AddressSanitizer's FakeStack metadata can be rewritten by users #133640

Closed
@brandb97

Description

AddressSanitizer saves a &flag[pos] at the end of the FakeStack frame, which can be rewritten by users. If you run this code snippet with -fsanitize=address, you get a SEGV signal, because AddressSanitizer tries to read &flag[pos] in __asan_stack_free, but it reads the wrong place.

struct BigData {
        int x[1000];            /* 4000-byte local array */
};

void *test() {
        struct BigData x;
        /* y points 1032 ints past the start of x.x, i.e. beyond the array
         * and its redzone, into the rest of the FakeStack size-class region. */
        int *y = x.x + 1032;
        /* Out-of-bounds stores that overrun the FakeStack frame, clobbering
         * the saved &flag[pos] pointer stored at the end of the frame. */
        for (int i = 0; i < 5000; i++)
                y[i] = 0xffffffff;
        /* The local's address escapes, so the frame lives on the fake stack;
         * __asan_stack_free then dereferences the corrupted saved pointer. */
        return &x;
}

int main() {
        /* Write through the returned pointer to the dead frame. */
        *(int *)test() = 1;
        return 0;
}

You should compile this program with clang -fsanitize=address source.c -o a.out. I'm using v18.1.6 for this experiment.
