How should the heap-buffer-overflow error message be read?

不想你离开。 Submitted on 2020-04-18 05:38:26

Question


I wanted to know how the following error message should be read. In particular:

(1) What do things such as fa (heap left redzone) and fd (freed heap region) mean?

(2) What is the significance of the 00s and 05s?

(3) What is the significance of the memory block being pointed to (0x0c067fff8010)?

(4) What is a wild pointer?

(5) Why is the fa on the line with the memory block that has an arrow to it in square brackets ([fa])?

Compilation Command

clang++ test.cpp -fsanitize=address -D_LIBCPP_DEBUG=1

Error Message

Address 0x6030000000f0 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow 
(/home/tzadiko/randomStuff/a.out+0x4fa83d) in main
Shadow bytes around the buggy address:
  0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa fd fd fd fd fa fa 00 00 00 07 fa fa 00 00
=>0x0c067fff8010: 05 fa fa fa 00 00 04 fa fa fa fa fa fa fa[fa]fa
  0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Answer 1:


You left out a crucial bit of the output. Here is the legend (taken from the documentation):

Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe

After reading this description, I think the address to your questions is, in turn:

  1. The redzone is a region of inaccessible data both to the left and to the right of an allocation. ASan keeps a bitmask of the entire memory and determines for each 8-byte region what kind of memory it is.

  2. As the legend shows, 00 is fully addressable memory, 01 through 07 means "partially addressable". A value with 05 in it presumably means the first 5 bytes of that 8-byte block may be addressed.

  3. 0x0c067fff801e is the index into the bitmap. The part in brackets indicates which shadow byte is intended. Multiply it by 8 and you get 0x6033fffc00f0, which must presumably be still modified a bit to get back at the offending memory region.

  4. A wild pointer is one that points into unallocated (or recently freed) memory.

  5. See 3.
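
The following program is an added example, not part of the question, the answer above, or the AddressSanitizer project. It decodes one line of the "Shadow bytes around the buggy address" dump in the way the answer describes, using the default x86-64 Linux shadow mapping documented for ASan, shadow = (addr >> 3) + 0x7fff8000 (an assumption about the platform the report came from; other targets use a different offset). Inverting that mapping for the bracketed shadow byte at 0x0c067fff801e yields 0x6030000000f0, the address the report itself calls a wild pointer, so the "modified a bit" in point 3 is exactly the 0x7fff8000 offset. The `parse_shadow_line`, `describe` and `app_of` helpers are names chosen for this example.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Default ASan shadow mapping on x86-64 Linux: shadow = (addr >> 3) + 0x7fff8000.
// Assumption: the report in the question came from that platform; other targets
// use a different offset and these constants would change.
constexpr uint64_t kShadowScale  = 3;
constexpr uint64_t kShadowOffset = 0x7fff8000ULL;

uint64_t shadow_of(uint64_t app_addr) {
  return (app_addr >> kShadowScale) + kShadowOffset;
}

// Inverse mapping: the first application byte covered by a shadow byte.
uint64_t app_of(uint64_t shadow_addr) {
  return (shadow_addr - kShadowOffset) << kShadowScale;
}

// Human-readable meaning of one shadow byte, following the legend ASan prints.
// A value 1..7 means only the first that many bytes of the 8-byte granule are usable.
std::string describe(uint8_t sb) {
  if (sb == 0x00) return "addressable (all 8 bytes)";
  if (sb >= 0x01 && sb <= 0x07)
    return "partially addressable: first " + std::to_string(sb) + " bytes usable";
  switch (sb) {
    case 0xfa: return "heap left redzone";
    case 0xfb: return "heap right redzone";
    case 0xfd: return "freed heap region";
    case 0xf1: return "stack left redzone";
    case 0xf2: return "stack mid redzone";
    case 0xf3: return "stack right redzone";
    case 0xf4: return "stack partial redzone";
    case 0xf5: return "stack after return";
    case 0xf8: return "stack use after scope";
    case 0xf9: return "global redzone";
    case 0xf6: return "global init order";
    case 0xf7: return "poisoned by user";
    case 0xfe: return "ASan internal";
    default:   return "unknown shadow value";
  }
}

struct ShadowLine {
  uint64_t base = 0;           // shadow address of the first byte on the line
  std::vector<uint8_t> bytes;  // the shadow bytes printed on the line (16 in ASan's dump)
  int bracket = -1;            // index of the [xx] byte, -1 if the line has none
};

// Parse one "  0x...: xx xx ... xx[xx]xx" line from the shadow dump.
// Returns false if the line does not look like one.
bool parse_shadow_line(const std::string& line, ShadowLine& out) {
  size_t colon = line.find(':');
  size_t hex   = line.find("0x");
  if (colon == std::string::npos || hex == std::string::npos || hex > colon) return false;
  out.base = std::stoull(line.substr(hex + 2, colon - hex - 2), nullptr, 16);
  out.bytes.clear();
  out.bracket = -1;
  bool in_bracket = false;
  for (size_t i = colon + 1; i < line.size(); ++i) {
    char c = line[i];
    if (c == '[') { in_bracket = true;  continue; }
    if (c == ']') { in_bracket = false; continue; }
    if (std::isxdigit(static_cast<unsigned char>(c)) && i + 1 < line.size() &&
        std::isxdigit(static_cast<unsigned char>(line[i + 1]))) {
      out.bytes.push_back(static_cast<uint8_t>(std::stoul(line.substr(i, 2), nullptr, 16)));
      if (in_bracket) out.bracket = static_cast<int>(out.bytes.size()) - 1;
      ++i;  // consumed two hex digits
    }
  }
  return !out.bytes.empty();
}

// Shadow address of the bracketed byte, or 0 when the line has no bracket.
uint64_t buggy_shadow_addr(const ShadowLine& sl) {
  return sl.bracket < 0 ? 0 : sl.base + static_cast<uint64_t>(sl.bracket);
}

int main() {
  // The "=>" line from the question's report, embedded as constructed sample input.
  const std::string marked = "=>0x0c067fff8010: 05 fa fa fa 00 00 04 fa fa fa fa fa fa fa[fa]fa";
  ShadowLine sl;
  if (!parse_shadow_line(marked, sl)) return 1;
  for (size_t i = 0; i < sl.bytes.size(); ++i) {
    uint64_t app = app_of(sl.base + i);
    std::printf("%s shadow 0x%012llx -> app 0x%012llx..0x%012llx : %02x %s\n",
                static_cast<int>(i) == sl.bracket ? "=>" : "  ",
                (unsigned long long)(sl.base + i), (unsigned long long)app,
                (unsigned long long)(app + 7), sl.bytes[i], describe(sl.bytes[i]).c_str());
  }
  uint64_t shadow = buggy_shadow_addr(sl);
  std::printf("bracketed shadow byte 0x%012llx maps back to app address 0x%012llx\n",
              (unsigned long long)shadow, (unsigned long long)app_of(shadow));
  return 0;
}
```

Each printed row pairs a shadow byte with the 8-byte application range it guards, so the 05 at the start of the line reads as "first 5 bytes of 0x603000000080..0x603000000087 usable", and the bracketed fa maps to 0x6030000000f0, which sits in a heap redzone rather than inside any live allocation; that is why the report labels the access a heap-buffer-overflow through a wild pointer.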



Source: https://stackoverflow.com/questions/58488551/how-should-the-heap-buffer-overflow-error-message-be-read
