On deallocation, sampled pointers (selected by address alignment) are junk-filled and stashed in the tcache rather than being made available for immediate reuse. The intent is that a read-after-free observes the junk pattern instead of stale data, so the bug surfaces as corruption rather than silently working, while a write-after-free is detected when the stashed pointers are flushed and their junk fill is verified to be intact.
```bash
#!/bin/sh
export MALLOC_CONF="tcache_max:1024,lg_san_uaf_align:-1"
```
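The MALLOC_CONF line above sets `lg_san_uaf_align:-1`, which turns the sampling off entirely. To make the junk-fill-and-verify mechanism concrete, here is a small stand-alone C model of it. This is an added illustration, not jemalloc source: the alignment used for sampling, the junk byte, the stash capacity and the `san_free`/`san_flush` names are all model parameters chosen here, and the "stash" is a plain array rather than a tcache bin. Because the stashed block is not handed back to the allocator until the flush, the write-after-free in `demo(1)` is defined behaviour inside the model and is caught by the verification step.

```c
/* Model of sampled use-after-free detection in the style of jemalloc's
 * san_uaf: free() of a sampled block junk-fills it and stashes it instead
 * of recycling it; a later flush checks that the junk is untouched, so a
 * write-after-free on a stashed block is detected.
 * Added illustration, not jemalloc code. All constants are model values. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LG_SAN_UAF_ALIGN 6   /* model: sample blocks aligned to 2^6 = 64 bytes */
#define FREE_JUNK 0x5a       /* model: byte pattern written on free */
#define STASH_CAP 8          /* model: stash entries before a flush is forced */

struct stashed { void *ptr; size_t len; };
static struct stashed stash[STASH_CAP];
static size_t stash_n = 0;

/* Sampling by address alignment, mirroring the lg_san_uaf_align idea. */
static int is_sampled(const void *p) {
    return (((uintptr_t)p) & ((1u << LG_SAN_UAF_ALIGN) - 1)) == 0;
}

/* Flush the stash: verify every byte still holds the junk pattern,
 * count blocks modified after free, then hand them back to the allocator.
 * Returns the number of write-after-free events detected. */
static size_t san_flush(void) {
    size_t violations = 0;
    for (size_t i = 0; i < stash_n; i++) {
        const unsigned char *b = stash[i].ptr;
        for (size_t j = 0; j < stash[i].len; j++) {
            if (b[j] != FREE_JUNK) { violations++; break; }
        }
        free(stash[i].ptr);
    }
    stash_n = 0;
    return violations;
}

/* Replacement for free(): unsampled blocks are released immediately;
 * sampled blocks are junk-filled and stashed so they cannot be reused. */
static void san_free(void *p, size_t len) {
    if (!is_sampled(p)) { free(p); return; }
    memset(p, FREE_JUNK, len);
    if (stash_n == STASH_CAP) (void)san_flush();
    stash[stash_n++] = (struct stashed){ p, len };
}

/* Allocate a sampled block, free it, optionally write to it afterwards,
 * and return how many write-after-free events the flush detects. */
size_t demo(int write_after_free) {
    size_t len = 64;
    /* aligned_alloc guarantees the 64-byte alignment the sampler keys on */
    unsigned char *p = aligned_alloc(1u << LG_SAN_UAF_ALIGN, len);
    if (!p) return (size_t)-1;
    memset(p, 0x41, len);           /* live data */
    san_free(p, len);               /* block is now junked and stashed */
    if (write_after_free) p[10] = 0x00;   /* the bug under test */
    return san_flush();             /* 0 for a clean free, 1 if the write happened */
}

int main(void) {
    printf("clean free:        %zu violation(s)\n", demo(0));
    printf("write-after-free:  %zu violation(s)\n", demo(1));
    return 0;
}
```

Note what the model does not do: a read-after-free is not checked anywhere, it simply returns `FREE_JUNK` bytes, which is exactly the "corrupt it rather than let it work" behaviour described above. Only writes are caught, and only for blocks that were sampled and only at flush time, so the detection is probabilistic and delayed rather than a hard guard.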