Skip to content

fuzz: enable sys_heap ASan poisoning and per-sanitizer hardening split#11005

Open
tmleman wants to merge 1 commit into
thesofproject:mainfrom
tmleman:topic/upstream/pr/fuzzing/enhancement/part6
Open

fuzz: enable sys_heap ASan poisoning and per-sanitizer hardening split#11005
tmleman wants to merge 1 commit into
thesofproject:mainfrom
tmleman:topic/upstream/pr/fuzzing/enhancement/part6

Conversation

@tmleman

@tmleman tmleman commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

With CONFIG_SYS_HEAP_SANITIZER_ASAN enabled, freed and unallocated sys_heap regions are explicitly marked unaddressable via ASan's manual poisoning API. This gives ASan use-after-free and heap-buffer-overflow detection on all SOF dynamic memory (not just libc allocations that ASan tracks natively).

Since poisoning supersedes the full-heap walk for corruption detection under ASan, downgrade the board-level default from EXTREME to FULL. Canaries (FULL) remain valuable: they catch overflows into the adjacent live chunk's trailer, a case that poisoning alone does not cover.

For UBSan builds, which have no heap awareness at all, keep EXTREME in the sanitizer overlay so the full-walk remains the only proactive corruption detector.

Copilot AI review requested due to automatic review settings July 16, 2026 12:54

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the Zephyr fuzzing configuration to (1) enable sys_heap ASan manual poisoning integration for ASan fuzzing runs and (2) split sys_heap hardening levels per sanitizer: FULL for ASan by default, while keeping EXTREME specifically for UBSan runs.

Changes:

  • Enable CONFIG_SYS_HEAP_SANITIZER_ASAN for ASan fuzzing builds.
  • Downgrade the native_sim libfuzzer board default sys_heap hardening from EXTREME to FULL.
  • Keep EXTREME hardening enabled for UBSan fuzzing builds via the UBSan overlay.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
app/configs/fuzz_ubsan.conf Forces sys_heap hardening to EXTREME for UBSan fuzzing runs.
app/configs/fuzz_asan.conf Enables the sys_heap ASan sanitizer backend for fuzzing runs with ASan.
app/boards/native_sim_libfuzzer.conf Sets the board-level default sys_heap hardening to FULL (instead of EXTREME).

With CONFIG_SYS_HEAP_SANITIZER_ASAN enabled, freed and unallocated
sys_heap regions are explicitly marked unaddressable via ASan's manual
poisoning API. This gives ASan use-after-free and heap-buffer-overflow
detection on all SOF dynamic memory (not just libc allocations that
ASan tracks natively).

Since poisoning supersedes the full-heap walk for corruption detection
under ASan, downgrade the board-level default from EXTREME to FULL.
Canaries (FULL) remain valuable: they catch overflows into the adjacent
live chunk's trailer, a case that poisoning alone does not cover.

For UBSan builds, which have no heap awareness at all, keep EXTREME in
the sanitizer overlay so the full-walk remains the only proactive
corruption detector.

Signed-off-by: Tomasz Leman <tomasz.m.leman@intel.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants