feat: finish lab5 part 2,3

Author: TimmyHuangPeko

lab5/Answer.md

@@ -483,4 +483,5 @@ int main(void)
 }
 ```
 ### Why
-
+The way ASan detects out-of-bound read/write by adding shadow memory that maps to variables in the program, and by inserting redzones between these variables.
+In this program, the out-of-bound write operation on string `a` bypasses the redzones and directly into string `b`. Because the redzones are not accessed, no error is produced.

lab5/Makefile

@@ -2,7 +2,7 @@
 all: uaf_asan
 
 uaf_asan: uaf.c libantiasan.so
-	gcc -Og -g -o $@ $< -lantiasan -L.
+	gcc -fsanitize=address -Og -g -o $@ $< -lantiasan -L.
 
 libantiasan.so: antiasan.c
 	gcc -g -fPIC -c antiasan.c

lab5/antiasan.c

@@ -1,10 +1,30 @@
 #include <stdio.h>
 #include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/mman.h>
 
+/*
+ *  Overwrite the value of target variable in shadow
+ */
 void antiasan(unsigned long addr)
 {
-    unsigned long rz = (addr >> 3) + 0x7ffff8000;
-    //printf("%lx\n", *(unsigned long*)rz);
-    //unsigned long t = 0x0;
-    //memcpy((unsigned long*)rz, &t, 8);
+    /* calculate memory address of s[0x10] */
+    unsigned long rz = (addr >> 3) + 0x7fff8000;
+    
+    /* mprotect need to perform on aligned page address, the page size is x^12 bytes */
+    unsigned long b_addr = ((rz>>12)<<12);
+    // printf("%p\n%p\n", (unsigned long*)rz, (unsigned long*)b_addr);
+
+    /* change the access protection for memory page so that it can be read and write */
+    if(mprotect((void*)b_addr, getpagesize(), PROT_READ | PROT_WRITE) == -1) {
+        fprintf(stderr, "antiasan: failed to mprotect shadow - %s, %d\n", strerror(errno), errno);
+    }
+
+    /* change value in shadow to which s[0x10] map */
+    /* first printf: fafafafafafafafd, second printf: fafafafafafafa00 */
+    // printf("%lx\n", *(unsigned long*)rz);
+    *(char*)rz = 0x0;
+    // printf("%lx\n", *(unsigned long*)rz);
 }
+// 0xc067fff8002: 0xfafafafafafdfdfd