fuzz: enable sys_heap ASan poisoning and per-sanitizer hardening split#11005
Open
tmleman wants to merge 1 commit into
Open
fuzz: enable sys_heap ASan poisoning and per-sanitizer hardening split#11005tmleman wants to merge 1 commit into
tmleman wants to merge 1 commit into
Conversation
tmleman
requested review from
dbaluta,
kv2019i,
lbetlej,
lgirdwood,
mmaka1 and
plbossart
as code owners
July 16, 2026 12:54
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the Zephyr fuzzing configuration to (1) enable sys_heap ASan manual poisoning integration for ASan fuzzing runs and (2) split sys_heap hardening levels per sanitizer: FULL for ASan by default, while keeping EXTREME specifically for UBSan runs.
Changes:
- Enable
CONFIG_SYS_HEAP_SANITIZER_ASANfor ASan fuzzing builds. - Downgrade the native_sim libfuzzer board default sys_heap hardening from EXTREME to FULL.
- Keep EXTREME hardening enabled for UBSan fuzzing builds via the UBSan overlay.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| app/configs/fuzz_ubsan.conf | Forces sys_heap hardening to EXTREME for UBSan fuzzing runs. |
| app/configs/fuzz_asan.conf | Enables the sys_heap ASan sanitizer backend for fuzzing runs with ASan. |
| app/boards/native_sim_libfuzzer.conf | Sets the board-level default sys_heap hardening to FULL (instead of EXTREME). |
With CONFIG_SYS_HEAP_SANITIZER_ASAN enabled, freed and unallocated sys_heap regions are explicitly marked unaddressable via ASan's manual poisoning API. This gives ASan use-after-free and heap-buffer-overflow detection on all SOF dynamic memory (not just libc allocations that ASan tracks natively). Since poisoning supersedes the full-heap walk for corruption detection under ASan, downgrade the board-level default from EXTREME to FULL. Canaries (FULL) remain valuable: they catch overflows into the adjacent live chunk's trailer, a case that poisoning alone does not cover. For UBSan builds, which have no heap awareness at all, keep EXTREME in the sanitizer overlay so the full-walk remains the only proactive corruption detector. Signed-off-by: Tomasz Leman <tomasz.m.leman@intel.com>
kv2019i
approved these changes
Jul 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
With CONFIG_SYS_HEAP_SANITIZER_ASAN enabled, freed and unallocated sys_heap regions are explicitly marked unaddressable via ASan's manual poisoning API. This gives ASan use-after-free and heap-buffer-overflow detection on all SOF dynamic memory (not just libc allocations that ASan tracks natively).
Since poisoning supersedes the full-heap walk for corruption detection under ASan, downgrade the board-level default from EXTREME to FULL. Canaries (FULL) remain valuable: they catch overflows into the adjacent live chunk's trailer, a case that poisoning alone does not cover.
For UBSan builds, which have no heap awareness at all, keep EXTREME in the sanitizer overlay so the full-walk remains the only proactive corruption detector.