Tags: security, firefox, exploit, address-sanitizer

Will AddressSanitizer still report use-after-free if there is a new object allocated at where the dangling pointer points to


I am playing with a use-after-free vulnerability in a Firefox build with AddressSanitizer. Suppose that, in an exploitation of a use-after-free vulnerability, we manage to allocate a new object B where the freed object A was placed, so that the dangling pointer now points somewhere inside the new object B. I have two questions:

(1) When we dereference the dangling pointer, will ASAN still detect and report a use-after-free related to the dangling pointer and the freed object?

(2) If dereferencing the dangling pointer now causes a crash because it points to a different object (B), does ASAN detect the UAF before the crash or after the crash?


Solution

    Suppose in an exploitation of a use-after-free vulnerability, we manage to allocate a new object B at where the freed object A was placed

AddressSanitizer, as well as most other debugging heap implementations, has a quarantine buffer. Freed storage is not reused for a very long time, precisely so any uses of dangling pointers could be caught.

    (1) when we dereference the dangling pointer, will ASAN still detect and report use-after-free related to the dangling pointer and the freed object?

No. If you wait long enough (or the quarantine buffer is exhausted) for the storage to be re-used, then ASAN will not know that anything is wrong.

    (2) ...does ASAN detect UAF before the crash or after the crash?

Neither. Once storage has been reused, ASAN doesn't know anything is wrong. If the program crashes, ASAN will just tell you "your program has crashed", but would not help with the reason why it did crash.
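One way to observe the quarantine behaviour the answer describes, as an added example that is not part of the original post: a small C probe that frees a block and counts how many same-size allocations it takes before the allocator hands the old address back, plus a check of whether ASan still has the freed block poisoned. Build it once with `-fsanitize=address` (gcc or clang) and once without; the `__asan_address_is_poisoned` call is the public ASan interface and `BUILT_WITH_ASAN` is a local name assumed here.

```c
/* Added example (not from the original post): probe whether a freed block's
 * address is handed back to a new same-size allocation. */
#include <stdint.h>
#include <stdlib.h>

#if defined(__SANITIZE_ADDRESS__)        /* gcc -fsanitize=address */
#  define BUILT_WITH_ASAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)   /* clang -fsanitize=address */
#    define BUILT_WITH_ASAN 1
#  endif
#endif
#ifdef BUILT_WITH_ASAN
#  include <sanitizer/asan_interface.h>
int built_with_asan(void) { return 1; }
#else
int built_with_asan(void) { return 0; }
#endif

/* Index of the first of max_tries allocations that lands at the freed address,
 * or -1 if none does. ASan's quarantine (256 MB by default) keeps the block out
 * of reach; glibc malloc typically reuses it at index 0. The dangling pointer
 * is only compared as an integer, never dereferenced. */
int allocs_until_reuse(size_t size, int max_tries) {
    if (max_tries <= 0) return -1;
    char *a = malloc(size); if (!a) return -1;
    uintptr_t old = (uintptr_t)a;
    free(a);                  /* a now dangles; quarantined under ASan */
    char **held = calloc((size_t)max_tries, sizeof *held);
    if (!held) return -1;
    int found = -1;
    for (int i = 0; i < max_tries; i++) {
        held[i] = malloc(size);
        if (held[i] && (uintptr_t)held[i] == old) { found = i; break; }
    }
    for (int i = 0; i < max_tries; i++) free(held[i]);
    free(held); return found;
}

/* 1 if ASan still marks the freed block poisoned (it is in quarantine), 0 if
 * it has been unpoisoned, -1 when not built with ASan. No dereference. */
int freed_block_is_poisoned(size_t size) {
#ifdef BUILT_WITH_ASAN
    char *a = malloc(size); if (!a) return -1;
    uintptr_t p = (uintptr_t)a;
    free(a);
    return __asan_address_is_poisoned((void *)p) ? 1 : 0;
#else
    (void)size; return -1;
#endif
}
```

Under ASan the probe returns -1 and the poison check returns 1; shrinking the quarantine with `ASAN_OPTIONS=quarantine_size_mb=0` lets the probe eventually report a reuse index, which is exactly the reused-storage situation the answer says ASan can no longer catch.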