Subject: free() issues
From: Chris Evans (chris ferret.lmh.ox.ac.uk)
Date: Mon Jul 10 2000 - 14:25:53 CDT
- Next message: Pavel Kankovsky: "Re: free() issues"
- Previous message: Pete Philips: "Re: IDS"
- Next in thread: Pavel Kankovsky: "Re: free() issues"
- Reply: Pavel Kankovsky: "Re: free() issues"
- Reply: Solar Designer: "Re: free() issues"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
In the light of Solar's excellent work on problems with malloc()'ed buffer
overflows, I'm wondering if there might be problems with abuse of free().
Take the following example. A program allocates a chunk of memory with a
single malloc() call. Suppose this chunk of memory is filled with
user-supplied data. Now suppose that an errant program calls free() at
some offset into this chunk of memory. This is clearly a bug because the
address passed to free will not have been one returned by malloc().
Diagrammatically,

Single malloc() chunk:

-----------------------------------------------
|                                             |
-----------------------------------------------
^                       ^
|                       |
address                 free()
returned                called
by malloc()             here
Is this not potentially vulnerable to similar free chunk management
attacks like the excellent one outlined by Solar recently?
I didn't read up on the DL-malloc implementation, but I suspect that the
errant free() will treat a piece of the user supplied data in the buffer
as a free chunk descriptor. That means pointer accesses under user
control. Whoops.[1]
Comments?
Cheers
Chris
[1] Am I correct that the chunk descriptor tends to live just before the
memory address returned by malloc()?
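As an added illustration of the bug class the post describes (this is example code, not something from the post or from any allocator): a small wrapper that records every address malloc() returned and refuses to release an interior pointer, which is exactly the "free() at some offset into the chunk" case. The registry size, the 64-byte buffer and the offset of 16 are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the post: a registry of live allocations that
 * refuses to free() any pointer malloc() never returned. Sizes are constructed. */
#define MAX_LIVE 64
static void  *live[MAX_LIVE];       /* addresses returned by malloc() */
static size_t live_size[MAX_LIVE];
static int    n_live;

void *tracked_malloc(size_t size) {
    void *p = (n_live < MAX_LIVE) ? malloc(size) : NULL;
    if (p != NULL) {
        live[n_live] = p;
        live_size[n_live++] = size;
    }
    return p;
}

/* 0: exact match, memory released.  -1: interior or unknown pointer, nothing
 * freed.  Handing an interior pointer to the real free() makes the allocator
 * read the bytes just before it as a chunk header: user data, in the post's case. */
int tracked_free(void *p) {
    uintptr_t a = (uintptr_t)p;
    for (int i = 0; i < n_live; i++) {
        uintptr_t start = (uintptr_t)live[i];
        if (a == start) {
            free(p);
            n_live--;
            live[i] = live[n_live];          /* swap-remove the entry */
            live_size[i] = live_size[n_live];
            return 0;
        }
        if (a > start && a < start + live_size[i])
            return -1;                       /* free() at an offset: the bug */
    }
    return -1;                               /* never returned by malloc() */
}

/* Replays the post's scenario; returns 1 if the errant free was caught. */
int offset_free_is_rejected(void) {
    char *buf = tracked_malloc(64);
    if (buf == NULL) return 0;
    memset(buf, 'A', 64);                    /* "user-supplied" fill */
    int rc = tracked_free(buf + 16);         /* errant free() at offset 16 */
    tracked_free(buf);                       /* correct release afterwards */
    return rc == -1;
}
```

A debugging allocator or hardened libc does the same check with better bookkeeping; the point here is that an interior pointer is distinguishable from a chunk start before the allocator ever touches the bytes in front of it.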