Dailydave mailing list archives
Re: gcc 4.1 security features
From: Hikaru Gosun <hgosun () gmail com>
Date: Fri, 17 Feb 2006 11:03:21 +0100
Hi all, maybe this is a bit OT, but a year ago I was taking a look at the Debian patch for the glibc 2.3.2 (I think it was added by Masanori Goto). Well, the 'interesting' piece of code was:

[snip] /* free(0) has no effect */ if (mem != 0) { p = mem2chunk(mem); + /* Little security check which won't hurt performance: the + allocator never wrapps around at the end of the address space. + Therefore we can exclude some size values which might appear + here by accident or by "design" from some intruder. */ + if (__builtin_expect ((uintptr_t) p > (uintptr_t) -size, 0)) + { + if (check_action & 1) + { + fprintf (stderr, "free(): invalid pointer %p!\n", mem); + } + if (check_action & 2) + abort (); + return; + } size = chunksize(p); [/snip]

I was involved in a discussion with some friends about how this protection can be bypassed, and I found the first solution pointed out by Joel (using a big size value and doing some guessing to find the chunk in the stack). In that discussion, we didn't get the idea of the second method :( It's a very interesting approach.

It's been a long time since I last practiced heap exploitation, but I will give it a try (crossing my fingers).

Best regards.
Hikaru
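Review bot: as quoted, the added check reads `size` before the trailing context line `size = chunksize(p);` assigns it, so `(uintptr_t) p > (uintptr_t) -size` is evaluated against whatever `size` held earlier (or an uninitialised value) unless it was assigned somewhere outside this hunk; the comparison should sit after `size = chunksize(p);` so that it tests the chunk's own size field. Two smaller points: when `check_action` is 0 the function returns without printing or aborting, so a rejected chunk is silently never freed (the safe direction, but the comment should say so), and "wrapps" in the new comment is a typo for "wraps".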
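A stand-alone model of the wrap-around check in the quoted patch, added here as an example; it is not part of the original message and not glibc code. Addresses and sizes are passed in as constructed integers so nothing touches a real heap, the function names `chunk_would_wrap`, `chunk_end_overflows` and `guarded_free_decision` are assumptions for illustration, and the `check_action` bits follow the quoted patch. The third sample input shows the one boundary (a chunk whose end lands exactly on 2^N) where the strict `>` comparison and an explicit end-address overflow test differ.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not glibc code: a model of the wrap-around check from the
   quoted Debian patch. All inputs are constructed integers; nothing here
   touches a real heap. Function names are assumptions for illustration. */

/* check_action bits, as used in the quoted patch. */
#define CHECK_PRINT 1   /* fprintf a diagnostic to stderr */
#define CHECK_ABORT 2   /* abort() the process */

enum free_result {
    FREE_OK,        /* check passed; the real code would go on to free */
    FREE_REJECTED,  /* check failed, no abort bit: return without freeing */
    FREE_ABORTED    /* check failed with the abort bit set: abort() */
};

/* The predicate from the patch. (uintptr_t)-size is the highest address at
   which a chunk of `size` bytes can start without its end wrapping past the
   top of the address space, so any p above it cannot be a real chunk. */
int chunk_would_wrap(uintptr_t p, size_t size)
{
    return p > (uintptr_t)-size;
}

/* The same idea as an explicit end-of-chunk overflow test. Equivalent except
   at the exact boundary p + size == 2^N, where the end wraps to 0: this test
   flags it, the strict '>' in the patch does not. */
int chunk_end_overflows(uintptr_t p, size_t size)
{
    uintptr_t end = p + (uintptr_t)size;
    return end < p;
}

/* Model of the guarded free() front-end. `size` plays the role of
   chunksize(p); *printed reports whether a diagnostic was emitted. */
enum free_result guarded_free_decision(uintptr_t p, size_t size,
                                       int check_action, int *printed)
{
    *printed = 0;
    if (chunk_would_wrap(p, size)) {
        if (check_action & CHECK_PRINT) {
            fprintf(stderr, "free(): invalid pointer %#lx!\n", (unsigned long)p);
            *printed = 1;
        }
        if (check_action & CHECK_ABORT)
            return FREE_ABORTED;   /* abort() in the real code */
        return FREE_REJECTED;      /* silently skipped: the chunk is never freed */
    }
    return FREE_OK;
}

int main(void)
{
    /* Constructed sample inputs. */
    struct { uintptr_t p; size_t size; const char *what; } cases[] = {
        { 0x10000,                   0x200, "ordinary chunk" },
        { UINTPTR_MAX - 0x100,       0x200, "chunk extends past end of memory" },
        { (uintptr_t)-(size_t)0x200, 0x200, "chunk ends exactly at 2^N" },
    };
    int printed;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        enum free_result r = guarded_free_decision(cases[i].p, cases[i].size,
                                                   CHECK_PRINT | CHECK_ABORT,
                                                   &printed);
        printf("%-34s wrap=%d overflow=%d result=%d printed=%d\n", cases[i].what,
               chunk_would_wrap(cases[i].p, cases[i].size),
               chunk_end_overflows(cases[i].p, cases[i].size), (int)r, printed);
    }
    return 0;
}
```

Run as-is it prints one line per sample; the middle case is the one the patch is written for, and with both `check_action` bits set it reports the pointer and would abort, while with `check_action` at 0 the same input is dropped silently.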
Current thread:
- gcc 4.1 security features Matt (Feb 16)
- Re: gcc 4.1 security features Gadi Evron (Feb 16)
- Re: gcc 4.1 security features Halvar Flake (Feb 16)
- Re: gcc 4.1 security features Joel Eriksson (Feb 16)
- Re: gcc 4.1 security features Hikaru Gosun (Feb 17)
- Re: gcc 4.1 security features Angelo Dell'Aera (Feb 17)
- RE: gcc 4.1 security features Dave Korn (Feb 18)
- Re: gcc 4.1 security features Matt Conover (Feb 21)
- Re: gcc 4.1 security features Gadi Evron (Feb 16)
- Re: gcc 4.1 security features Eduardo Tongson (Feb 17)
- <Possible follow-ups>
- Re: gcc 4.1 security features Phantasmal Phantasmagoria (Feb 21)