Dailydave mailing list archives

Re: gcc 4.1 security features


From: Hikaru Gosun <hgosun () gmail com>
Date: Fri, 17 Feb 2006 11:03:21 +0100

Hi all,

maybe this is a bit OT, but a year ago I was taking a look at the
Debian patch for the glibc 2.3.2 (I think it was added by Masanori
Goto). Well, the 'interesting' piece of code was:

[snip]
/* free(0) has no effect */
  if (mem != 0) {
    p = mem2chunk(mem);
+    /* Little security check which won't hurt performance: the
+       allocator never wrapps around at the end of the address space.
+       Therefore we can exclude some size values which might appear
+       here by accident or by "design" from some intruder.  */
+    if (__builtin_expect ((uintptr_t) p > (uintptr_t) -size, 0))
+      {
+      if (check_action & 1)
+        {
+          fprintf (stderr, "free(): invalid pointer %p!\n", mem);
+        }
+      if (check_action & 2)
+        abort ();
+      return;
+      }
    size = chunksize(p);
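Review bot: the new check `if (__builtin_expect ((uintptr_t) p > (uintptr_t) -size, 0))` reads `size` before the unchanged line `size = chunksize(p);` that immediately follows it, so unless `size` is assigned earlier in the function (not visible in this hunk) the comparison is made against an unset or stale value and the wrap-around test does not actually use the chunk's size; moving the added block below `size = chunksize(p);` makes the check do what its comment describes. Minor: "wrapps" in the comment should be "wraps".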
[/snip]

I was involved in a discussion with some friends about how this
protection can be bypassed, and I found the first solution pointed out
by Joel (using a big size value and doing some guessing to find the
chunk in the stack).

In that discussion, we didn't get the idea of the second method :(
It's a very interesting approach. It's been a long time since I
practised heap exploitation, but I will give it a try (crossing my
fingers).

Best regards.
Hikaru

