RE: gcc 4.1 security features

["Dave Korn" <dave.korn () artimi com>]

On 17 February 2006 01:16, Joel Eriksson wrote:

> A more relevant fix was added to glibc-2.3.4 during late august 2004 though:
>
> #define unlink(P, BK, FD) {                                            \
>   FD = P->fd;                                                          \
>   BK = P->bk;                                                          \
>   if (__builtin_expect (FD->bk != P || BK->fd != P, 0))                \
>     malloc_printf_nc (check_action,                                    \
>                       "corrupted double-linked list at %p!\n", P);     \
>   FD->bk = BK;                                                         \
>   BK->fd = FD;                                                         \
>
> By checking that p->fd->bk == p && p->bk->fd == p before unlinking,
> basically all unlink() based attacks are defeated. 

> But.. Of course this is no silver bullet either. It stops the unlink()-based
> attacks, but small chunks (called "fastchunks") are not placed in
> double-linked lists and thus there are no back-pointers to check. A
> free()'d fastchunk 
> contains only one pointer, to the next chunk in the list of free chunks of
> that size. Overwriting a fastchunk = Controlling what pointer a later call
> to malloc() is going to return. Very convenient. :)
>
> Note that fastchunks are also useful for exploiting certain double free()
> bugs. 


  It should be commented that fastchunks are also at the heart of the
vulnerabilities explained in the "Defeating Microsoft Windows XP SP2 Heap
protection and DEP bypass" paper.

http://www.maxpatrol.com/defeating-xpsp2-heap-protection.htm



   cheers,
      DaveK
-- 
Can't think of a witty .sigline today....