Bugtraq mailing list archives
Re: ZLib double free bug: Windows NT potentially unaffected
From: Martijn Lievaart <m () rtij nl>
Date: Fri, 15 Mar 2002 13:15:37 +0100
Robert Collins wrote:
> -----Original Message-----
> From: KJK::Hyperion [mailto:noog () libero it]
> Sent: Friday, March 15, 2002 4:52 AM
> To: bugtraq () securityfocus com
> Subject: ZLib double free bug: Windows NT potentially unaffected
>
> I allocate 4 kb of memory, then I free the block twice. Under debugging, this program will emit the following diagnostic message:
>
> HEAP[testheap.exe]: Invalid Address specified to RtlFreeHeap( 130000, 1357f0 )
>
> immediately after this, a breakpoint exception (code 0x80000003) is raised. So, apparently, the second free operation degrades gracefully, apparently without any corruption of in-memory structures, since the subsequent allocation/deallocation runs fine.

> Can I suggest you try it with a non-debug build. I've seen heap corruption occur in winNT software, that in debug-builds was trapped, but in non-debug builds was not.
Actually, this is one of the big differences between debug and non-debug builds with MSVC. Note the name of the routine above, it is RtlFreeHeap. This is the MSVC RTL, not WindowsNT memory management.
The MSVC debug builds check for heap corruption on all heap operations, as demonstrated above. Non-debug builds don't check; they just assume that everything is valid. In this case, the pointer passed to free is /not/ valid, which only the debug build will catch. The non-debug build could do anything, most likely crash, but almost equally likely it runs as if there was no bug.
I'm not sure this would be exploitable though.

Martijn Lievaart
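The experiment the thread is arguing about (one 4 KB block, freed twice, then a further allocation and deallocation) and the kind of per-operation bookkeeping that makes a debug heap catch the second free, as an added example that is not code from any of the posters. It does not use the Windows heap API at all: the registry of live blocks, the names `checked_alloc`/`checked_free`, and the diagnostic string are this example's own stand-ins for what a checking heap does, and the message only imitates the RtlFreeHeap diagnostic quoted above. A plain release-mode `free()` of the same pointer twice is the unchecked path the reply describes and is deliberately not executed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the thread. A minimal "checked heap": every live
 * block is recorded at allocation time and a free is honoured only if the
 * pointer is currently registered. This is the check a debug build performs
 * on each heap call and a release build skips. The registry is a fixed array,
 * which is enough for the experiment below. */

#define MAX_LIVE 64

static uintptr_t live_blocks[MAX_LIVE];   /* addresses of outstanding blocks */
static size_t    live_count = 0;

enum free_result { FREE_OK = 0, FREE_INVALID_ADDRESS = 1 };

/* Allocate, zero and register a block. Returns NULL on failure. */
void *checked_alloc(size_t size)
{
    if (live_count >= MAX_LIVE) return NULL;
    void *p = malloc(size);
    if (p == NULL) return NULL;
    memset(p, 0, size);
    live_blocks[live_count++] = (uintptr_t)p;
    return p;
}

/* Free only a registered pointer. An unknown address (a second free, a stale
 * or forged pointer) is reported and the underlying allocator is not touched,
 * which is the graceful degradation the original poster observed. Addresses
 * are compared as integers so a stale pointer value is never dereferenced. */
enum free_result checked_free(void *p)
{
    uintptr_t addr = (uintptr_t)p;
    for (size_t i = 0; i < live_count; i++) {
        if (live_blocks[i] == addr) {
            free(p);
            live_blocks[i] = live_blocks[live_count - 1];  /* swap-remove */
            live_count--;
            return FREE_OK;
        }
    }
    /* Imitates the debug-heap diagnostic; not a real RtlFreeHeap message. */
    fprintf(stderr, "HEAP: Invalid Address specified to checked_free(%p)\n", p);
    return FREE_INVALID_ADDRESS;
}

/* Number of blocks still registered, for inspection after an experiment. */
size_t checked_live_count(void) { return live_count; }

/* The original poster's experiment: a 4 KB block freed twice, followed by
 * another allocation/deallocation. Returns how many frees the checker
 * rejected: 1 means exactly the double free was caught and the heap kept
 * working afterwards; -1 means an allocation failed. */
int run_double_free_experiment(void)
{
    int invalid = 0;
    char *block = checked_alloc(4096);
    if (block == NULL) return -1;
    if (checked_free(block) != FREE_OK) invalid++;   /* first free: accepted */
    if (checked_free(block) != FREE_OK) invalid++;   /* second free: rejected */
    char *again = checked_alloc(16);                 /* heap still usable */
    if (again == NULL) return -1;
    if (checked_free(again) != FREE_OK) invalid++;
    return invalid;
}

int main(void)
{
    int caught = run_double_free_experiment();
    printf("invalid frees caught: %d, blocks still live: %zu\n",
           caught, checked_live_count());
    return caught == 1 ? 0 : 1;
}
```

The registry only knows which addresses are live right now, so a stale pointer whose address has since been handed out again would pass the check; that gap is why real debug heaps also stamp freed memory with fill patterns and keep per-block headers rather than relying on a lookup alone. Swapping `checked_free` for a plain `free` turns the same experiment into the unchecked release-build case.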
Current thread:
- ZLib double free bug: Windows NT potentially unaffected KJK::Hyperion (Mar 14)
- Re: ZLib double free bug: Windows NT potentially unaffected Casper Dik (Mar 14)
- Re: ZLib double free bug: Windows NT potentially unaffected Dragos Ruiu (Mar 15)
- Re: ZLib double free bug: Windows NT potentially unaffected Dragos Ruiu (Mar 14)
- <Possible follow-ups>
- RE: ZLib double free bug: Windows NT potentially unaffected Robert Collins (Mar 14)
- Re: ZLib double free bug: Windows NT potentially unaffected Martijn Lievaart (Mar 15)