funsec mailing list archives
heap protection in glibc - some questions
From: Gadi Evron <ge () linuxbox org>
Date: Thu, 19 Jan 2006 22:50:37 +0200
A friend of mine grabbed my attention to this today. In version 2.3.4 of glibc...if (__builtin_expect ((uintptr_t) p > (uintptr_t) -size, 0) || __builtin_expect ((uintptr_t) p & MALLOC_ALIGN_MASK, 0))
^^^ This line was added. There is also a comment on it: + /* Little security check which won't hurt performance: the + allocator never wrapps around at the end of the address space. + Therefore we can exclude some size values which might appear + here by accident or by "design" from some intruder. */ + if (__builtin_expect ((uintptr_t) p > (uintptr_t) -size, 0) + || __builtin_expect ((uintptr_t) p & MALLOC_ALIGN_MASK, 0)) + { + errstr = "free(): invalid pointer"; + errout: + malloc_printerr (check_action, errstr, mem); + return; + } It was mentioned on http://www.securityfocus.com/columnists/359. Now, my questions if some of you can be so kind as to try and answer:In your estimation, how many people actually heard about this (outside the tight circle of secure coding maniacs)?
In your estimation, how many people actually go through the pain of upgrading glibc?
This seems effective to me. In retrospect, how effective did it prove to be over the past year, in your experience? Is it too early to tell?
Heard of this? http://www.cs.ucsb.edu/~wkr/projects/heap_protection/ What's your take on it, and how do you compare the two? I'd appreciate your input if you have the time.A friend of mine might also write on this, but I would like some more opinions.
Thanks guys! Gadi. _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- heap protection in glibc - some questions Gadi Evron (Jan 19)