oss-sec mailing list archives
memory allocator upstream patches
From: Xi Wang <xi.wang () gmail com>
Date: Tue, 5 Jun 2012 01:54:17 -0400
Hi, I would like to share some upstream patches of two specific types of memory allocator vulnerabilities. * malloc(n) size overflow. Consider the following code pattern. n = read_from_input(); p = malloc(n); if (p) memcpy(p, input_buffer, n); Some malloc() implementations internally perform alignment/padding for a large n, and the allocation size wraps around to a small integer. That means they would allocate a smaller buffer than expected, leading to buffer overflow. * calloc(n, size) size overflow. Some calloc() implementations don't check for n * size multiplication overflow, and would allocate a smaller buffer than expected, leading to buffer overflow. The two types of vulnerabilities can be easily reproduced using malloc(-1) and calloc(BIG-VALUE, BIG-VALUE). If the return values are non-null, the implementations are likely to be problematic. See a more complete list at: http://kqueue.org/blog/2012/03/05/memory-allocator-security-revisited/ Below are some recent upstream fixes. Boehm-Demers-Weiser GC (libgc) ============================== malloc() size overflow, upstream patch (revised by the developers): https://github.com/ivmai/bdwgc/commit/be9df82919960214ee4b9d3313523bff44fd99e1 The bug in mallocx.c was found by Ivan Maidanski. calloc() size overflow, upstream patch (revised by the developers): https://github.com/ivmai/bdwgc/commit/e10c1eb9908c2774c16b3148b30d2f3823d66a9a https://github.com/ivmai/bdwgc/commit/6a93f8e5bcad22137f41b6c60a1c7384baaec2b3 https://github.com/ivmai/bdwgc/commit/83231d0ab5ed60015797c3d1ad9056295ac3b2bb bionic (Android libc) ===================== malloc() size overflow, upstream patch (revised by the developers): https://github.com/android/platform_bionic/commit/7f5aa4f35e23fd37425b3a5041737cdf58f87385 NB: this vulnerability could only be triggered in debug mode, the same as CVE-2009-0607, calloc() size overflow. nedmalloc ========= malloc() size overflow, upstream patch: https://github.com/ned14/nedmalloc/commit/1a759756639ab7543b650a10c2d77a0ffc7a2000 calloc() size overflow, upstream patch: https://github.com/ned14/nedmalloc/commit/2965eca30c408c13473c4146a9d47d547d288db1 Hoard ===== http://www.hoard.org/ malloc() size overflow, confirmed by the developers via email in this March, no upstream patch available (since 3.8). calloc() size overflow, which should only happen on non-glibc platforms (e.g., Mac OS X). It has not been confirmed by the developers, but one can easily reproduce it. boost::pool =========== ordered_malloc() (similar to calloc()) size overflow, upstream patch: https://svn.boost.org/trac/boost/changeset/78326 - xi
Current thread:
- memory allocator upstream patches Xi Wang (Jun 04)
- Re: memory allocator upstream patches Jan Lieskovsky (Jun 07)
- Re: memory allocator upstream patches Kurt Seifried (Jun 07)