Vulnerability Development mailing list archives
safe mallocs (was Re: vulndev-1 and a suggestion about the ensuing discussion)
From: Bennett Todd <bet () rahul net>
Date: Thu, 15 May 2003 21:49:31 -0400
2003-05-15T12:46:57 xenophi1e:
On a related note, how many ways are there of preventing this sort of error, or at least preventing it from being a security issue? [...] 2) Use canaries in the allocator. What's the best way to do this? For one byte overflows a simple value at the end that's difficult to guess would have saved this snippet from being 0wn3d. What about a longer overflow as might have resulted from using strcpy?
For immediate detection you need something cleverer; in the worst case, you've gotta enlist the aid of the vm subsystem. But sufficient for this case, and possibly enough to be of some general use, is a strategy I used in an emalloc() wrapper I wrote back in the '80s, part of libbent, dunno if that's still around anywhere, I don't have a copy anymore. It started by my just making a library of things I did so often I could type 'em without having to think, the first was probably FILE *efopen(char *name, char *mode) { FILE *ret; if (ret = fopen(name, mode)) { return ret; } (void) fprintf(stderr, "%s: %s: %s\n", progname, name, strerr(errno)); exit(1); } (that may be slightly off, it's been maybe 15 years since I've typed it:-). When I got around to wrapping malloc, I decided to get a smigeon cleverer. I wrapped so emalloc returned a char *, just like malloc, but the char* it returned was the result of mallocing the original size(rounded up to pessimal alignment) + 2*sizeof(somestruct), where somestruct was constructed to be pessimally aligned, and had a canary, as well as a length field. The original malloc request length got stuffed into the length field in the struct at the beginning and end, and both structs had their canary fields initialized as well. erealloc and efree checked to make sure the ptrs they were handed had prepended valid canary struct, used the length in it to find and check the trailing one, then freed the "real" malloc pointer to the beginning of the prepended malloc struct. I can't recall it ever actually helping me by catching a bug, but it pleased me at the time. -Bennett
Attachment:
_bin
Description:
Current thread:
- vulndev-1 and a suggestion about the ensuing discussion Bernie Cosell (May 15)
- <Possible follow-ups>
- Re: vulndev-1 and a suggestion about the ensuing discussion xenophi1e (May 15)
- possible format string in ultra edit 8.00 Thijs Dalhuijsen (May 16)
- safe mallocs (was Re: vulndev-1 and a suggestion about the ensuing discussion) Bennett Todd (May 16)
- RE: vulndev-1 and a suggestion about the ensuing discussion Michael Wojcik (May 15)
- Re: vulndev-1 and a suggestion about the ensuing discussion xenophi1e (May 16)
- Re: vulndev-1 and a suggestion about the ensuing discussion Valdis . Kletnieks (May 17)