Security Basics mailing list archives
Re: Integer & Heap overflows?
From: jnf <lists () innocence-lost net>
Date: Thu, 16 Dec 2004 14:32:35 -0700 (MST)
Hi, phrack.org is probably the best resource for such - specific papers are: Vudo malloc tricks - http://phrack.org/show.php?p=57&a=8 Once upon a free - http://phrack.org/show.php?p=57&a=9 This next one is the most up to date, however it will be hard(er) to follow without understanding the concepts in the first two- there were some changes in the algorithm and this is the only paper I know of that addresses the changes. Advanced Doug Lea malloc tricks - http://phrack.org/show.php?p=61&a=6 Now onto the basic 'here is how it works' papers, without all of the haxor stuff in it- which imho is also imperative, and provides a better understanding of how it works, which also prepares you for future changes better than 'here is how to exploit it' papers: A memory allocator (by doug lea) - http://gee.cs.oswego.edu/dl/html/malloc.html Wolfram Gloger's malloc homepage (author of ptmalloc) - http://gee.cs.oswego.edu/dl/html/malloc.html Hoard: A scalable memory allocator for multithreaded applications - ftp://ftp.cs.utexas.edu/pub/emery/papers/asplos2000.pdf Between all of the above you should not only be busy for a while, but also get a good understanding of how it works. The most important thing to note is that the problem w/ malloc()/free() (aside from the part about overwriting memory in the first place), is that each block of memory allocated has metadata inline, which causes some sticky situations not terribly unlike the saved return address on the stack. For int overflows, any general c book will at least touch the concept, most of the time its refered to as being undefined- although they are hardly new (and one could argue that most arch's support mathmatical instructions that can catch and overflow and therefore it is possible to stop int overflows from happening- but thats another topic of conversation) The best paper I've run across on the subject however, would again be from phrack: http://phrack.org/show.php?p=60&a=10 As for off-by-one errors, thinks of it like this: char buf[ MAX_LEN ] ; buf[ MAX_LEN ] = 'A' ; say for example MAX_LEN is #define'd as 16, then what the assignment equates to is: buf[ 10 ] = 'A' ; However, as I am sure you know- counting in c starts at 0, so an array with 10 members will be buf[ 0 ] through buf[ 9 ] , understand? jnf -- There are only two choices in life. You either conform the truth to your desire, or you conform your desire to the truth. Which choice are you making? On Thu, 16 Dec 2004, Loptr Chaote wrote:
Date: Thu, 16 Dec 2004 00:27:28 +0100 From: Loptr Chaote <loptr.chaote () gmail com> To: security-basics () securityfocus com Subject: Integer & Heap overflows? Hello! I was wondering if anyone have good papers/websites lying around describing how Integer overflows and Heap overflows (and also the "off-by-one"[?] bug, if that is not the same as integer overflow). I have found several good ones on stack smashing/regular buffer overflows, but very little on the above mentioned. Best regards Loptr Chaote
Current thread:
- Integer & Heap overflows? Loptr Chaote (Dec 16)
- Re: Integer & Heap overflows? Ron (Dec 16)
- Re: Integer & Heap overflows? jnf (Dec 17)
- Re: Integer & Heap overflows? jnf (Dec 16)
- Re: Integer & Heap overflows? Konstantin Rozinov (Dec 17)
- Re: Integer & Heap overflows? Ron (Dec 16)