Re: Integer & Heap overflows?

[jnf <lists () innocence-lost net>]

Hi,

phrack.org is probably the best resource for such - specific papers are:

Vudo malloc tricks - http://phrack.org/show.php?p=57&a=8
Once upon a free - http://phrack.org/show.php?p=57&a=9

This next one is the most up to date, however it will be hard(er) to
follow without understanding the concepts in the first two- there were
some changes in the algorithm and this is the only paper I know of that
addresses the changes.

Advanced Doug Lea malloc tricks - http://phrack.org/show.php?p=61&a=6

Now onto the basic 'here is how it works' papers, without all of the haxor
stuff in it- which imho is also imperative, and provides a better
understanding of how it works, which also prepares you for future changes
better than 'here is how to exploit it' papers:

A memory allocator (by doug lea) -
http://gee.cs.oswego.edu/dl/html/malloc.html

Wolfram Gloger's malloc homepage (author of ptmalloc) -
http://gee.cs.oswego.edu/dl/html/malloc.html

Hoard: A scalable memory allocator for multithreaded applications -
ftp://ftp.cs.utexas.edu/pub/emery/papers/asplos2000.pdf


Between all of the above you should not only be busy for a while, but also
get a good understanding of how it works. The most important thing to note
is that the problem w/ malloc()/free() (aside from the part about
overwriting memory in the first place), is that each block of memory
allocated has metadata inline, which causes some sticky situations not
terribly unlike the saved return address on the stack.

For int overflows,

any general c book will at least touch the concept, most of the time its
refered to as being undefined- although they are hardly new (and one could
argue that most arch's support mathmatical instructions that can catch and
overflow and therefore it is possible to stop int overflows from
happening- but thats another topic of conversation)

The best paper I've run across on the subject however, would again be from
phrack: http://phrack.org/show.php?p=60&a=10

As for off-by-one errors, thinks of it like this:


char buf[ MAX_LEN ] ;

buf[ MAX_LEN ] = 'A' ;

say for example MAX_LEN is #define'd as 16, then what the assignment
equates to is:

buf[ 10 ] = 'A' ;

However, as I am sure you know- counting in c starts at 0, so an array
with 10 members will be buf[ 0 ] through buf[ 9 ] , understand?

jnf





--

There are only two choices in life. You either conform the truth to your desire,
or you conform your desire to the truth. Which choice are you making?
On Thu, 16 Dec 2004, Loptr Chaote wrote:

> Date: Thu, 16 Dec 2004 00:27:28 +0100
> From: Loptr Chaote <loptr.chaote () gmail com>
> To: security-basics () securityfocus com
> Subject: Integer & Heap overflows?
>
> Hello!
>
> I was wondering if anyone have good papers/websites lying around
> describing how Integer overflows and Heap overflows (and also the
> "off-by-one"[?] bug, if that is not the same as integer overflow).
>
> I have found several good ones on stack smashing/regular buffer
> overflows, but very little on the above mentioned.
>
> Best regards
>  Loptr Chaote