Bugtraq mailing list archives

Re: libresolv+ bug


From: proff () suburbia net (Julian Assange)
Date: Thu, 22 Aug 1996 10:53:36 +1000


A simple and reasonably efficient implementation would simply arrange for
arrays to be allocated at the end of a hardware memory page.  So, assuming
a CPU with a stack that grows downward, 4-byte ints and 4K pages, we have
memory that might look like this:

        0x00122000: 4096 unallocated, read/write prohibited bytes
        0x00123000: 3996 unallocated bytes
                    100 bytes for 'buf'
        0x00124000: 4096 unallocated, read/write prohibited bytes
        0x00125000: 3096 unallocated bytes
                    1000 bytes for 'buf2'
        0x00126000: 4096 unallocated, read/write prohibited bytes
        0x00127000: unknown number of unallocated bytes
                    12 bytes for a, b, and c
                    stack frame for 'foo'
                    foo's caller's automatic variables and frame
                    foo's caller's caller's automatic variables and frame

It's mostly safe to allow the stack frame for a function that is called
by 'foo' to appear immediately before 'buf', but not safe to allow the
non-array variables (a, b, c) to be there.  Any buffer overrun at the high
end of the buffer would cause a segmentation fault, but a buffer underrun
at the low end of the buffer would silently clobber anything else in
the same page.  It would be caught if the overrun hit the low end of the
page.

There is a malloc debugging package called "Electric Fence", developed at Pixar,
which does just this.

--
"Of all tyrannies a tyranny sincerely  exercised for the good of its victims
 may be the most  oppressive.  It may be better to live under  robber barons
 than  under  omnipotent  moral busybodies.  The robber baron's  cruelty may
 sometimes sleep,  his cupidity may at some point be satiated; but those who
 torment us for our own good  will torment us  without end,  for they do so with
 the approval of their own conscience."    -   C.S. Lewis, _God in the Dock_
+---------------------+--------------------+----------------------------------+
|Julian Assange RSO   | PO Box 2031 BARKER | Secret Analytic Guy Union        |
|proff () suburbia net   | VIC 3122 AUSTRALIA | finger for PGP key hash ID =     |
|proff () gnu ai mit edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+---------------------+--------------------+----------------------------------+
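The guard-page scheme described in the post, as an added example (not from the post, and not Electric Fence's own source): a minimal allocator in C that puts each buffer at the end of its own mapping with a PROT_NONE page directly after it, plus a probe that catches the resulting fault so the three cases (in-bounds write, one-byte overrun, one-byte underrun) can be checked in a single run. guard_malloc, guard_free, write_faults and demo are names chosen for this example; the sized free is a simplification of what a real debugging allocator does with its own bookkeeping.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Page size of the running system (the post assumes 4K; this adapts). */
static size_t page_size(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    return ps > 0 ? (size_t)ps : 4096;
}

static size_t data_pages_for(size_t size, size_t ps)
{
    size_t n = (size + ps - 1) / ps;
    return n ? n : 1;
}

/* Allocate 'size' bytes so the last byte sits immediately before a
 * PROT_NONE guard page.  One allocation = N data pages + 1 guard page:
 *   [ unused ... | size bytes for the caller ][ guard page, no access ]
 * Overruns past the high end fault; underruns stay inside the data page
 * and are not caught, exactly as the post describes.  No alignment
 * padding is added, so the end of the buffer is byte-exact. */
void *guard_malloc(size_t size)
{
    size_t ps = page_size();
    size_t n = data_pages_for(size, ps);
    size_t len = (n + 1) * ps;
    unsigned char *map = mmap(NULL, len, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map == MAP_FAILED)
        return NULL;
    if (mprotect(map + n * ps, ps, PROT_NONE) != 0) {   /* the guard */
        munmap(map, len);
        return NULL;
    }
    return map + n * ps - size;
}

/* Sized free: the mapping base is recomputed from the pointer and size
 * (a simplification chosen for this example). */
void guard_free(void *p, size_t size)
{
    size_t ps = page_size();
    size_t n = data_pages_for(size, ps);
    unsigned char *map = (unsigned char *)p + size - n * ps;
    munmap(map, (n + 1) * ps);
}

/* Fault probe: write one byte at 'addr' and report whether it trapped.
 * SIGSEGV (SIGBUS on some systems) from the guard page is caught and
 * turned into a return value so the experiment can continue. */
static sigjmp_buf fault_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

int write_faults(volatile unsigned char *addr)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int faulted = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(fault_env, 1) == 0)
        *addr = 0x41;      /* the probe write */
    else
        faulted = 1;       /* reached via siglongjmp from on_fault */

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* The post's 100-byte 'buf'.  Returns a bitmask: bit 0 = in-bounds write
 * succeeded, bit 1 = one-byte overrun faulted, bit 2 = one-byte underrun
 * went through silently.  All three together give 7. */
int demo(void)
{
    const size_t n = 100;
    unsigned char *buf = guard_malloc(n);
    int result = 0;
    if (!buf)
        return -1;
    if (!write_faults(buf + n - 1)) result |= 1;   /* last valid byte */
    if (write_faults(buf + n))      result |= 2;   /* hits the guard */
    if (!write_faults(buf - 1))     result |= 4;   /* same page: silent */
    guard_free(buf, n);
    return result;
}

int main(void)
{
    printf("demo() = %d\n", demo());   /* prints 7 */
    return 0;
}
```

The underrun case is the point of the post's "mostly safe" qualifier: the write at buf - 1 lands in the unused part of the data page and raises no signal at all, so this layout only catches one direction of corruption per buffer. Electric Fence addresses that with an option to put the guard page below the buffer instead, which trades overrun detection for underrun detection.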


