Bugtraq mailing list archives
Re: [ANNOUNCE] glibc heap protection patch
From: Stefan Esser <stefan () suspekt org>
Date: Tue, 02 Dec 2003 15:03:42 +0100
Hello, I looked onto your site for a few seconds and saw that you use magic values.
I'd just like to announce that we have a heap protection system for glibc available for download. The system detects and prevents all heap overflow exploits that modify inline control information from succeeding against a protected application, can be installed system-wide or on a per-process basis using LD_PRELOAD, and is transparent to existing applications.
Nice advertisement but you should underline the fact, that it only protects against glibc malloc()/free() problems. There are a number of software packages that implement their own heap wrappers or work with linked lists. They still are vulnerable to heap overflows. f.e. PHP. And on the other hand there is a much simpler way to protect any unlink from a linked list from ever beeing exploited. 1.5 years ago I added code to my glibc (and to the PHP malloc/free wrappers (only on my system cause PHP group wanted this code not in official Zend Engine)) that simply checks on unlink if my backward pointed block really points with his forward pointer to me and if my forward pointed block points with his backward pointer to me. This makes the unlink process unexploitable, while your approach is still attackable if someone guessed the magic value. (Even if that sounds unrealistic it is still possible.) The unlink macro would then look like #define unlink(P, BK, FD) { \ FD = P->fd; \ BK = P->bk; \ if (FD->bk != P || BK->fd != P) ATTACK_ON_UNLINK; \ FD->bk = BK; \ BK->fd = FD; \ } (I am writing this down from my memory, I have the code not here at the moment) Stefan Esser
Current thread:
- [ANNOUNCE] glibc heap protection patch William Robertson (Dec 01)
- Re: [ANNOUNCE] glibc heap protection patch Stefan Esser (Dec 02)
- Re: [ANNOUNCE] glibc heap protection patch William Robertson (Dec 02)
- Re: [ANNOUNCE] glibc heap protection patch Stefan Esser (Dec 03)
- Re: [ANNOUNCE] glibc heap protection patch William Robertson (Dec 03)
- Re: [ANNOUNCE] glibc heap protection patch William Robertson (Dec 02)
- Re: [ANNOUNCE] glibc heap protection patch Stefan Esser (Dec 02)
- Re: [ANNOUNCE] glibc heap protection patch Eugene Tsyrklevich (Dec 02)
- Re: [ANNOUNCE] glibc heap protection patch William Robertson (Dec 02)
- Re: [ANNOUNCE] glibc heap protection patch Han Boetes (Dec 03)
- Re: [ANNOUNCE] glibc heap protection patch Adam Shostack (Dec 04)
- Re: [ANNOUNCE] glibc heap protection patch Jim Knoble (Dec 04)
- Re: [ANNOUNCE] glibc heap protection patch William Robertson (Dec 02)
- Message not available
- Re: [ANNOUNCE] glibc heap protection patch William Robertson (Dec 04)
- <Possible follow-ups>
- Re: [ANNOUNCE] glibc heap protection patch xenophi1e (Dec 03)