Re: gcc 4.1 security features

["Matt Conover" <mconover () gmail com>]

> By checking that p->fd->bk == p && p->bk->fd == p before unlinking,
basically all
> unlink() based attacks are defeated

I am not so familiar with the Unix heap implementation these days... but if
the heap makes use of circular, doubly-linked lists to contain a list of
free chunks (i think dlmalloc bins fit this description if my memory serves
me) at predictable locations in memory, this can be defeated.

it is the same case with windows "safe unlinking check" for free lists in
the windows heap implementation. it works when both the list head's forward
and backward pointer point to the same chunk (head->flink == head->blink ==
p, p->flink == head, p->blink == head).

if you free a chunk such that you can predict where in memory the freelist
head and that it is the only chunk on the free list, then  p->fd->bk == p &&
p->bk->fd == p check can be defeated by swapping the pointers, because the
check will still pass, but later unlinking this leads to arbitrary memory
overwrites. if what i said is not clear, look at slides 36-41 which give a
more visual representation:
http://www.cybertech.net/~sh0ksh0k/projects/winheap/XPSP2%20Heap%20Exploitation.ppt
those slides specifically talk about defeating the chunk->blink->flink ==
chunk->flink->blink == chunk case for windows freelist on xpsp2.

i have no idea if it's applicable to dlmalloc and related heap
implementations, any idea?