Dailydave mailing list archives
Re: gcc 4.1 security features
From: "Matt Conover" <mconover () gmail com>
Date: Mon, 20 Feb 2006 19:33:17 -0800
By checking that p->fd->bk == p && p->bk->fd == p before unlinking,
basically all
unlink() based attacks are defeated
I am not so familiar with the Unix heap implementation these days... but if the heap makes use of circular, doubly-linked lists to contain a list of free chunks (i think dlmalloc bins fit this description if my memory serves me) at predictable locations in memory, this can be defeated. it is the same case with windows "safe unlinking check" for free lists in the windows heap implementation. it works when both the list head's forward and backward pointer point to the same chunk (head->flink == head->blink == p, p->flink == head, p->blink == head). if you free a chunk such that you can predict where in memory the freelist head and that it is the only chunk on the free list, then p->fd->bk == p && p->bk->fd == p check can be defeated by swapping the pointers, because the check will still pass, but later unlinking this leads to arbitrary memory overwrites. if what i said is not clear, look at slides 36-41 which give a more visual representation: http://www.cybertech.net/~sh0ksh0k/projects/winheap/XPSP2%20Heap%20Exploitation.ppt those slides specifically talk about defeating the chunk->blink->flink == chunk->flink->blink == chunk case for windows freelist on xpsp2. i have no idea if it's applicable to dlmalloc and related heap implementations, any idea?
Current thread:
- gcc 4.1 security features Matt (Feb 16)
- Re: gcc 4.1 security features Gadi Evron (Feb 16)
- Re: gcc 4.1 security features Halvar Flake (Feb 16)
- Re: gcc 4.1 security features Joel Eriksson (Feb 16)
- Re: gcc 4.1 security features Hikaru Gosun (Feb 17)
- Re: gcc 4.1 security features Angelo Dell'Aera (Feb 17)
- RE: gcc 4.1 security features Dave Korn (Feb 18)
- Re: gcc 4.1 security features Matt Conover (Feb 21)
- Re: gcc 4.1 security features Gadi Evron (Feb 16)
- Re: gcc 4.1 security features Eduardo Tongson (Feb 17)
- <Possible follow-ups>
- Re: gcc 4.1 security features Phantasmal Phantasmagoria (Feb 21)