 
Dailydave mailing list archives
RE: gcc 4.1 security features
From: "Dave Korn" <dave.korn () artimi com>
Date: Fri, 17 Feb 2006 18:42:52 -0000
On 17 February 2006 01:16, Joel Eriksson wrote:
> A more relevant fix was added to glibc-2.3.4 during late august 2004 though:
>
> #define unlink(P, BK, FD) {                                            \
>   FD = P->fd;                                                          \
>   BK = P->bk;                                                          \
>   if (__builtin_expect (FD->bk != P || BK->fd != P, 0))                \
>     malloc_printf_nc (check_action,                                    \
>                       "corrupted double-linked list at %p!\n", P);     \
>   FD->bk = BK;                                                         \
>   BK->fd = FD;                                                         \
> }
>
> By checking that p->fd->bk == p && p->bk->fd == p before unlinking,
> basically all unlink() based attacks are defeated.
>
> But.. Of course this is no silver bullet either. It stops the unlink()-based attacks, but small chunks (called "fastchunks") are not placed in double-linked lists and thus there are no back-pointers to check. A free()'d fastchunk contains only one pointer, to the next chunk in the list of free chunks of that size. Overwriting a fastchunk = Controlling what pointer a later call to malloc() is going to return. Very convenient. :) Note that fastchunks are also useful for exploiting certain double free() bugs.
It should be commented that fastchunks are also at the heart of the vulnerabilities explained in the "Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass" paper.

http://www.maxpatrol.com/defeating-xpsp2-heap-protection.htm

cheers,
DaveK
--
Can't think of a witty .sigline today....
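To make the quoted glibc-2.3.4 check concrete, here is an added example (not code from the thread or from glibc) that models a doubly-linked bin with a simplified chunk header and shows the unlink refusing to write when a chunk's fd has been overwritten so that its neighbour no longer points back. The struct layout, the sentinel head and the corruption scenario are assumptions for illustration; glibc's real chunk header and bin handling are more involved.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a free chunk in a glibc-style "normal" bin (constructed for illustration). */
struct chunk {
    size_t size;
    struct chunk *fd;   /* forward link in the doubly-linked free list */
    struct chunk *bk;   /* backward link in the doubly-linked free list */
};

/* Circular doubly-linked bin with a sentinel head, as in glibc's normal bins. */
static void bin_init(struct chunk *head) { head->fd = head; head->bk = head; }

/* Insert p right after the head (glibc inserts at the front for unsorted/small bins). */
static void bin_insert(struct chunk *head, struct chunk *p) {
    p->fd = head->fd;
    p->bk = head;
    head->fd->bk = p;
    head->fd = p;
}

/* The quoted glibc-2.3.4 check: only unlink when both neighbours point back at p.
 * Returns 1 when p was unlinked, 0 when the list looks corrupted (nothing is written). */
static int unlink_checked(struct chunk *p) {
    struct chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p) {
        fprintf(stderr, "corrupted double-linked list at %p!\n", (void *)p);
        return 0;
    }
    fd->bk = bk;
    bk->fd = fd;
    return 1;
}

/* Walk the bin from the head; only valid while the list is intact. */
static int bin_length(const struct chunk *head) {
    int n = 0;
    for (const struct chunk *c = head->fd; c != head; c = c->fd) n++;
    return n;
}

/* Scenario: three free chunks, then b's fd is overwritten (simulated header overflow) to
 * point at a fake chunk whose bk does not point back at b. Returns the check's verdict. */
static int demo_corrupted_unlink(void) {
    struct chunk head, a, b, c, fake = {0, NULL, NULL};
    bin_init(&head);
    bin_insert(&head, &a); bin_insert(&head, &b); bin_insert(&head, &c);
    b.fd = &fake;               /* fake.bk != &b, so the check fires */
    return unlink_checked(&b);  /* 0: rejected, no pointer write happens */
}
```

The fastchunk case the poster describes has no equivalent check to model here: a fastbin entry carries only a single forward pointer, so there is no second link to compare against.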