[25005] in bugtraq


Re: VNC Security Bulletin - zlib double free issue (multiple vendors and versions)

daemon@ATHENA.MIT.EDU (Nick Lamb)
Mon Apr 8 23:44:06 2002

Date: Sat, 6 Apr 2002 14:12:44 +0100
From: Nick Lamb <njl98r@ecs.soton.ac.uk>
To: bugtraq@securityfocus.com
Message-ID: <20020406141243.A4802@ecs.soton.ac.uk>
Mail-Followup-To: bugtraq@securityfocus.com
In-Reply-To: <DEA38DBA-487E-11D6-908D-00039355CFA6@suespammers.org>; from asd@suespammers.org on Fri, Apr 05, 2002 at 05:21:19AM -0500

On Fri, Apr 05, 2002 at 05:21:19AM -0500, Anthony DeRobertis wrote:
>      for (x = 0; x < 10000; ++x) {
>          ptr = malloc(123456);
>          free(ptr);
>          free(ptr);   /* deliberate double free */
>      }

Thought experiment: Allocate 1 million x 1 Kb chunks, free them but
keep the pointers. Now allocate 1 million x 1 Kb chunks but hang on
to them. Now free the first lot of pointers again. How does the system
know that this is a double free()?

Maybe someone can explain to me how they distinguish between 0x4007fec0
which is a pointer to a 512 byte struct that I just alloc'ed, and
0x4007fec0 which is a pointer to a 64Kb buffer that I free'd half an
hour ago? I think the answer is "they don't" and therefore this
"protection" is a nice developer's diagnostic but not a protection
feature for users.

Has anyone analysed the zlib bug and checked that exploits MUST trigger
double free protection on BSD? Or is this just supposition based on
black box testing and not much real thought? What about multi-threaded
apps where the zlib calls may be happening in tandem with other code
that uses the allocator?

Maybe more people should re-read the OpenBSD security philosophy. All
bugs are potential security holes. Fix the bugs.

Nick.

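A toy model of the thought experiment above, added here as an example and not part of the original post or of any real allocator: a slab with a per-slot "in use" flag catches the back-to-back free(ptr); free(ptr) from the quoted loop, but not the delayed case where the chunk has already been handed out again and the stale free quietly releases the new owner's memory. The allocator, slot count and function names are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed toy allocator (not any real libc): fixed 1 KB slots with a
 * per-slot "in use" flag. Its only double-free check is "is this slot
 * already marked free?", the kind of check the post is questioning. */
#define SLOTS 4
#define SLOT_SIZE 1024
enum free_result { FREE_OK, FREE_DOUBLE, FREE_BAD_PTR };
static unsigned char slab[SLOTS][SLOT_SIZE];
static bool in_use[SLOTS];

static void toy_reset(void) {
    for (size_t i = 0; i < SLOTS; i++) in_use[i] = false;
}

static void *toy_malloc(void) {            /* first free slot wins */
    for (size_t i = 0; i < SLOTS; i++)
        if (!in_use[i]) { in_use[i] = true; return slab[i]; }
    return NULL;
}

static enum free_result toy_free(void *p) {
    for (size_t i = 0; i < SLOTS; i++) {
        if (p != slab[i]) continue;
        if (!in_use[i]) return FREE_DOUBLE; /* already free: caught */
        in_use[i] = false;
        return FREE_OK;
    }
    return FREE_BAD_PTR;
}

/* Case 1: free(p); free(p) back to back, as in the quoted loop. Caught. */
enum free_result immediate_double_free(void) {
    toy_reset();
    void *p = toy_malloc();
    toy_free(p);
    return toy_free(p);
}

/* Case 2, the thought experiment: free p, reallocate (slot reused), then
 * free the stale pointer. The slot is marked in use, so the check passes and
 * the new owner's memory is released behind its back; true when that happened. */
bool delayed_double_free_undetected(void) {
    toy_reset();
    void *stale = toy_malloc();
    toy_free(stale);
    void *owner = toy_malloc();             /* same address as stale */
    enum free_result r = toy_free(stale);   /* second free of stale */
    return owner == stale && r == FREE_OK && !in_use[0];
}
```

Real allocators keep richer metadata than one flag, but once a chunk has been reallocated the second free looks like a legitimate free of a live chunk, which is the point of the post.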
