[32671] in bugtraq
Re: [ANNOUNCE] glibc heap protection patch
daemon@ATHENA.MIT.EDU (William Robertson)
Wed Dec 3 19:09:43 2003
In-Reply-To: <3FCDDEB3.8050006@nopiracy.de>
Mime-Version: 1.0 (Apple Message framework v606)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Message-Id: <8DDADADF-25DF-11D8-8B1F-000A95675F0E@cs.ucsb.edu>
Content-Transfer-Encoding: 7bit
Cc: sectools@securityfocus.com, bugtraq@securityfocus.com
From: William Robertson <wkr@cs.ucsb.edu>
Date: Wed, 3 Dec 2003 14:25:09 -0800
To: Stefan Esser <se@nopiracy.de>
On Dec 03, 2003, at 05:01, Stefan Esser wrote:
> The last time I checked there was no such check in the unlink macro
> (no matter if debug mode or not).
Ah, ok, I see what you meant. The check I was referring to wasn't in
the unlink macro, but in one of dlmalloc's debugging routines. If you
move it into unlink itself, then it does indeed prevent all unlink
exploits, as you say. I agree that a combination of the two techniques
would theoretically be stronger than each on its own, but I also
believe that using properly randomized magic numbers in practice
guarantees that chunk headers cannot be tampered with. However, you do
get a lot for this simple check, so it makes sense to include it.
Thanks for pointing that out.
> Stefan Esser
--
William Robertson
Reliable Software Group, UC Santa Barbara
http://www.cs.ucsb.edu/~wkr/
