Re: false assumption or security flaw? (fwd)
Hi,
After you free that chunk of memory, the page it is in probably still
belongs to that process, so it cannot be 'shared' with other processes.
Nothing serious here. However, the glibc memory allocator will probably
put some of its own stuff in that chunk of memory and might hand it out to
another malloc() call later on in your program. In essence, you're causing
random memory corruption. Things like Electric Fence are meant to help
catch these programming errors (because, yes, they are considered
programming errors).
I think you need to read a good book on operating system internals.
greetings,
Lennert
On Thu, 24 Aug 2000, johan '97 wrote:
> > You're creating a reference of type int (int &) with the value of 8 in a
> > roundabout kind of way. Yuck. That shouldn't dump core because it does
> > nothing wrong, but whatever you're trying to do I'll bet that isn't the
> > right way to do it :)
>
> the fact that i have freed the memory pointed by 'x', but still "legally"
> can be accessed by the reference variable 'a' (shown by the no dumping
> of the program) should imply that this piece of memory can be allocated
> not only to one user/process but also many user/process which can be
> devastating in effect!
>
> i don't know much about how the kernel manages the memory areas to the
> users/processes, so maybe some knowledge about how the kernel does things
> in the memory would be helpful here. hints from the experts, please :)
>
> fyi: if i added this code here
> > On Thu, 24 Aug 2000, johan '97 wrote:
> > > #include <stdio.h>
> > > #include <stdlib.h>
> > > int main()
> > > {
> > > int *x=(int*)malloc(sizeof(int));
> > > *x=8;
> > >
> > > int &a=(*x);
> > >
> > > printf("\na dan x : %d %d", a, *x);
> > >
> > > a = 9;
> > >
> > > printf("\na dan x : %d %d", a, *x);
> > >
> > > free(x);
> > >
> > > a=5;
> /*additional code here*/
> free(x);
> > >
> > > return 0;
> > > }
> the program would dump!
> i guess this means that the memory manager considers the memory pointed by
> 'x' does no longer exist, hence the act of changing its content is
> "illegal" , BUT this was proved wrong by the piece of code:
> 'a=5;'
>
> i think this is serious!
>
> johan
> surrendered, i have
Kernel-audit: discussion list for security and the linux kernel
Archive: http://mail.nl.linux.org/kernel-audit/
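Lennert's point is that the freed chunk stays mapped in the process, so the stale write in johan's program lands on allocator metadata or on a chunk a later malloc() hands out, and only a debug allocator such as Electric Fence makes the error visible. The following is an added example, not code from the thread: a minimal Electric-Fence-style tracking allocator (the names `dbg_malloc`, `dbg_free`, `dbg_store_int` and the fixed-size table are constructed for this illustration) that reports a write through a freed pointer and a second free() instead of letting them corrupt the heap.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not from the thread: an Electric-Fence-style debug allocator
 * that records each chunk's state so stale writes and double frees are caught. */
enum chunk_state { SLOT_EMPTY = 0, CHUNK_LIVE, CHUNK_FREED };
struct chunk { char *ptr; size_t size; enum chunk_state state; };

#define MAX_CHUNKS 64                      /* constructed: fixed-size table */
static struct chunk chunks[MAX_CHUNKS];

/* Allocate and register a chunk; NULL if libc or the table is exhausted. */
void *dbg_malloc(size_t n) {
    for (int i = 0; i < MAX_CHUNKS; i++) {
        if (chunks[i].state != SLOT_EMPTY) continue;
        char *p = malloc(n);
        if (p) chunks[i] = (struct chunk){ p, n, CHUNK_LIVE };
        return p;
    }
    return NULL;
}

/* Poison and quarantine a chunk (it is not returned to libc, so its address
 * cannot be recycled by a later malloc() and a stale pointer stays
 * recognisable). 0 on success, -1 on double free, -2 for a foreign pointer. */
int dbg_free(void *p) {
    for (int i = 0; i < MAX_CHUNKS; i++) {
        struct chunk *c = &chunks[i];
        if (c->state == SLOT_EMPTY || c->ptr != (char *)p) continue;
        if (c->state == CHUNK_FREED) return -1;
        memset(c->ptr, 0xAB, c->size);
        c->state = CHUNK_FREED;
        return 0;
    }
    return -2;
}

/* Write an int through p only if p lies inside a live chunk; -1 otherwise
 * (this is the check johan's "a = 5" after free(x) would trip). */
int dbg_store_int(int *p, int v) {
    char *q = (char *)p;
    for (int i = 0; i < MAX_CHUNKS; i++) {
        struct chunk *c = &chunks[i];
        if (c->state == CHUNK_LIVE && q >= c->ptr && q + sizeof v <= c->ptr + c->size) {
            *p = v;
            return 0;
        }
    }
    return -1;
}
```

Real tools do the same bookkeeping at page granularity with guard pages, so the faulting access traps in hardware rather than passing through a wrapper call.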