Re: false assumption or security flaw?
References are not pointers. What you're doing in the first example you
posted is completely legal albeit stupid. No kernel bugs. No compiler
bugs. No C Library bugs. Read up some more on references; I'm assuming
that was supposed to be the C++ reference symbol instead of the C address
of symbol.
Playing with memory after it has been freed has undefined effects. You can
get away with it sometimes on some systems, but a malloc debugger such as
Perens' excellent Electric Fence will catch that kind of thing.
In conclusion, 'a' is not dynamically allocated, it is a reference
('int&').
Tim
--
Tim Robbins
fyre@box3n.gumbynet.org
On Thu, 24 Aug 2000, johan '97 wrote:
> On Thu, 24 Aug 2000, Tim Robbins wrote:
>
> > You're creating a reference of type int (int &) with the value of 8 in a
> > roundabout kind of way. Yuck. That shouldn't dump core because it does
> > nothing wrong, but whatever you're trying to do I'll bet that isn't the
> > right way to do it :)
>
> the fact that i have freed the memory pointed by 'x', but still "legally"
> can be accessed by the reference variable 'a' (shown by the no dumping
> of the program) should imply that this piece of memory can be allocated
> not only to one user/process but also many user/process which can be
> devastating in effect!
>
> i don't know much about how the kernel manages the memory areas to the
> users/processes, so may be a knowledge about how the kernel does things
> in the memory would be helpful here. hints from the experts, please :)
>
> fyi: if i added this code here
> > On Thu, 24 Aug 2000, johan '97 wrote:
> > > #include <stdio.h>
> > > #include <stdlib.h>
> > > int main()
> > > {
> > > int *x=(int*)malloc(sizeof(int));
> > > *x=8;
> > >
> > > int &a=(*x);
> > >
> > > printf("\na dan x : %d %d", a, *x);
> > >
> > > a = 9;
> > >
> > > printf("\na dan x : %d %d", a, *x);
> > >
> > > free(x);
> > >
> > > a=5;
> /*additional code here*/
> free(x);
> > >
> > > return 0;
> > > }
> the program would dump!
> i guess this means that the memory manager considers the memory pointed by
> 'x' does no longer exist, hence the act of changing its content is
> "illegal" , BUT this was proved wrong by the piece of code:
> 'a=5;'
>
> i think this is serious!
>
> johan
> surrendered, i have
>
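Added example (my code, not from either poster): it checks that the reference 'a' in the quoted program is an alias for the same malloc'd int that 'x' points at (same address, writes through one visible through the other), and shows a version where no name for the int outlives free(), so there is nothing left to dangle. Function and struct names here are my own.

```cpp
#include <cstdio>
#include <cstdlib>

// What one run of the quoted program's "reference" step actually shows.
struct AliasReport {
    bool same_address;     // &a == x: the reference is not a second allocation
    bool write_visible;    // a = 9 is seen as *x == 9
    int  value_after_set;  // *x after the write through a
};

// Binds a reference to *x, exactly as the quoted code does, and records
// that 'a' and 'x' name the same bytes. After free(x), 'a' is a dangling
// alias just like 'x' is a dangling pointer; it is not touched here.
AliasReport reference_is_alias() {
    int *x = static_cast<int*>(std::malloc(sizeof(int)));
    if (x == nullptr) std::abort();
    *x = 8;
    int &a = *x;            // no new storage: 'a' is another name for *x
    AliasReport r;
    r.same_address = (&a == x);
    a = 9;
    r.write_visible = (*x == 9);
    r.value_after_set = *x;
    std::free(x);           // from here on, neither 'a' nor 'x' may be used
    return r;
}

// Hardened form of the quoted program: the reference lives in a block that
// ends before free(), so no name for the freed int survives the release,
// and the pointer is nulled so a second free(x) is a defined no-op rather
// than the double free that crashed johan's second run.
int safe_version() {
    int *x = static_cast<int*>(std::malloc(sizeof(int)));
    if (x == nullptr) std::abort();
    int last = 0;
    {
        int &a = *x;
        a = 9;
        last = a;
    }                       // 'a' goes out of scope while *x is still live
    std::free(x);
    x = nullptr;            // free(nullptr) does nothing by definition
    std::free(x);           // the second free is now harmless
    return last;
}
```

Running the quoted original under Electric Fence, which Tim names, or a modern address sanitizer flags the 'a=5;' after free(x) as a write to released memory, which the plain run hides.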
Kernel-audit: discussion list for security and the linux kernel
Archive: http://mail.nl.linux.org/kernel-audit/