malloc and buffer overflow attacks
paolo.invernizzi at gmail.com
Mon Jan 3 12:58:33 UTC 2022
On Friday, 31 December 2021 at 13:52:26 UTC, Paul Backus wrote:
> On Friday, 31 December 2021 at 00:13:56 UTC, Walter Bright
>> While D offers buffer overflow detection, it does not protect
>> against buffer overflows resulting from an array size
>> calculation overflow:
>> T* p = cast(T*)malloc(len * T.sizeof);
>> What if `len*T.sizeof` overflows? malloc() will succeed, but
>> the result will be too small for the data.
> For projects using Phobos, an easy way to avoid this is to use
> [`Mallocator`] and [`makeArray`] from the
> `std.experimental.allocator` package.
> T[] array = Mallocator.instance.makeArray!T(len);
> `makeArray` will perform an overflow check internally and
> return `null` if the check fails.
In the vulnerability described in the article, the 'len'
parameter is the result of a sum overflowing in a previous for
loop, so the problem actually is _outside_ of the allocator.
Anyway, apart from the vulnerability, the described exploit
details are fascinating and terrific at the same time ..."My
other compression format is turing-complete!"
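As an added illustration of the two overflow points discussed in this thread (not code from the original posts, from Phobos, or from the article being discussed): the example below is in C, since that is where `malloc` lives, and it uses constructed element counts, a hypothetical 16-byte record type `T`, and helper names (`naive_total_bytes`, `checked_total_bytes`, `alloc_records`) that are my own. The first input makes the summation loop wrap before the allocator is ever reached, which is Paolo's point; the second keeps `len` in range but makes `len * sizeof(T)` wrap, which is Walter's. The naive path hands `malloc` a tiny size in both cases; the checked path refuses both.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the thread's element type T; 16 bytes wide (hypothetical). */
typedef struct {
    uint64_t key;
    uint64_t value;
} T;

/* Constructed inputs (not from the original post): per-chunk element counts
 * that a loop sums into `len` before the `len * sizeof(T)` multiply. */
static const size_t CONSTRUCTED_SUM_WRAP[2] = { SIZE_MAX - 7, 16 };  /* sum wraps to 8 */
static const size_t CONSTRUCTED_MUL_WRAP[1] = { SIZE_MAX / 16 + 1 }; /* len fits, len*16 wraps to 0 */
static const size_t CONSTRUCTED_OK[2]       = { 3, 5 };              /* 8 elements, 128 bytes */

/* The unchecked pattern: sum counts in a loop, then multiply by sizeof(T).
 * Both steps are modular size_t arithmetic, so the result can be far too small. */
size_t naive_total_bytes(const size_t *counts, size_t n)
{
    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        len += counts[i];            /* can wrap: the bug is already outside the allocator */
    return len * sizeof(T);          /* can wrap again, as in the quoted malloc example */
}

/* Checked version: every addition and the final multiply is tested before it
 * is performed. Returns 0 and stores the byte count on success, -1 on overflow. */
int checked_total_bytes(const size_t *counts, size_t n, size_t *out_bytes)
{
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        if (counts[i] > SIZE_MAX - len)
            return -1;               /* len + counts[i] would exceed SIZE_MAX */
        len += counts[i];
    }
    if (len > SIZE_MAX / sizeof(T))
        return -1;                   /* len * sizeof(T) would exceed SIZE_MAX */
    *out_bytes = len * sizeof(T);
    return 0;
}

/* 1 if the size computation for these counts overflows, 0 if it is sound. */
int size_calc_overflows(const size_t *counts, size_t n)
{
    size_t unused;
    return checked_total_bytes(counts, n, &unused) != 0;
}

/* Allocate only after the size arithmetic has been proven sound. */
T *alloc_records(const size_t *counts, size_t n)
{
    size_t bytes;
    if (checked_total_bytes(counts, n, &bytes) != 0)
        return NULL;                 /* refuse, instead of handing back a too-small block */
    return malloc(bytes);
}

int main(void)
{
    printf("naive bytes, sum wraps: %zu\n", naive_total_bytes(CONSTRUCTED_SUM_WRAP, 2));
    printf("naive bytes, mul wraps: %zu\n", naive_total_bytes(CONSTRUCTED_MUL_WRAP, 1));
    printf("checked, sum wraps:     %s\n",
           size_calc_overflows(CONSTRUCTED_SUM_WRAP, 2) ? "rejected" : "accepted");
    printf("checked, mul wraps:     %s\n",
           size_calc_overflows(CONSTRUCTED_MUL_WRAP, 1) ? "rejected" : "accepted");
    T *p = alloc_records(CONSTRUCTED_OK, 2);
    printf("checked, ok:            %s\n", p ? "allocated 8 records" : "failed");
    free(p);
    return 0;
}
```

The point of splitting the check across both steps is that an overflow-aware `makeArray` only guards the multiply; a `len` that has already wrapped in the caller's loop looks perfectly valid to it. In D the same per-operation checks are available as `addu` and `mulu` in `core.checkedint`, and the summation loop needs them just as much as the allocation call does.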