malloc and buffer overflow attacks

Paolo Invernizzi paolo.invernizzi at gmail.com
Mon Jan 3 12:58:33 UTC 2022


On Friday, 31 December 2021 at 13:52:26 UTC, Paul Backus wrote:
> On Friday, 31 December 2021 at 00:13:56 UTC, Walter Bright 
> wrote:
>> While D offers buffer overflow detection, it does not protect 
>> against buffer overflows resulting from an array size 
>> calculation overflow:
>>
>>     T* p = cast(T*)malloc(len * T.sizeof);
>>
>> What if `len*T.sizeof` overflows? malloc() will succeed, but 
>> the result will be too small for the data.
>
> For projects using Phobos, an easy way to avoid this is to use 
> [`Mallocator`][1] and [`makeArray`][2] from the 
> `std.experimental.allocator` package.
>
>     T[] array = Mallocator.instance.makeArray!T(len);
>
> `makeArray` will perform an overflow check internally and 
> return `null` if the check fails.
>
> [1]: 
> https://dlang.org/library/std/experimental/allocator/mallocator/mallocator.html
> [2]: 
> https://dlang.org/library/std/experimental/allocator/make_array.html

In the vulnerability described in the article, the 'len' 
parameter is the result of a sum overflowing in a previous for 
loop, so the problem actually is _outside_ of the allocator.

Anyway, apart from the vulnerability, the described exploit 
details are fascinating and terrific at the same time ... "My 
other compression format is Turing-complete!"
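A worked illustration of that point, added here as an example (not code from the thread or from Phobos), written in C rather than D because the pattern is identical: the length is summed in a loop before any allocator sees it, so a multiplication check inside `makeArray` cannot catch it, and the sum has to be checked too. It assumes a GCC/Clang compiler for `__builtin_add_overflow` / `__builtin_mul_overflow`; the chunk tables are constructed inputs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed input: per-chunk lengths as a decoder might read from a
   container header. wrap_chunks is built so the sum wraps; mul_chunks so
   the sum is fine but the later multiply by the element size wraps. */
typedef struct { size_t len; } chunk_t;
static const chunk_t wrap_chunks[]  = { { SIZE_MAX - 8 }, { 16 } };
static const chunk_t mul_chunks[]   = { { SIZE_MAX / 2 + 1 } };
static const chunk_t small_chunks[] = { { 4 }, { 5 } };

/* The pattern from the thread: the sum silently wraps inside the loop, so
   a later malloc(len * sizeof(T)) receives a tiny, wrong length. */
size_t total_len_unchecked(const chunk_t *c, size_t n) {
    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        len += c[i].len;
    return len;
}

/* Hardened version: both the running sum and the final product are
   checked, using the GCC/Clang overflow builtins (assumed available). */
bool total_bytes_checked(const chunk_t *c, size_t n, size_t elem_size,
                         size_t *out_bytes) {
    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        if (__builtin_add_overflow(len, c[i].len, &len))
            return false;               /* sum wrapped: refuse */
    return !__builtin_mul_overflow(len, elem_size, out_bytes);
}

/* Allocate only when the whole size computation was sound. */
void *alloc_elems(const chunk_t *c, size_t n, size_t elem_size) {
    size_t bytes;
    if (!total_bytes_checked(c, n, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void) {
    printf("unchecked sum of wrapping table: %zu\n",
           total_len_unchecked(wrap_chunks, 2));      /* prints 7 */
    printf("checked alloc of wrapping table: %s\n",
           alloc_elems(wrap_chunks, 2, 8) ? "ok" : "refused");
    void *p = alloc_elems(small_chunks, 2, 8);
    printf("checked alloc of small table: %s\n", p ? "ok" : "refused");
    free(p);
    return 0;
}
```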




More information about the Digitalmars-d mailing list