decoration decoration
Stories

GROKLAW
When you want to know more...
decoration
For layout only
Home
Archives
Site Map
Search
About Groklaw
Awards
Legal Research
Timelines
ApplevSamsung
ApplevSamsung p.2
ArchiveExplorer
Autozone
Bilski
Cases
Cast: Lawyers
Comes v. MS
Contracts/Documents
Courts
DRM
Gordon v MS
GPL
Grokdoc
HTML How To
IPI v RH
IV v. Google
Legal Docs
Lodsys
MS Litigations
MSvB&N
News Picks
Novell v. MS
Novell-MS Deal
ODF/OOXML
OOXML Appeals
OraclevGoogle
Patents
ProjectMonterey
Psystar
Quote Database
Red Hat v SCO
Salus Book
SCEA v Hotz
SCO Appeals
SCO Bankruptcy
SCO Financials
SCO Overview
SCO v IBM
SCO v Novell
SCO:Soup2Nuts
SCOsource
Sean Daly
Software Patents
Switch to Linux
Transcripts
Unix Books

Gear

Groklaw Gear

Click here to send an email to the editor of this weblog.


You won't find me on Facebook


Donate

Donate Paypal


No Legal Advice

The information on Groklaw is not intended to constitute legal advice. While Mark is a lawyer and he has asked other lawyers and law students to contribute articles, all of these articles are offered to help educate, not to provide specific legal advice. They are not your lawyers.

Here's Groklaw's comments policy.


What's New

STORIES
No new stories

COMMENTS last 48 hrs
No new comments


Sponsors

Hosting:
hosted by ibiblio

On servers donated to ibiblio by AMD.

Webmaster
Brilliant! | 128 comments | Create New Account
Comments belong to whoever posts them. Please notify us of inappropriate comments.
Brilliant!
Authored by: Anonymous on Saturday, January 26 2013 @ 12:30 AM EST
It will work for some implementations of malloc.

Some versions of malloc work by knowing where the end of the
program is, and then asking the kernel to add a bit to the
top of the program when it's needed. When the top chunks of
allocated memory are no longer needed, malloc hands them
back to the kernel. Read the man pages for rbrk/sbrk to
understand how this works.

Malloc can keep adding a bit until they hit the stack, which
will be more or less known on some systems.

So the way this works is to call malloc a whole bunch of
times for relatively small chunks. After whaterver
fragmentation that already exists is filled up, malloc will
start returning sequential blocks of memory.

So when you run out of memory, if you start freeing the last
chunks of memory allocated, they will be right below the
stack. So you have a pretty good idea of where they are.
Windows is especially vulnerable here since the stack size
and location is specified in the executable, but I think
most operating systems could still be exploited in practice.

Then if you load a DLL, there is really only one place it
can go. So you know where that is.

If you use a version of malloc based on mmap, then mmap
should return memory from randomized spots in the address
space. So when you run out of memory, there is no way of
knowing where the last few chunks came from. This will
defeat the attack. It also makes it easier to load dll's
since they can be intermingled with heap memory without
trouble.

[ Reply to This | Parent | # ]

Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )