This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[Bug libc/18292] Invalid pointer dereference in nsswitch.c:nss_new_service()


https://sourceware.org/bugzilla/show_bug.cgi?id=18292

--- Comment #1 from Justin N. Ferguson <jf at ownco dot net> ---
repro:
set prev_size member of chunk to non-zero value that doesn't properly
dereference. execute "ls -al".

I suppose why I have a non-standard prev_size is worth explanation, even
though this is clearly a bug irrelevant of allocator modifications:

I am in the process of developing a patch for the allocator that fixes a
particularly nasty set of double free related issues that can occur from
fastbins and can be leveraged to bypass all memory corruption related
mitigations (ASLR/NX/ ...vtable verification); the short of it is that you can
get the same block of memory stored in the fastbin free list twice, which in
turn can cause it to be reallocated twice, which in some conditions can result
in conditions wherein a double free behaves more like a logic error and you can
manipulate two different objects/classes that occupy the same block of memory.

prev_size seemed like a good choice given the fastbin blocks are singly linked
and otherwise mostly unused.

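The double-free pattern and the prev_size marker idea described in the comment, as an added example that is not part of the bug report or of glibc's own allocator: a toy fastbin-style singly linked free list in C. Every name in it (`struct chunk`, `struct fastbin`, `fastbin_free_headcheck`, `fastbin_free_tagcheck`, the `tag` field standing in for prev_size, and the marker value) is constructed for this illustration. The head-only check mirrors the shape of glibc's fasttop test, which compares the chunk being freed only against the current top of the list; the tag check marks the chunk itself, so a second free is caught even after another chunk has been freed in between.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy fastbin-style free list, constructed for illustration only; it is
   not glibc's malloc. The `tag` word stands in for the prev_size field of
   a fastbin chunk, which the comment above proposes to use as an
   "already on the free list" marker. */

#define TAG_ALLOCATED   0u
#define TAG_IN_FASTBIN  0xF4EEu   /* arbitrary non-zero marker (constructed) */

struct chunk {
    uintptr_t tag;           /* plays the role of prev_size */
    struct chunk *fd;        /* singly linked free-list pointer */
    char data[32];
};

struct fastbin {
    struct chunk *top;
};

typedef int (*free_fn)(struct fastbin *, struct chunk *);

/* Head-only check, modelled on glibc's "double free or corruption (fasttop)"
   test: a free is rejected only if the chunk is already at the top. */
static int fastbin_free_headcheck(struct fastbin *bin, struct chunk *p)
{
    if (bin->top == p)
        return -1;           /* detected: chunk is the current top */
    p->fd = bin->top;
    bin->top = p;
    return 0;
}

/* Tag check: the chunk header records that it is on the free list, so a
   second free is caught no matter where the chunk sits in the list. */
static int fastbin_free_tagcheck(struct fastbin *bin, struct chunk *p)
{
    if (p->tag == TAG_IN_FASTBIN)
        return -1;           /* detected: chunk already marked free */
    p->tag = TAG_IN_FASTBIN;
    p->fd = bin->top;
    bin->top = p;
    return 0;
}

/* Pop the top chunk and clear its tag so a later free is accepted again. */
static struct chunk *fastbin_alloc(struct fastbin *bin)
{
    struct chunk *p = bin->top;
    if (p == NULL)
        return NULL;
    bin->top = p->fd;
    p->tag = TAG_ALLOCATED;
    p->fd = NULL;
    return p;
}

/* Free chunk a twice through `fn`; when `interleave` is set, free a second
   chunk b in between so a is no longer at the top of the list. Returns 1 if
   the second free of a was rejected, 0 if it was accepted. */
static int double_free_detected(free_fn fn, int interleave)
{
    struct chunk a, b;
    struct fastbin bin = { NULL };

    memset(&a, 0, sizeof a);
    memset(&b, 0, sizeof b);

    fn(&bin, &a);
    if (interleave)
        fn(&bin, &b);
    return fn(&bin, &a) != 0;
}

/* Sanity check: a chunk freed, allocated and freed again must be accepted by
   the tag check, because allocation clears the tag. Returns 1 on success. */
static int free_alloc_free_accepted(void)
{
    struct chunk a;
    struct fastbin bin = { NULL };

    memset(&a, 0, sizeof a);
    fastbin_free_tagcheck(&bin, &a);
    if (fastbin_alloc(&bin) != &a)
        return 0;
    return fastbin_free_tagcheck(&bin, &a) == 0;
}

int main(void)
{
    printf("head check, immediate double free:   %s\n",
           double_free_detected(fastbin_free_headcheck, 0) ? "detected" : "missed");
    printf("head check, interleaved double free: %s\n",
           double_free_detected(fastbin_free_headcheck, 1) ? "detected" : "missed");
    printf("tag check,  interleaved double free: %s\n",
           double_free_detected(fastbin_free_tagcheck, 1) ? "detected" : "missed");
    printf("tag check,  free/alloc/free:         %s\n",
           free_alloc_free_accepted() ? "accepted" : "rejected");
    return 0;
}
```

The per-chunk tag costs one header word that fastbin chunks would otherwise leave idle, which is the trade-off the comment points at when it calls prev_size "otherwise mostly unused" for singly linked fastbin blocks; the price is that the tag must be cleared reliably on every allocation path, as `fastbin_alloc` does here.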

