This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/18292] Invalid pointer dereference in nsswitch.c:nss_new_service()
- From: "jf at ownco dot net" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Wed, 22 Apr 2015 06:10:27 +0000
- Subject: [Bug libc/18292] Invalid pointer dereference in nsswitch.c:nss_new_service()
- Auto-submitted: auto-generated
- References: <bug-18292-131 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=18292
--- Comment #1 from Justin N. Ferguson <jf at ownco dot net> ---
repro:
Set the prev_size member of a chunk to a non-zero value that doesn't properly
dereference. Execute "ls -al".
I suppose why I have a non-standard prev_size is worth explanation, even
though this is clearly a bug irrespective of allocator modifications:
I am in the process of developing a patch for the allocator that fixes a
particularly nasty set of double free related issues that can occur from
fastbins and can be leveraged to bypass all memory corruption related
mitigations (ASLR/NX/... vtable verification); the short of it is that you can
get the same block of memory stored in the fastbin free list twice, which in
turn can cause it to be reallocated twice, which in some conditions can result
in conditions wherein a double free behaves more like a logic error and you can
manipulate two different objects/classes that occupy the same block of memory.
prev_size seemed like a good choice given the fastbin blocks are singly linked
and otherwise mostly unused.