> Now, if the attacker has an off-by-one corruption with a small value (NUL or \x01 - \x07) that hits the lowest significant byte of a length (malloc_chunk->size), the attacker can only use that to cause the length to effectively shrink. This is because all heap chunks are at least 8 bytes under the covers. Shrinking a chunk's length means it will never match the prev_size stored at the end of that chunk. Even if the attacker deploys their one byte overflow multiple times, this new check should always catch them.
Is the LSB of the heap chunk size always >= 8?
What about a malloc_chunk->size that is a multiple of 256? (Or anything else with an LSB less than 7.) With a one-byte overflow of one of those, the attacker could make the allocator think the size is up to 7 bytes larger than the real chunk.
/* Get size, ignoring use bits */
#define chunksize(p) ((p)->size & ~(SIZE_BITS))
So you really can't increase the size by less than 8. However, I know what you're now thinking: an attacker with a 1-byte overflow can mess with the flags! That would be a topic for another blog post, but I'm not aware of any techniques where messing with the flags would permit a clean ASLR bypass.
The last 3 bits of this field contain flag information.
PREV_INUSE (P) – This bit is set when the previous chunk is allocated.
IS_MMAPPED (M) – This bit is set when the chunk is mmap'd.
NON_MAIN_ARENA (N) – This bit is set when the chunk belongs to a thread arena.
It certainly doesn't look like those could be used against ASLR.
No doubt. However, if the single byte off the end is reliably accessible, then programs may come to rely on it by accident. If a program is allocating n but using n+1, then a single-byte overflow would access n+2 and the problem repeats. Better to have that single byte off the end be reliably crashy to touch, but not exploitable.
You'd also incur substantial space overhead for small allocations in many cases. I'm not familiar with Linux's implementation, but on the Mac, for example, all allocations are a multiple of 16 bytes. It's common to allocate 16 or 32 bytes for small objects, so padding the allocation by one byte will bump you up to 32 and 48 bytes respectively.
One of the funniest things I've seen in code was in PHP core a decade ago: they had a buffer underflow where they would overwrite arr[-1] with some character. Their solution was to save the contents of arr[-1] before the loop, then restore it afterwards.
You could do that at the compiler level, and only for types that end in a flexible array member, or only when malloc's argument looks like "sizeof (T) + x". That would generally avoid the space overhead, and in the flexible array member case you could e.g. add a whole int (4 bytes) for an int-typed flexible array member. But I am not sure it's a good idea, for the other reason you mentioned.
This is true. But in the case where the malloc heap metadata is under attack, the attacker will usually just allocate exactly the right size to ensure that the off-by-one goes off the end of the chunk, instead of into slack space.
But Rust also must have an allocator under the hood that is unsafe, and Rust apps can call C libraries or the C kernel, so why do I see the Rust strike team complaining when something they use indirectly is improved?
There is a big difference between using a programming language where unsafe code is explicit and easy to track down, versus one where each line of code is a possible security exploit.
Also Rust isn't the only option to write more secure code, it was already possible before C was even created using Algol and PL/I variants.
Quote from Tony Hoare's ACM award article in 1981, regarding Algol use in the industry, a programming language almost 10 years older than C.
"A consequence of this principle is that every occurrence of every subscript of every subscripted variable was on every occasion checked at run time against both the upper and the lower declared bounds of the array. Many years later we asked our customers whether they wished us to provide an option to switch off these checks in the interests of efficiency on production runs. Unanimously, they urged us not to--they already knew how frequently subscript errors occur on production runs where failure to detect them could be disastrous. I note with fear and horror that even in 1980 language designers and users have not learned this lesson. In any respectable branch of engineering, failure to observe such elementary precautions would have long been against the law."
Yes, there are many languages that are safer, and even C++ collections can be used safely, but you don't see Java/C# devs popping up in a C/C++-related thread to mention their favorite language yet again.
Btw, there are also languages that are safer than Rust, and you don't see those people asking others not to use Rust; again, it's the better tool for the job (where in most cases the project is a huge one and already done).
Which means you missed all that BBS and USENET bashing fun.
No, bashing C has been a common practice among those of us on the memory-safe side of the fence since the early days.
Take the paper "A History of CLU"[0] describing how CLU was designed and implemented in 1975.
"I believe this is a better approach than providing a generally unsafe language like C, or a language with unsafe features, like Mesa [Mitchell, 1978], since it discourages programmers from using the unsafe features casually."
There are tons of other examples, all available in old papers, BBS and USENET archives.
Thanks, I will read it. So are you of the opinion that there is no job for which C is the best tool? Btw, I am not a C developer and I would never use C except if I were asked to work on a project that already uses C. I would use C++ with Qt for a GUI, though.
Exactly, C only became widely adopted by the industry thanks to AT&T only being allowed to charge a symbolic price for UNIX and making the source code available to universities.
Which 80's startups like Sun and SGI used as basis for their workstation OSes.
Bjarne created C++, because after having to use BCPL instead of Simula to finish his PhD, he never wanted to work like that ever again.
So C with Classes started as a tool for Bjarne to target C, while staying productive and able to write safer code.
Rust actually uses a different allocator, jemalloc, which doesn't store metadata inline like ptmalloc does. So while an overflow could overwrite other heap-stored data, it wouldn't overwrite heap metadata or result in a vulnerability from the allocator code.
Granted, if you link in or call code that uses ptmalloc (glibc's malloc) from Rust, it is still an issue, but unsafe code in Rust itself won't be vulnerable to this sort of attack.
No. Technically that's why "safe" languages were invented.
Rust is one of the worst examples of those, as you can hardly call Rust safe. Only Rust fanboys do so.
Pascal, Ada, ATS, Java, Go, D, Pony and all of the Lisp and functional languages are safe.
Do you see the problem now? You have a whole chapter about unsafe, with 4 major cases. Stdlib is full of unsafe.
And you don't even talk about unsafe threaded code, one of the biggest safety problems nowadays. Memory safety has been solved for decades with GC; concurrency safety, too, for a few years now.