From owner-freebsd-current Mon Mar 11 14:19:30 2002
Delivered-To: freebsd-current@freebsd.org
Date: Mon, 11 Mar 2002 23:18:55 +0100
Message-ID: <59934.1015885135@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: phk@critter.freebsd.dk
Subject: the zlib double free bug: Believed harmless with phkmalloc
To: undisclosed-recipients:;

I just sent this to security-officer.

Please notice that if you have ports or applications linked with other
allocators than the libc malloc from FreeBSD this statement does not
apply.

Poul-Henning

------- Forwarded Message

To: security-officer@freebsd.org
Subject: the zlib double free bug
From: Poul-Henning Kamp
Date: Mon, 11 Mar 2002 23:13:57 +0100
Message-ID: <58959.1015884837@critter.freebsd.dk>
Sender: phk@critter.freebsd.dk

As author of our malloc(3) it is my opinion that we are not vulnerable
to this (kind of) bug.

Most mallocs keep their housekeeping data right next to the allocated
range. This gives rise to all sorts of unpleasant situations if
programs stray outside the dotted line, free(3) things twice or free(3)
modified pointers.
phkmalloc(3) does not store housekeeping next to allocated data, and in
particular it has code that detects and complains about exactly the
kind of double free this advisory talks about:

    critter phk> cat a.c
    main()
    {
        char *p;

        p = malloc(256);
        p = malloc(256);
        free(p);
        free(p);
    }
    critter phk> make a
    cc -O -pipe  a.c  -o a
    a.c: In function `main':
    a.c:7: warning: assignment makes pointer from integer without a cast
    a.c:8: warning: assignment makes pointer from integer without a cast
    critter phk> ./a
    a in free(): error: chunk is already free
    Abort (core dumped)
    critter phk>

The malloc flag 'A' determines if the situation is just warned about or
if the program should call abort(3).

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

------- End of Forwarded Message
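As an added illustration, not code from the mail and not phkmalloc's actual implementation: a toy fixed-size pool allocator whose in-use table is kept apart from the chunk memory, so a second free of the same pointer is detected and refused instead of corrupting allocator state. The chunk size, pool size and the toy_* names are my own choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy pool allocator (illustration only, not phkmalloc's code): each
 * chunk's "in use" flag lives in a separate table, never inside the memory
 * handed to the caller, so a double free cannot overwrite allocator
 * metadata; the second free is simply rejected, as phkmalloc's check does. */
#define CHUNK_SIZE 256
#define NCHUNKS    64
static unsigned char arena[NCHUNKS * CHUNK_SIZE]; /* caller data only  */
static uint8_t       in_use[NCHUNKS];             /* out-of-band state */

/* Hand out the first free chunk, or NULL when the pool is exhausted. */
void *toy_malloc(void)
{
    for (size_t i = 0; i < NCHUNKS; i++)
        if (!in_use[i]) {
            in_use[i] = 1;
            return arena + i * CHUNK_SIZE;
        }
    return NULL;
}

/* Returns 0 on success, -1 for a double free, -2 for a pointer that is
 * not the start of a chunk in this arena (a "modified pointer"). */
int toy_free(void *p)
{
    unsigned char *cp = p;
    if (cp == NULL || cp < arena || cp >= arena + sizeof arena ||
        (size_t)(cp - arena) % CHUNK_SIZE != 0)
        return -2;
    size_t i = (size_t)(cp - arena) / CHUNK_SIZE;
    if (!in_use[i]) {
        fprintf(stderr, "toy_free(): error: chunk is already free\n");
        return -1;
    }
    in_use[i] = 0;
    return 0;
}

/* The session from the mail replayed against the toy allocator: first
 * allocation leaked, second freed twice. Returns 1 if the double free
 * was caught (first free accepted, second refused). */
int toy_demo(void)
{
    char *p = toy_malloc();           /* leaked, as in a.c */
    p = toy_malloc();
    return toy_free(p) == 0 && toy_free(p) == -1;
}
```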