From owner-freebsd-hackers@FreeBSD.ORG Fri Jun 8 12:48:56 2012
From: Oliver Pinter
To: jasone@freebsd.org, freebsd-hackers@freebsd.org
Date: Fri, 8 Jun 2012 14:48:55 +0200
Subject: [Phrack Mag.] The false kingdom of jemalloc, or On exploiting the jemalloc memory manager
List-Id: Technical Discussions relating to FreeBSD

An analysis of jemalloc - found in Phrack magazine.
--[ Table of contents

1 - Introduction
  1.1 - Thousand-faced jemalloc

2 - jemalloc memory allocator overview
  2.1 - Basic structures
    2.1.1 - Chunks (arena_chunk_t)
    2.1.2 - Arenas (arena_t)
    2.1.3 - Runs (arena_run_t)
    2.1.4 - Regions/Allocations
    2.1.5 - Bins (arena_bin_t)
    2.1.6 - Huge allocations
    2.1.7 - Thread caches (tcache_t)
    2.1.8 - Unmask jemalloc
  2.2 - Algorithms

3 - Exploitation tactics
  3.1 - Adjacent region corruption
  3.2 - Heap manipulation
  3.3 - Metadata corruption
    3.3.1 - Run (arena_run_t)
    3.3.2 - Chunk (arena_chunk_t)
    3.3.3 - Thread caches (tcache_t)

4 - A real vulnerability

5 - Future work

6 - Conclusion

7 - References

8 - Code

[...]

"--[ 6 - Conclusion

We have done the first step in analyzing jemalloc. We do know, however, that we have not covered every possible potential of corrupting the allocator in a controllable way. We hope to have helped those that were about to study the FreeBSD userspace allocator or the internals of Firefox but wanted to have a first insight before doing so. Any reader that discovers mistakes in our article is advised to contact us as soon as possible and let us know.

Many thanks to the Phrack staff for their comments. Also, thanks to George Argyros for reviewing this work and making insightful suggestions. Finally, we would like to express our respect to Jason Evans for such a leet allocator. No, that isn't ironic; jemalloc is, in our opinion, one of the best (if not the best) allocators out there."

http://www.phrack.org/archives/68/p68_0x0a_Pseudomonarchia%20jemallocum_by_argp%20&%20huku.txt
http://www.phrack.org/archives/68/p68_0x0d_The%20Art%20of%20Exploitation:%20Exploiting%20VLC,%20a%20jemalloc%20case%20study_by_huku%20&%20argp.txt