Date: Fri, 8 Jun 2012 14:48:55 +0200
From: Oliver Pinter <oliver.pntr@gmail.com>
To: jasone@freebsd.org, freebsd-hackers@freebsd.org
Subject: [Phrack Mag.] The false kingdom of jemalloc, or On exploiting the jemalloc memory manager
Message-ID: <CAPjTQNG-_uXtj_xtHYqVi844sixzXcufGrsnyOjavze79t6H6Q@mail.gmail.com>
An analysis of jemalloc - found in phrack magazine.

--[ Table of contents

1 - Introduction
  1.1 - Thousand-faced jemalloc
2 - jemalloc memory allocator overview
  2.1 - Basic structures
    2.1.1 - Chunks (arena_chunk_t)
    2.1.2 - Arenas (arena_t)
    2.1.3 - Runs (arena_run_t)
    2.1.4 - Regions/Allocations
    2.1.5 - Bins (arena_bin_t)
    2.1.6 - Huge allocations
    2.1.7 - Thread caches (tcache_t)
    2.1.8 - Unmask jemalloc
  2.2 - Algorithms
3 - Exploitation tactics
  3.1 - Adjacent region corruption
  3.2 - Heap manipulation
  3.3 - Metadata corruption
    3.3.1 - Run (arena_run_t)
    3.3.2 - Chunk (arena_chunk_t)
    3.3.3 - Thread caches (tcache_t)
4 - A real vulnerability
5 - Future work
6 - Conclusion
7 - References
8 - Code

[...]

"--[ 6 - Conclusion

We have done the first step in analyzing jemalloc. We do know, however, that we have not covered every possible potential of corrupting the allocator in a controllable way. We hope to have helped those that were about to study the FreeBSD userspace allocator or the internals of Firefox but wanted to have a first insight before doing so. Any reader that discovers mistakes in our article is advised to contact us as soon as possible and let us know.

Many thanks to the Phrack staff for their comments. Also, thanks to George Argyros for reviewing this work and making insightful suggestions. Finally, we would like to express our respect to Jason Evans for such a leet allocator. No, that isn't ironic; jemalloc is, in our opinion, one of the best (if not the best) allocators out there."

http://www.phrack.org/archives/68/p68_0x0a_Pseudomonarchia%20jemallocum_by_argp%20&%20huku.txt
http://www.phrack.org/archives/68/p68_0x0d_The%20Art%20of%20Exploitation:%20Exploiting%20VLC,%20a%20jemalloc%20case%20study_by_huku%20&%20argp.txt