Date:      Fri, 8 Jun 2012 14:48:55 +0200
From:      Oliver Pinter <oliver.pntr@gmail.com>
To:        jasone@freebsd.org, freebsd-hackers@freebsd.org
Subject:   [Phrack Mag.] The false kingdom of jemalloc, or On exploiting the jemalloc memory manager
Message-ID:  <CAPjTQNG-_uXtj_xtHYqVi844sixzXcufGrsnyOjavze79t6H6Q@mail.gmail.com>

An analysis of jemalloc, found in Phrack magazine.

--[ Table of contents

1 - Introduction
  1.1 - Thousand-faced jemalloc
2 - jemalloc memory allocator overview
  2.1 - Basic structures
    2.1.1 - Chunks (arena_chunk_t)
    2.1.2 - Arenas (arena_t)
    2.1.3 - Runs (arena_run_t)
    2.1.4 - Regions/Allocations
    2.1.5 - Bins (arena_bin_t)
    2.1.6 - Huge allocations
    2.1.7 - Thread caches (tcache_t)
    2.1.8 - Unmask jemalloc
  2.2 - Algorithms
3 - Exploitation tactics
  3.1 - Adjacent region corruption
  3.2 - Heap manipulation
  3.3 - Metadata corruption
    3.3.1 - Run (arena_run_t)
    3.3.2 - Chunk (arena_chunk_t)
    3.3.3 - Thread caches (tcache_t)
4 - A real vulnerability
5 - Future work
6 - Conclusion
7 - References
8 - Code

[...]

"--[ 6 - Conclusion

We have done the first step in analyzing jemalloc. We do know, however,
that we have not covered every possible potential of corrupting the
allocator in a controllable way. We hope to have helped those that were
about to study the FreeBSD userspace allocator or the internals of Firefox
but wanted to have a first insight before doing so. Any reader that
discovers mistakes in our article is advised to contact us as soon as
possible and let us know.

Many thanks to the Phrack staff for their comments. Also, thanks to George
Argyros for reviewing this work and making insightful suggestions.

Finally, we would like to express our respect to Jason Evans for such a
leet allocator. No, that isn't ironic; jemalloc is, in our opinion, one of
the best (if not the best) allocators out there.
"

http://www.phrack.org/archives/68/p68_0x0a_Pseudomonarchia%20jemallocum_by_argp%20&%20huku.txt

http://www.phrack.org/archives/68/p68_0x0d_The%20Art%20of%20Exploitation:%20Exploiting%20VLC,%20a%20jemalloc%20case%20study_by_huku%20&%20argp.txt
