Malloc and security

06-18-2012, 08:11 PM

Hiya

Just a quick question, which malloc, is there anyway that this function
(used in C) could allocate memory into already allocated memory, such as
the stack - or code space!

Jamie

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4FDF8B8E.2020306@jatos.co.uk">http://lists.debian.org/4FDF8B8E.2020306@jatos.co.uk

06-18-2012, 08:25 PM

Hiya

Just a quick question, which malloc, is there anyway that this function
(used in C) could allocate memory into already allocated memory, such as
the stack - or code space!

Jamie

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4FDF8ECF.4030404@jatos.co.uk">http://lists.debian.org/4FDF8ECF.4030404@jatos.co.uk

06-18-2012, 08:31 PM

On Mon, Jun 18, 2012 at 09:25:51PM +0100, Jamie White wrote:
> Just a quick question, which malloc, is there anyway that this
> function (used in C) could allocate memory into already allocated
> memory, such as the stack - or code space!

The debian-devel mailing list is meant for development _of_ Debian,
not _with_ Debian. In other words, we use this list for discussing
how to make Debian itself better. Your question seems to be better
suited for the other category. For that, I do not know of suitable
mailing lists, but the Usenet newsgroup comp.lang.c would do; also
the website http://stackoverflow.com/ may be helpful.

(The short answer is: It's not a problem in malloc, it's a problem
in your code, and you probably have a pointer problem or your code
uses memory that has already been freed.)

Happy hacking.

--
All my predictions will turn out to be false

06-18-2012, 08:38 PM

On Mon, Jun 18, 2012 at 09:25:51PM +0100, Jamie White wrote:
> Hiya
>
> Just a quick question, which malloc, is there anyway that this
> function (used in C) could allocate memory into already allocated
> memory, such as the stack - or code space!

Assuming that the program uses memory correctly, no. But if the
program has a bug that causes it to write to unallocated memory, it
could corrupt the memory allocator's state so that malloc later
returns memory that has already been allocated.

This isn't really on-topic for debian-devel, as it's a general C
language/library question. Perhaps you should send further
questions to the comp.lang.c newsgroup, unless they're specific
to development of the Debian distribution.

Ben.

--
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
- Albert Camus

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20120618203815.GM2753@decadent.org.uk">http://lists.debian.org/20120618203815.GM2753@decadent.org.uk

Mon Jun 18 23:30:01 2012
Return-Path: <anaconda-devel-list-bounces@redhat.com>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
eagle542.startdedicated.com
X-Spam-Level:
X-Spam-Status: No, score=-5.0 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_HI,
T_RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Original-To: tom@linux-archive.org
Delivered-To: tom-linux-archive.org@eagle542.startdedicated.com
Received: from mx4-phx2.redhat.com (mx4-phx2.redhat.com [209.132.183.25])
by eagle542.startdedicated.com (Postfix) with ESMTP id D5EF220E0244
for <tom@linux-archive.org>; Mon, 18 Jun 2012 22:39:06 +0200 (CEST)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
by mx4-phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q5IKaLOS012509;
Mon, 18 Jun 2012 16:36:21 -0400
Received: from int-mx10.intmail.prod.int.phx2.redhat.com
(int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23])
by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
id q5IKaKVo022720
for <anaconda-devel-list@listman.util.phx.redhat.com>;
Mon, 18 Jun 2012 16:36:20 -0400
Received: from mx1.redhat.com (ext-mx13.extmail.prod.ext.phx2.redhat.com
[10.5.110.18])
by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
id q5IKaFt4031955
for <anaconda-devel-list@redhat.com>; Mon, 18 Jun 2012 16:36:15 -0400
Received: from g6t0184.atlanta.hp.com (g6t0184.atlanta.hp.com [15.193.32.61])
by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q5IKaDFc016686
for <anaconda-devel-list@redhat.com>; Mon, 18 Jun 2012 16:36:13 -0400
Received: from G4W3011G.americas.hpqcorp.net (g4w3011g.houston.hp.com
[16.234.25.125]) (using TLSv1 with cipher AES128-SHA (128/128 bits))
(No client certificate requested)
by g6t0184.atlanta.hp.com (Postfix) with ESMTPS id 30F71C013
for <anaconda-devel-list@redhat.com>;
Mon, 18 Jun 2012 20:36:13 +0000 (UTC)
Received: from G4W3200G.americas.hpqcorp.net (16.234.105.236) by
G4W3011G.americas.hpqcorp.net (16.234.25.125) with Microsoft SMTP
Server (TLS) id 14.2.283.4; Mon, 18 Jun 2012 20:35:15 +0000
Received: from G4W3203.americas.hpqcorp.net ([169.254.13.77]) by
G4W3200G.americas.hpqcorp.net ([16.234.105.236]) with mapi id
14.02.0283.003; Mon, 18 Jun 2012 20:35:14 +0000
From: "Parthasarathy, Balaji (BCS, Cupertino, USA)"
<balaji.parthasarathy@hp.com>
To: "anaconda-devel-list@redhat.com" <anaconda-devel-list@redhat.com>
Subject: How to get a shell when kickstart install fails/hangs
Thread-Topic: How to get a shell when kickstart install fails/hangs
Thread-Index: Ac1Nkdc3CGhD96kZR7eW4/wRhL8KnA==
Date: Mon, 18 Jun 2012 20:34:46 +0000
Message-ID: <774A286A68497042B74D49490106082E35B72552@G4W3203. americas.hpqcorp.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [15.193.49.14]
MIME-Version: 1.0
X-RedHat-Spam-Score: -105.009 (HTML_MESSAGE, RCVD_IN_DNSWL_HI,
T_RP_MATCHES_RCVD, USER_IN_WHITELIST)
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
X-Scanned-By: MIMEDefang 2.68 on 10.5.110.18
X-loop: anaconda-devel-list@redhat.com
X-BeenThere: anaconda-devel-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
Reply-To: Discussion of Development and Customization of the Red Hat Linux
Installer <anaconda-devel-list@redhat.com>
List-Id: Discussion of Development and Customization of the Red Hat Linux
Installer <anaconda-devel-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/anaconda-devel-list>,
<mailto:anaconda-devel-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/anaconda-devel-list>
List-Post: <mailto:anaconda-devel-list@redhat.com>
List-Help: <mailto:anaconda-devel-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/anaconda-devel-list>,
<mailto:anaconda-devel-list-request@redhat.com?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============5735257252912195003=="
Sender: anaconda-devel-list-bounces@redhat.com
Errors-To: anaconda-devel-list-bounces@redhat.com

--===============5735257252912195003==
Content-Language: en-US
Content-Type: multipart/alternative;
boundary="_000_774A286A68497042B74D49490106082E35B 72552G4W3203americas_"

--_000_774A286A68497042B74D49490106082E35B72552G4W32 03americas_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I have been experimenting with some kickstart files to automate installs (i=
t also includes Cobbler snippets). But I get failures about errors in kicks=
tart files when Anaconda launches. I want to get a shell to troubleshoot th=
e problem. How do I do that? Right now I have a screen that says:

The system will be rebooted when you press Ctrl+C or Ctrl+Alt+Del.

The message also says that the Anaconda version is 13.21.149. I'm trying to=
install RHEL 6.2 Server.

Thanks
Balaji

--_000_774A286A68497042B74D49490106082E35B72552G4W32 03americas_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns

=3D"urn:schemas-micr=
osoft-com

ffice

ffice" xmlns:w=3D"urn:schemas-microsoft-com

ffice:word" =
xmlns:x=3D"urn:schemas-microsoft-com

ffice:excel" xmlns:m=3D"http://schema=
s.microsoft.com/office/2004/12/omml" xmlns=3D"http://www.w3.org/TR/REC-html=
40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color

urple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type

ersonal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
I have been experimenting with some kickstart files =
to automate installs (it also includes Cobbler snippets). But I get failure=
s about errors in kickstart files when Anaconda launches. I want to get a s=
hell to troubleshoot the problem.
How do I do that? Right now I have a screen that says:<o

></o

>
<o

> </o

>
The system will be rebooted when you press Ctrl+=
C or Ctrl+Alt+Del.<o

></o

>
<o

> </o

>
The message also says that the Anaconda version is 1=
3.21.149. I’m trying to install RHEL 6.2 Server.<o

></o

>
<o

> </o

>
Thanks<o

></o

>
Balaji
<o

></o

>
<o

> </o

>
</div>
</body>
</html>

--_000_774A286A68497042B74D49490106082E35B72552G4W32 03americas_--

--===============5735257252912195003==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/anaconda-devel-list
--===============5735257252912195003==--

06-18-2012, 08:40 PM

On 18/06/12 21:11, Jamie White wrote:
> Hiya
>
> Just a quick question, which malloc, is there anyway that this function
> (used in C) could allocate memory into already allocated memory, such as
> the stack - or code space!
>
> Jamie
>
>

Cross posting offtopic email to two mailing lists (ubuntu-devel and
debian-devel) is not nice.

If you want quicker response times IRC would have been more appropriate.

--
Regards,
Dmitrijs.

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4FDF9254.5080505@debian.org">http://lists.debian.org/4FDF9254.5080505@debian.org

06-18-2012, 08:42 PM

On 18/06/12 21:25, Jamie White wrote:
> Hiya
>
> Just a quick question, which malloc, is there anyway that this function
> (used in C) could allocate memory into already allocated memory, such as
> the stack - or code space!
>
> Jamie
>
>
sorry, not to two mailing lists. to the same one twice in a very short
space of time. Could have been a user / mail client error.

--
Regards,
Dmitrijs.

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4FDF92AE.3080203@debian.org">http://lists.debian.org/4FDF92AE.3080203@debian.org

06-18-2012, 08:46 PM

In fact I didn't send it to both, I resent twice, a mistake as I thought the first email hadn't sent properly.

Jamir
Sent from my BlackBerry® smartphone on O2

-----Original Message-----
From: Dmitrijs Ledkovs <xnox@debian.org>
Sender: Dmitrijs Ledkovs <dmitrij.ledkov@surgut.co.uk>
Date: Mon, 18 Jun 2012 21:40:52
To: <debian-devel@lists.debian.org>
Cc: <jamie@jatos.co.uk>
Subject: Re: Malloc and security

On 18/06/12 21:11, Jamie White wrote:
> Hiya
>
> Just a quick question, which malloc, is there anyway that this function
> (used in C) could allocate memory into already allocated memory, such as
> the stack - or code space!
>
> Jamie
>
>

Cross posting offtopic email to two mailing lists (ubuntu-devel and
debian-devel) is not nice.

If you want quicker response times IRC would have been more appropriate.

--
Regards,
Dmitrijs.

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/4FDF9254.5080505@debian.org

06-18-2012, 09:15 PM

Aaah, any packages that need maintaining? Has there been swearing
before? I assume to private email addys.

Jamie

On 18/06/2012 22:12, Dmitrijs Ledkovs wrote:

I totally understand top posting from mobiles.

Well, debian has improved, there was no swearing this time around, I
don't think.

Thick skin is good, please maintain a few packages.

Regards,
Dmitrijs.

On 18/06/12 22:00, Jamie White wrote:

Oh thats flaming? Just seems like just friendly requests not todo stuff.
Certainly, had faaarrrr worse said to me! I'm thick skinned :P Btw,
please excuse top loading, BB doesn't allow base loading! Keeping same
flow now though.

Jamie

On 18/06/2012 21:52, Dmitrijs Ledkovs wrote:

anyway... You have been flamed to death by now =)))

Welcome to friendly debian development.

Smile, it gets worse (tm)

=))))))))) feel free to him me up if you need advice or a sponsor.

On 18/06/12 21:48, jamie@jatos.co.uk wrote:

Okies, I ignore the second email I sent, I'll just send this one to
you as not to clutter the list.

Yeah, like I say, an error in thinking first one hadn't gone,
apologies for that.

Jamie
------Original Message------
From: Dmitrijs Ledkovs
Sender: Dmitrijs Ledkovs
To: jamie@jatos.co.uk
Subject: Re: Malloc and security
Sent: 18 Jun 2012 21:45

sent an apology to the debian-devel.

There are two identical emails to debian-devel ~10mins apart or so.

On 18/06/12 21:44, jamie@jatos.co.uk wrote:

I am not quite sure how it ended on Ubuntu devel, I didn't send it
there...
Sent from my BlackBerry® smartphone on O2

-----Original Message-----
From: Dmitrijs Ledkovs<xnox@debian.org>
Sender: Dmitrijs Ledkovs<dmitrij.ledkov@surgut.co.uk>
Date: Mon, 18 Jun 2012 21:40:52
To:<debian-devel@lists.debian.org>
Cc:<jamie@jatos.co.uk>
Subject: Re: Malloc and security

On 18/06/12 21:11, Jamie White wrote:

Hiya

Just a quick question, which malloc, is there anyway that this
function
(used in C) could allocate memory into already allocated memory,
such as
the stack - or code space!

Jamie

Cross posting offtopic email to two mailing lists (ubuntu-devel and
debian-devel) is not nice.

If you want quicker response times IRC would have been more
appropriate.

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4FDF9A88.7080509@jatos.co.uk">http://lists.debian.org/4FDF9A88.7080509@jatos.co.uk

06-19-2012, 08:34 AM

On Mon, Jun 18, 2012 at 09:38:15PM +0100, Ben Hutchings wrote:
> On Mon, Jun 18, 2012 at 09:25:51PM +0100, Jamie White wrote:
> > Hiya
> >
> > Just a quick question, which malloc, is there anyway that this
> > function (used in C) could allocate memory into already allocated
> > memory, such as the stack - or code space!
>
> Assuming that the program uses memory correctly, no. But if the
> program has a bug that causes it to write to unallocated memory, it
> could corrupt the memory allocator's state so that malloc later
> returns memory that has already been allocated.

valgrind is a wonderful tool for debugging this kind of errors.

--
I was born an ugly, dumb and work-loving child, then an evil midwife
replaced me in the crib.

06-19-2012, 10:31 AM

Ben Hutchings <ben@decadent.org.uk> writes:

> On Mon, Jun 18, 2012 at 09:25:51PM +0100, Jamie White wrote:
>> Hiya
>>
>> Just a quick question, which malloc, is there anyway that this
>> function (used in C) could allocate memory into already allocated
>> memory, such as the stack - or code space!
>
> Assuming that the program uses memory correctly, no. But if the
> program has a bug that causes it to write to unallocated memory, it
> could corrupt the memory allocator's state so that malloc later
> returns memory that has already been allocated.

Actually I believe this is undefined in C. Malloc may verry well oveflow
the heap region and run into the stack or code going by the C standard.

But eglibc malloc uses sbrk() and mmap() to get memory from the kernel
and those functions will not return space already allocated by the stack
or code. That is probably true for every libc on every modern Unix system.

MfG
Goswin

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/87mx3zd24k.fsf@frosties.localnet