as buffer overflow vulnerability.
Q: Why doesn't it crash?
A: Dereferencing a wild pointer is like opening a box of chocolates: you never know what you're gonna get!
Q: Be more specific!
A: When compiled in debug mode, the allocator tries to allocate the memory block at the end of a page and marks the next page as non-writable. For example, if you allocate 16 bytes, the allocator may place it at 4095 - 16 = 4079. When you write the 16th byte (4096), which resides in the next non-writable page, the hardware notifies the OS that your program is malfunctioning.
Q: Why is my bug (malloc(5) and accessing [13]) not detected?
A: Unaligned memory access slows down the program; on some platforms, the program will even crash! Memory allocators tend to align the returned address to prevent such a tragedy. On x86_64, my allocator (ptmalloc2 by glibc) aligns the address to a multiple of 16 bytes. So if you allocate 5 bytes, instead of returning 4095 - 5, the allocator returns 4095 - 16. Now you have to access 16 bytes past the returned address to trigger the protection.
Q: How can I detect the bug?
A: Use awesome tools, like ASan in Clang and Valgrind.
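The guard-page scheme the answer describes, written out as an added example (this is not glibc's code and not from the original post): a toy allocator that places each block at the end of a page, rounds the request up to 16 bytes as the answer observes for ptmalloc2, and maps the following page PROT_NONE. The slack introduced by rounding is exactly the region where an out-of-bounds write such as p[13] on a 5-byte block goes unnoticed, while p[16] would be the first byte to trap. It assumes a POSIX system with mmap/mprotect.

```c
#define _DEFAULT_SOURCE          /* for MAP_ANONYMOUS on glibc */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#define ALIGN 16u   /* same alignment the answer observes for ptmalloc2 */

/* Round a request up to the alignment: 5 -> 16, 16 -> 16, 17 -> 32. */
static size_t guard_round(size_t n) {
    return (n + ALIGN - 1) & ~(size_t)(ALIGN - 1);
}

/* Writable bytes past the request before the guard page: malloc(5) gets
 * 11 bytes of slack, which is exactly why writing p[13] goes unnoticed. */
static size_t guard_slack(size_t n) {
    return guard_round(n) - n;
}

/* Map two pages; the second is made inaccessible and the block is placed
 * so that its last byte is adjacent to that guard page. */
static void *guard_alloc(size_t n) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t rounded = guard_round(n);
    if (n == 0 || rounded > page) return NULL;   /* single-page blocks only */
    char *base = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    if (mprotect(base + page, page, PROT_NONE) != 0) {  /* guard page */
        munmap(base, 2 * page);
        return NULL;
    }
    return base + page - rounded;   /* block ends right before the guard */
}

static void guard_free(void *p) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    munmap((void *)((uintptr_t)p & ~(uintptr_t)(page - 1)), 2 * page);
}

int main(void) {
    char *p = guard_alloc(5);
    if (p == NULL) return 1;
    memset(p, 'A', 5);
    p[13] = 'B';   /* past the 5 requested bytes, still inside the 16-byte block */
    printf("slack for a 5-byte block: %zu bytes; p[16] would be the first to trap\n", guard_slack(5));
    guard_free(p);
    return 0;
}
```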
amazing
Amazing