[Gc] heap overflow
hans.boehm at hp.com
Tue Nov 9 15:24:30 PST 2004
There is no explicit structure declaration for an object. At that
point memory is viewed as a sequence of words. The link field
resides in the first word of an object. There are no other predefined
fields in an object allocated by GC_MALLOC. And the link field is
reused once the object is allocated.
Yes, the link field can be overwritten
by a buffer overflow, if you are programming in C or C++.
So can anything else. That's a hazard of using those
languages. Defining GC_DEBUG and
allocating with GC_MALLOC makes this less likely for accidental
overflows, but certainly doesn't prevent it. It's the client's
responsibility to prevent it.
> -----Original Message-----
> From: gc-bounces at napali.hpl.hp.com
> [mailto:gc-bounces at napali.hpl.hp.com] On Behalf Of Hans Van den Eynden
> Sent: Tuesday, November 09, 2004 6:40 AM
> To: garbage collector
> Subject: [Gc] heap overflow
> The description of the Sweep phase says:
> "Nonempty small object pages are swept when an allocation attempt
> encounters an empty free list for that object size and kind. Pages for
> the correct size and kind are repeatedly swept until at least one empty
> block is found. Sweeping such a page involves scanning the mark bit
> array in the page header, and building a free list linked through the
> first words in the objects themselves. This does involve touching the
> appropriate data page, but in most cases it will be touched only just
> before it is used for allocation. Hence any paging is essentially
> unavoidable."
> But if there is a linked list through the first words in the objects,
> could these pointers be overridden by a buffer overflow?
> Where can I find the struct of the object itself? How is the object
> itself internally constructed (the inner structure)?
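The exchange above turns on one detail: a free list threaded through the first word of each free object, which is just ordinary data once that object is allocated, so a neighbouring overflow in C can overwrite it. The following is an added toy model written for this archive page, not the collector's code, and it does not model GC_MALLOC or GC_DEBUG; all names (arena, model_sweep, model_alloc_unchecked, model_alloc_checked, demo_overflow) are mine. It threads a free list through first words, lets an allocated object overflow by one word into its free neighbour, and shows that the next allocation would hand back an attacker-chosen address. The bounds check in model_alloc_checked is an illustrative hardening I added for contrast; the page does not say the collector performs any such check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model (not the collector's code): one "page" of NOBJ equal-sized
 * objects, each OBJ_WORDS machine words, with a free list threaded
 * through the first word of each free object. */
#define OBJ_WORDS 4
#define OBJ_BYTES (OBJ_WORDS * sizeof(uintptr_t))
#define NOBJ 8

static uintptr_t arena[NOBJ * OBJ_WORDS];
static uintptr_t *free_head;   /* head of the free list for this size class */

/* Model of a sweep that finds every object free: link them through their
 * first words, lowest address first. */
static void model_sweep(void)
{
    memset(arena, 0, sizeof arena);
    free_head = NULL;
    for (int i = NOBJ - 1; i >= 0; i--) {
        uintptr_t *obj = &arena[i * OBJ_WORDS];
        obj[0] = (uintptr_t)free_head;   /* the link field is the first word */
        free_head = obj;
    }
}

/* Unchecked allocation: pop the head and trust its first word as the next
 * link. Once handed out, the link word is just object data again. */
static void *model_alloc_unchecked(void)
{
    uintptr_t *obj = free_head;
    if (obj == NULL)
        return NULL;
    free_head = (uintptr_t *)obj[0];
    obj[0] = 0;
    return obj;
}

/* Hardening added for illustration (not described on the page): a link must
 * be NULL or an object-aligned address inside this arena. */
static int link_is_sane(uintptr_t link)
{
    uintptr_t lo = (uintptr_t)arena, hi = lo + sizeof arena;
    return link == 0 || (link >= lo && link < hi && (link - lo) % OBJ_BYTES == 0);
}

static void *model_alloc_checked(void)
{
    uintptr_t *obj = free_head;
    if (obj == NULL)
        return NULL;
    if (!link_is_sane(obj[0])) {   /* corrupted free list: fail closed */
        free_head = NULL;
        return NULL;
    }
    free_head = (uintptr_t *)obj[0];
    obj[0] = 0;
    return obj;
}

/* A machine word filled with 'A': the value the overflow below plants as a link. */
static uintptr_t attacker_word(void)
{
    uintptr_t w;
    memset(&w, 'A', sizeof w);
    return w;
}

/* Allocate object 0, then copy one word too many into it (constructed input).
 * The extra word lands on object 1's first word, i.e. its free-list link.
 * Returns the address the allocator would hand out after object 1 is
 * allocated, or 0 if the checked allocator refused. */
static uintptr_t demo_overflow(int checked)
{
    unsigned char payload[OBJ_BYTES + sizeof(uintptr_t)];
    model_sweep();
    unsigned char *a = model_alloc_unchecked();                 /* object 0 */
    memset(payload, 'A', sizeof payload);
    memcpy(a, payload, sizeof payload);                         /* the bug: OBJ_BYTES + one word */
    void *b = checked ? model_alloc_checked() : model_alloc_unchecked();   /* object 1 */
    if (b == NULL)
        return 0;
    return (uintptr_t)free_head;   /* now whatever the overflow wrote */
}

/* Baseline without an overflow: after two allocations the next free object is object 2. */
static int demo_clean(void)
{
    model_sweep();
    model_alloc_unchecked();
    model_alloc_unchecked();
    return free_head == &arena[2 * OBJ_WORDS];
}

int main(void)
{
    printf("clean free list behaves: %s\n", demo_clean() ? "yes" : "no");
    printf("next 'free object' after overflow (unchecked): %#lx\n", (unsigned long)demo_overflow(0));
    printf("checked allocator after overflow: %#lx (0 = refused)\n", (unsigned long)demo_overflow(1));
    return 0;
}
```

The unchecked path never dereferences the planted link, which is why the demo stops at reporting free_head; a real allocator would read the next link from that address on the following allocation, turning a one-word overflow into a write-what-where primitive. The checked variant only shows the shape of a mitigation; as the reply says, keeping the overflow from happening is the client's job.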