[Gc] security issue with libgc ?

Christophe Meessen meessen at cppm.in2p3.fr
Sat Mar 17 09:25:46 PST 2007


MenTaLguY a écrit :
> On Fri, 16 Mar 2007 16:30:28 +0100, Christophe Meessen <meessen at cppm.in2p3.fr> wrote:
>> Could it be possible to provide data that tricks libgc into considering
>> some of it as pointers and interfering with its normal activity  like
>> jeopardizing memory management, crashing the program or worse causing it
>> to execute injected code ?
> 
> Assuming your program is otherwise correct, the worst that can happen is that memory is prevented from being freed because values received from the network happen to look like live references.
> 
> To mitigate that, I would suggest allocating any buffers you use for receiving data from the network using gc_malloc_atomic, so the gc knows to ignore any apparent pointers inside them.  It's a good idea anyway, even discounting malicious clients.
> 
> -mental

I am new to libgc so I don't know the algorithm used to recognize
pointers. I suppose libgc is looking if they are addresses in the heap
space and I guess/hope that it checks that at this address is a valid
block. The security depends on the algorithm of pointer recognition.

The proposal might be ok if the received data was hold in a raw block
allocaded with malloc.

My application is a C++ application where the transmitted may be
serialized objects and objet agregagtions (with pointers between them).
>From my understanding, this is a use case where a GC is required. People
who say a GC is not needed in C++ are wrong. There are use cases where
it is required.

So the thing is that the intantiated object (memory block) may have
valid pointers next to fixed size char arrays as member variable and
thus contain raw bytes received from the network.

The way libgc identifies valid pointers from fake or forged one stored
in the char array is thus a critical point.

Applications that can ensure that no foreign crafted byte sequence
interfers with the GC are safe. In may case, it's unclear.

How does the valid pointer recognition work ? Can the GC be wrong on
this recognition ? What would be the possible consequences ? Only memory
leak ?




More information about the Gc mailing list