[Gc] heap overflow
Hans Van den Eynden
hans.vandeneynden at pandora.be
Tue Nov 9 23:30:42 PST 2004
So it's possible to override the link pointer with a function pointer
and in that way to run your own code?
Where are the page headers placed in memory? Are they lying before the
actual heap or behind?
I ask this because if it lies after the heap it also can be overridden by
I only ask all this for my thesis. I have to study the GC and what it
prevents (dangling pointers, memory leaks) and what the vulnerabilities are.
Boehm, Hans wrote:
>There is no explicit structure declaration for an object. At that
>point memory is viewed as a sequence of words. The link field
>resides in the first word of an object. There are no other predefined
>fields in an object allocated by GC_MALLOC. And the link field is
>reused once the object is allocated.
>Yes, the link field can be overwritten
>by a buffer overflow, if you are programming in C or C++.
>So can anything else. That's a hazard of using those
>languages. Defining GC_DEBUG and
>allocating with GC_MALLOC makes this less likely for accidental
>overflows, but certainly doesn't prevent it. It's the client's
>responsibility to prevent it.
>>From: gc-bounces at napali.hpl.hp.com
>>[mailto:gc-bounces at napali.hpl.hp.com]On Behalf Of Hans Van den Eynden
>>Sent: Tuesday, November 09, 2004 6:40 AM
>>To: garbage collector
>>Subject: [Gc] heap overflow
>>The description of the Sweep phase says:
>>"Nonempty small object pages are swept when an allocation attempt
>>encounters an empty free list for that object size and kind.
>>the correct size and kind are repeatedly swept until at least
>>block is found. Sweeping such a page involves scanning the mark bit
>>array in the page header, and building a free list linked through the
>>first words in the objects themselves. This does involve touching the
>>appropriate data page, but in most cases it will be touched only just
>>before it is used for allocation. Hence any paging is essentially
>>But if there is a linked list through the first words in the object,
>>these pointers could be overridden by a buffer overflow?
>>Where can I find the struct of the object itself? How is the object
>>itself internally constructed (the inner structure)?
>>Gc mailing list
>>Gc at linux.hpl.hp.com
More information about the Gc
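The free-list layout Boehm describes above, as an added illustration that is not the collector's own code: a toy page whose sweep threads free objects through their first words, an allocation that pops the head, and a consistency check (constructed for this thread, not something the GC provides) that detects when an over-long write from a neighbouring object has clobbered a link. The names page_t, sweep, alloc_obj, check_free_list and demo, and the 4096-byte page with 32-byte objects, are assumptions.

```c
#include <stdint.h>
#include <string.h>
#define PAGE_SIZE 4096
#define OBJ_SIZE 32
#define NOBJ (PAGE_SIZE / OBJ_SIZE)
/* Toy model of one small-object page; not the Boehm GC's own structures. */
typedef struct {
    unsigned char data[PAGE_SIZE];  /* data page; first member, so pointer-aligned */
    unsigned char mark_bits[NOBJ];  /* page header: 1 = marked live, 0 = free */
    void *free_list;                /* head of the free list built by sweep() */
} page_t;
/* Sweep: thread every unmarked object onto the free list through its first word. */
static void sweep(page_t *p) {
    void *head = NULL;
    for (int i = NOBJ - 1; i >= 0; i--) {
        if (p->mark_bits[i]) continue;
        void **obj = (void **)(p->data + i * OBJ_SIZE);
        *obj = head;                /* the link field is the object's first word */
        head = obj;
    }
    p->free_list = head;
}
/* Pop the free-list head; its first word now belongs to the client. */
static void *alloc_obj(page_t *p) {
    void **obj = p->free_list;
    if (obj) p->free_list = *obj;
    return obj;
}
/* Check a debug build could run before trusting the list: every link must point inside
 * this page at an object boundary and the list must terminate. Returns the free count, or -1. */
static long check_free_list(const page_t *p) {
    uintptr_t lo = (uintptr_t)p->data, hi = lo + PAGE_SIZE; long n = 0;
    for (const void *cur = p->free_list; cur; cur = *(void *const *)cur) {
        uintptr_t c = (uintptr_t)cur;
        if (c < lo || c >= hi || (c - lo) % OBJ_SIZE || ++n > NOBJ) return -1;
    }
    return n;
}
/* Scenario: object 0 is live, the rest free. Object 1 is allocated and write_len bytes
 * are written from it; OBJ_SIZE stays in bounds, more lands on object 2's link. */
static long demo(size_t write_len) {
    static page_t page;
    memset(&page, 0, sizeof page);
    page.mark_bits[0] = 1;
    sweep(&page);
    unsigned char *obj = alloc_obj(&page);  /* object 1 at data + OBJ_SIZE */
    memset(obj, 'A', write_len);            /* constructed overrun when > OBJ_SIZE */
    return check_free_list(&page);
}
```

demo(OBJ_SIZE) leaves the list intact (126 free objects); demo(OBJ_SIZE + sizeof(void *)) overwrites the next link and the check returns -1.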