[Gc] heap overflow
mental at rydia.net
Wed Nov 10 11:21:33 PST 2004
On Wed, 10 Nov 2004, Hans Van den Eynden wrote:
> So it's possible to override the link pointer with a function pointer
> and in that way to run you own code??
The link pointers aren't used as function pointers, but any function
pointer in the application's address space could be overwritten in
principle to do that. The GC is not special in this regard, this is true
of C/C++ programs in general.
> Where are the page headers placed in memory. Are they laying before the
> actual heap or behind??
My understanding is that they are themselves allocated from the heap.
Hans can better elaborate on this though.
> I ask this because if it lays after the heap it also can be overriden by
> a bufferoverflow?
Of course. Same goes for on the heap or (in certain circumstances) before
> I only ask all this for my thesis. I have to study the GC and what it
> prevents (dangling pointers, memory leaks) and what the vulnerabilities are.
The vulnerabilities are essentially the same as those of any other C/C++
memory allocator. You can even explicitly free an object, leaving
The only special thing about the GC is that it will free objects without
an explicit request to do so, using a conservative algorithm to determine
which objects can be safely freed. In practice this makes explicit free
calls unnecessary to avoid leaks.
If your code does avoid freeing objects explicitly, and your application
or compiler cannot be tricked into hiding information from the collector,
then you are at least safe from double frees or dereferencing dangling
Even then, the collector merely facilitates some safer practices in
application code; it neither adds nor removes safety by itself.
What it comes down to is this: if you program in C or C++, you are always
at the mercy of your own code and that of the runtime and compiler. You
are only as secure as the least secure of those; no library can save you.
More information about the Gc