"Use after Free" memory abuse hacking
Posted: Tue Jun 24, 2014 9:29 am
Refer to article on Ars Technica
interesting
supposedly -- with memory protection properly initiated -- the x86 chip effects memory protection concurrently with access
Thus, if I were to have some pointers, e.g.
Code:
char *point_a, *point_b, *save_point;   /* all three are pointers; point_b was missing its '*' */
and I were to code to copy string b to string a -- memory protection should verify that both pointers are referencing memory that has been allocated to my address space
Code:
strcpy(point_a,point_b);
however -- as I understand it -- the protection model is a bit coarse -- generally tracking memory in 4k pages -- ( although I think you can vary this as you build the memory management tables prior to switching into protected mode..... ( if memory serves ))
too, if memory serves when I allocate the pointers,.....
Code:
#define WK_STRING_LENGTH 128
point_a = (char *) malloc(WK_STRING_LENGTH);
point_b = (char *) malloc(WK_STRING_LENGTH);
the data will be allocated from an existing page if possible....
which means.... if I
Code:
strcpy(point_b,"RATS");
strcpy(point_a,point_b);
I now have RATS in both places....
now: I save the pointer to a and release the memory allocated at point_a:
Code:
save_point=point_a;
free(point_a);
and then print the content:
Code:
puts(save_point);   /* reads through the dangling pointer: undefined behaviour */
I should get RATS
as I understand it Intel is working on implementing dope vectors to prevent this. too bad those were not added to C++
remember, in PL/1 when you are working with strings or arrays you are working through dope vectors which provide
the current and maximum size of these variables. the STRINGRANGE condition is based on this idea
interesting stuff
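The two points in the post, that page-granular MMU protection cannot tell a freed allocation from a live one inside the same 4k page, and that a PL/I-style dope vector (current length plus maximum length) would catch both the overflow and the read-after-free, can be shown in a few dozen lines of C. The block below is an added example, not the poster's code and not anything from the Ars Technica article; the `dope_string` type, the `ds_*` functions, the `DS_*` status codes and `same_page` are all names chosen here for illustration, and `PAGE_SIZE` is assumed to be 4096 as the post states. It replays the post's sequence (allocate a and b, copy "RATS" into both, free a, read a) through the descriptor instead of a raw `char *`, so the final read fails closed with `DS_DANGLING` instead of returning stale data, and it reports `DS_STRINGRANGE` for an oversize copy, the analogue of PL/I's STRINGRANGE condition.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define WK_STRING_LENGTH 128   /* same buffer size as the post */
#define PAGE_SIZE 4096         /* assumed 4 KiB pages, as the post describes */

/* A PL/I-style dope vector for a string: the buffer plus its current and
 * maximum length. Access that goes through this descriptor can be bounds-
 * and liveness-checked; a raw char* carries neither piece of information. */
typedef struct {
    char  *data;   /* NULL once released */
    size_t len;    /* current length, not counting the terminator */
    size_t max;    /* capacity in bytes, counting the terminator */
} dope_string;

enum { DS_OK = 0, DS_STRINGRANGE = 1, DS_DANGLING = 2, DS_NOMEM = 3 };

int ds_alloc(dope_string *s, size_t max) {
    s->data = (char *)malloc(max);
    if (s->data == NULL) { s->len = 0; s->max = 0; return DS_NOMEM; }
    s->data[0] = '\0';
    s->len = 0;
    s->max = max;
    return DS_OK;
}

/* Copy src into dst; raise STRINGRANGE instead of writing past the buffer,
 * and refuse to write through a descriptor that has already been freed. */
int ds_copy(dope_string *dst, const char *src) {
    if (dst->data == NULL) return DS_DANGLING;
    size_t n = strlen(src);
    if (n + 1 > dst->max) return DS_STRINGRANGE;
    memcpy(dst->data, src, n + 1);
    dst->len = n;
    return DS_OK;
}

/* Release the buffer and clear the descriptor so later use is detectable. */
void ds_free(dope_string *s) {
    free(s->data);
    s->data = NULL;
    s->len = 0;
    s->max = 0;
}

/* Reads also go through the descriptor: NULL after ds_free, never stale "RATS". */
const char *ds_cstr(const dope_string *s) {
    return s->data;
}

/* Do two addresses fall in the same 4 KiB page? The MMU checks at this
 * granularity, which is why it cannot flag the freed buffer on its own. */
int same_page(const void *a, const void *b) {
    return ((uintptr_t)a / PAGE_SIZE) == ((uintptr_t)b / PAGE_SIZE);
}

/* The post's sequence, replayed through descriptors. Returns the status of
 * the final read: DS_DANGLING, because the descriptor no longer has a buffer. */
int replay_post_scenario(void) {
    dope_string a, b;
    if (ds_alloc(&a, WK_STRING_LENGTH) != DS_OK) return DS_NOMEM;
    if (ds_alloc(&b, WK_STRING_LENGTH) != DS_OK) { ds_free(&a); return DS_NOMEM; }
    ds_copy(&b, "RATS");
    ds_copy(&a, ds_cstr(&b));      /* RATS now in both places */
    ds_free(&a);                   /* release a ... */
    int rc = (ds_cstr(&a) == NULL) ? DS_DANGLING : DS_OK;   /* ... then try to read it */
    ds_free(&b);
    return rc;
}

/* A copy larger than the buffer: the dope vector reports STRINGRANGE. */
int overflow_is_caught(void) {
    char big[WK_STRING_LENGTH + 64];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    dope_string a;
    if (ds_alloc(&a, WK_STRING_LENGTH) != DS_OK) return DS_NOMEM;
    int rc = ds_copy(&a, big);
    ds_free(&a);
    return rc;
}

int main(void) {
    char *p = (char *)malloc(WK_STRING_LENGTH);
    char *q = (char *)malloc(WK_STRING_LENGTH);
    printf("two %d-byte mallocs share one 4K page: %s\n", WK_STRING_LENGTH,
           (p && q && same_page(p, q)) ? "yes" : "no");
    free(p);
    free(q);
    printf("read after free via descriptor: %s\n",
           replay_post_scenario() == DS_DANGLING ? "refused (DS_DANGLING)" : "allowed");
    printf("oversize copy via descriptor: %s\n",
           overflow_is_caught() == DS_STRINGRANGE ? "STRINGRANGE raised" : "not caught");
    return 0;
}
```

Whether the two small mallocs land in the same page depends on the allocator, so `main` only reports it; on a typical glibc heap they do, which is the post's point that the MMU sees one live page, not two allocations. The descriptor only helps while every access goes through it: copying the `dope_string` by value, or letting `data` escape into a raw `char *`, recreates the `save_point` dangling pointer. Tools such as AddressSanitizer catch the original raw-pointer read at runtime for the same reason the descriptor does, by tracking liveness per allocation rather than per page.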