[PATCH][WIP] Make exploiting talloc harder by using a random talloc_magic

Andrew Bartlett abartlet at samba.org
Wed Oct 16 19:34:14 MDT 2013


This patch is inspired by the exploit in
http://blog.csnc.ch/wp-content/uploads/2012/07/sambaexploit_v1.0.pdf
and is an idea to see if we can make it harder to exploit talloc.  

The re-order is designed to put the flags earlier into the talloc_chunk,
where they would have to be overwritten.

The only downsides I see so far are:
 - startup needs to select a better random number
 - we lose the magic 'different talloc version' detection, it will just
abort with wrong magic.  However library .so names and symbol versions
will probably avoid this, now we always build with waf.
 - presumably the compiler would have been able to optimise the previous
talloc version check

What do folks think, and can I get some help to prove it would disrupt
these exploits?

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-lib-talloc-Disrupt-buffer-overflow-attacks-on-Samba-.patch
Type: text/x-patch
Size: 5773 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131017/86bf3a4b/attachment.bin>
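As an added illustration of the idea in the post (this is not Andrew's patch from the scrubbed attachment, nor libtalloc's real chunk layout), a simplified C model of a chunk header whose flags word sits first and carries a per-process random magic in its upper bits; the hypothetical `chunk_valid` check fails once an overflow from the preceding allocation has trampled the header, which is the detection the reorder is meant to force. The seed passed to `choose_magic` is a constructed value; a real implementation would draw it from the OS at startup.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified talloc-style chunk header (not libtalloc's layout).
 * As in the patch's reorder, the flags word is the FIRST field, so an overflow
 * running forward from the previous allocation must pass through it. */
#define FLAG_FREE 0x01u
#define FLAG_LOOP 0x02u
#define FLAG_MASK 0x0fu   /* low nibble reserved for status flags */

struct chunk {
    uint32_t flags;       /* per-process magic (upper bits) | status flags */
    size_t   size;        /* user-visible size; user data follows the header */
};

static uint32_t talloc_magic;   /* chosen once per process, not a compile-time constant */

/* Pick the per-process magic; 'seed' stands in for an OS random source. */
void choose_magic(uint32_t seed)
{
    talloc_magic = seed & ~FLAG_MASK;   /* keep flag bits clear of the magic */
}

/* Lay a header into 'buf' (which must hold sizeof(struct chunk) + size bytes). */
void *chunk_init(void *buf, size_t size)
{
    struct chunk *c = buf;
    c->flags = talloc_magic;
    c->size = size;
    return c + 1;                        /* pointer to the user data */
}

/* The check a talloc_chunk_from_ptr()-style routine would do: 1 if the
 * header still carries this process's magic, 0 if it has been corrupted. */
int chunk_valid(const void *ptr)
{
    const struct chunk *c = (const struct chunk *)ptr - 1;
    return (c->flags & ~FLAG_MASK) == talloc_magic;
}

/* Two adjacent chunks in a constructed arena; writing past the end of the
 * first one lands on the second's header, and the magic check catches it. */
int overflow_detected(void)
{
    unsigned char arena[2 * (sizeof(struct chunk) + 16)];
    choose_magic(0xdeadbeefu);                            /* constructed seed */
    char *a = chunk_init(arena, 16);
    char *b = chunk_init(arena + sizeof(struct chunk) + 16, 16);
    int before = chunk_valid(b);
    memset(a, 'A', 16 + sizeof(struct chunk));            /* 16 bytes into b's header */
    int after = chunk_valid(b);
    return before && !after;                              /* 1: corruption detected */
}
```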