[PATCH][WIP] Make exploiting talloc harder by using a random talloc_magic

Andrew Bartlett abartlet at samba.org
Wed Oct 16 22:06:39 MDT 2013

On Thu, 2013-10-17 at 05:58 +0200, Stefan (metze) Metzmacher wrote:
> Am 17.10.2013 03:34, schrieb Andrew Bartlett:
> > This patch is inspired by the exploit in
> > http://blog.csnc.ch/wp-content/uploads/2012/07/sambaexploit_v1.0.pdf
> > and is an idea to see if we can make it harder to exploit talloc.  
> > 
> > The re-order is designed to put the flags earlier into the talloc_chunk,
> > where they would have to be overwritten.
> > 
> > The only downsides I see so far are:
> >  - startup needs to select a better random number
> >  - we lose the magic 'different talloc version' detection, it will just
> > abort with wrong magic.  However library .so names and symbol versions
> > will probably avoid this, now we always build with waf. 
> Can't just add the random one to the fixed one and remove it again if we
> want to check the fixed one?

Two different libraries somehow inter-linked would generate two
different random numbers, so no useful information would be available. 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz
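The scheme under discussion, as an added illustration that is not part of the patch or of libtalloc: a simplified chunk header whose magic is the fixed value plus a per-process random (metze's "add it and remove it again"), with flags kept in the first field. The layout, field names, the fixed constant and the two "random" values are assumed; the demo walks through why the subtraction only recovers version information inside the same library copy, which is Andrew's objection.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model of a talloc-style chunk header. Layout, field names and the
 * magic constant are assumed for illustration; they are not libtalloc's own. */
#define TALLOC_FLAG_MASK   0x0Fu        /* low bits hold FREE/LOOPED-style flags */
#define TALLOC_MAGIC_FIXED 0xe814ec70u  /* assumed fixed, public per-version magic */

struct talloc_chunk {
    uint32_t flags;   /* magic | flags, placed first so an overflow must overwrite it */
    size_t size;
};

/* Per-process magic under the scheme discussed: fixed + random, flag bits kept clear.
 * 'random_bits' stands for the entropy the patch has to gather at startup. */
uint32_t talloc_magic_for(uint32_t random_bits)
{
    return (TALLOC_MAGIC_FIXED + (random_bits & ~TALLOC_FLAG_MASK)) & ~TALLOC_FLAG_MASK;
}

/* 1 when the header carries the caller's magic, 0 when it is corrupt or foreign. */
int talloc_chunk_check(const struct talloc_chunk *c, uint32_t magic)
{
    return (c->flags & ~TALLOC_FLAG_MASK) == magic;
}

/* The "remove it again" idea: subtract the caller's random to recover the fixed
 * magic. Only meaningful when the chunk was made with the caller's own random. */
uint32_t talloc_chunk_recover_fixed(const struct talloc_chunk *c, uint32_t random_bits)
{
    return (c->flags & ~TALLOC_FLAG_MASK) - (random_bits & ~TALLOC_FLAG_MASK);
}

/* Walks the thread's scenario with two independently randomised library copies
 * (constructed random values). Returns 1 when every expectation holds. */
int talloc_magic_demo(void)
{
    uint32_t ra = 0x12345670u, rb = 0x9abcdef0u;     /* two library copies, two randoms */
    struct talloc_chunk c = { talloc_magic_for(ra), 64 };   /* chunk made by copy A */
    if (!talloc_chunk_check(&c, talloc_magic_for(ra))) return 0;            /* own copy: ok */
    if (talloc_chunk_recover_fixed(&c, ra) != TALLOC_MAGIC_FIXED) return 0; /* version seen */
    if (talloc_chunk_check(&c, talloc_magic_for(rb))) return 0;             /* copy B: fails */
    if (talloc_chunk_recover_fixed(&c, rb) == TALLOC_MAGIC_FIXED) return 0; /* no version info */
    c.flags = TALLOC_MAGIC_FIXED;          /* header overwritten with the old public constant */
    return !talloc_chunk_check(&c, talloc_magic_for(ra));                   /* rejected */
}
```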
