[PATCH][WIP] Make exploiting talloc harder by using a random talloc_magic
abartlet at samba.org
Wed Oct 16 22:06:39 MDT 2013
On Thu, 2013-10-17 at 05:58 +0200, Stefan (metze) Metzmacher wrote:
> Am 17.10.2013 03:34, schrieb Andrew Bartlett:
> > This patch is inspired by the exploit in
> > http://blog.csnc.ch/wp-content/uploads/2012/07/sambaexploit_v1.0.pdf
> > and is an idea to see if we can make it harder to exploit talloc.
> > The re-order is designed to put the flags earlier into the talloc_chunk,
> > where they would have to be overwritten.
> > The only downsides I see so far are:
> > - startup needs to select a better random number
> > - we lose the magic 'different talloc version' detection, it will just
> > abort with wrong magic. However library .so names and symbol versions
> > will probably avoid this, now we always build with waf.
> Can't we just add the random one to the fixed one and remove it again if we
> want to check the fixed one?
Two different libraries somehow inter-linked would generate two
different random numbers, so no useful information would be available.
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz
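An added example, not part of this thread or of talloc's own code, modelling the idea under discussion: a toy chunk header whose magic is mixed with a per-process random value chosen at startup, so a header forged from the constant visible in the source no longer passes the check that every operation performs. The header layout, the `TOY_MAGIC_FIXED` constant and the caller-supplied random value are assumptions for illustration; talloc's real `talloc_chunk` differs.

```c
#include <stdint.h>
#include <stdlib.h>

/* Toy chunk header (not talloc's real layout): magic in the upper bits of
 * the flags word, flag bits in the low nibble. */
#define TOY_FLAG_FREE   0x01u
#define TOY_FLAG_MASK   0x0fu
#define TOY_MAGIC_FIXED 0xe814ec70u   /* constructed constant, not talloc's */

struct toy_chunk {
    uint32_t flags;   /* checked on every operation */
    size_t   size;    /* user data follows the header */
};
static uint32_t toy_magic;   /* per-process magic, selected once at startup */

/* Mix a startup random value into the fixed constant.  A real implementation
 * draws random_value from a CSPRNG; a parameter keeps the example reproducible. */
void toy_init_magic(uint32_t random_value)
{
    toy_magic = (TOY_MAGIC_FIXED ^ random_value) & ~TOY_FLAG_MASK;
}

struct toy_chunk *toy_alloc(size_t size)
{
    struct toy_chunk *c = calloc(1, sizeof(*c) + size);
    if (c == NULL) return NULL;
    c->flags = toy_magic;
    c->size = size;
    return c;
}

/* 1 if the header still carries the live magic and the chunk is not freed,
 * 0 if it was overwritten or already freed. */
int toy_chunk_ok(const struct toy_chunk *c)
{
    return (c->flags & ~TOY_FLAG_MASK) == toy_magic &&
           (c->flags & TOY_FLAG_FREE) == 0;
}

/* Simulate a header clobbered with the constant visible in the source: returns
 * 1 (accepted) when random_value == 0, 0 (rejected) once a random value is mixed in. */
int toy_forged_header_passes(uint32_t random_value)
{
    toy_init_magic(random_value);
    struct toy_chunk *c = toy_alloc(16);
    if (c == NULL) return -1;
    c->flags = TOY_MAGIC_FIXED;   /* constructed overwrite of the header */
    int ok = toy_chunk_ok(c);
    free(c);
    return ok;
}
```

The contrast between the two return values is the whole point of the patch: with the magic fixed at build time the forged header is indistinguishable from a valid one, with a startup random value it is caught before the chunk is used.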