[PATCH][WIP] Make exploiting talloc harder by using a random talloc_magic
Andrew Bartlett
abartlet at samba.org
Wed Oct 16 22:06:39 MDT 2013
On Thu, 2013-10-17 at 05:58 +0200, Stefan (metze) Metzmacher wrote:
> Am 17.10.2013 03:34, schrieb Andrew Bartlett:
> > This patch is inspired by the exploit in
> > http://blog.csnc.ch/wp-content/uploads/2012/07/sambaexploit_v1.0.pdf
> > and is an idea to see if we can make it harder to exploit talloc.
> >
> > The re-order is designed to put the flags earlier into the talloc_chunk,
> > where they would have to be overwritten.
> >
> > The only downsides I see so far are:
> > - startup needs to select a better random number
> > - we loose the magic 'different talloc version' detection, it will just
> > abort with wrong magic. However library .so names and symbol versions
> > will probably avoid this, now we always build with waf.
>
> Can't just add the random one to the fixed one and remove it again if we
> want to check the fixed one?
Two different libraries somehow inter-linked would generate two
different random numbers, so no useful information would be available.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131017/d3744bd3/attachment.pgp>
More information about the samba-technical
mailing list