
Re: zlib bug



Ted U <grendel@heorot.stanford.edu> writes:

> On 12 Mar 2002, Ian D wrote:
> 
> > > No, it does not affect OpenBSD because of the superior
> > > malloc (free, to be exact) implementation.
> > > I read /. too and I instantly checked with the man pages.
> >
> > Is OpenBSD as a whole immune to this bug, or just OpenBSD's OpenSSH
> > implementation?
> 
> I think immune is a strong word.  It's still a bug.  But BSD malloc
> implementations are safe for the most part from being exploited.
> 
> OpenBSD as a whole, until a few hours ago, was vulnerable to the flaw;
> any program that used libz (I count 7 in /usr/bin) would double free.  It
> just so happens that double freeing reports a warning instead of
> corrupting the heap.

That depends on the order in which you do the double free.

if it's:

void *x = malloc(size);
free(x);
free(x);        /* second free hits a chunk already marked free */

Then everything should be safe with phk malloc.

But if it's:

void *x = malloc(size);
free(x);
void *a = malloc(size);   /* reuses the chunk x pointed to */
free(x);                  /* stale free of x looks like a valid free of a */
void *b = malloc(size);   /* can hand out the same chunk again */

no malloc implementation will catch that and you have a big risk that
'a' and 'b' will point to the same memory.

I don't know how bad it was in zlib.

//art
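A toy model of the two orderings discussed in the mail, added here as an illustration and not code from the mail or from phk malloc: a fixed pool with one in-use flag per chunk (the kind of bookkeeping that lets an allocator warn on "chunk is already free") catches the immediate free(x); free(x), but cannot tell the stale second free(x) in the interleaved sequence from a legitimate free of a, so a and b come back pointing at the same chunk. All names here are constructed for the example.

```c
/* Toy allocator: 4 fixed chunks, each flagged in-use or free, standing in
 * for the per-chunk bookkeeping of phk malloc.  Added illustration only. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#define NCHUNKS 4
static char pool[NCHUNKS][32];
static bool in_use[NCHUNKS];
static void *toy_malloc(void)
{
    for (size_t i = 0; i < NCHUNKS; i++)
        if (!in_use[i]) { in_use[i] = true; return pool[i]; }
    return NULL;                        /* pool exhausted */
}

/* 0 on success, -1 if already free (what phk malloc warns about), -2 if foreign. */
static int toy_free(void *p)
{
    for (size_t i = 0; i < NCHUNKS; i++) {
        if (p != pool[i]) continue;
        if (!in_use[i]) return -1;
        in_use[i] = false;
        return 0;
    }
    return -2;
}
static void reset(void) { memset(in_use, 0, sizeof in_use); }

/* First pattern from the mail: free(x); free(x); -- the second free
 * hits a chunk already marked free, so it is detected. */
int immediate_double_free_detected(void)
{
    reset();
    void *x = toy_malloc();
    toy_free(x);
    return toy_free(x) == -1;
}
/* Second pattern: free(x); a = malloc(); free(x); b = malloc();
 * The stale free of x is indistinguishable from a valid free of a,
 * so nothing is detected and a and b alias the same chunk. */
int interleaved_double_free_aliases(void)
{
    reset();
    void *x = toy_malloc();
    toy_free(x);
    void *a = toy_malloc();             /* gets x's chunk back */
    int rc = toy_free(x);               /* accepted: chunk is in use */
    void *b = toy_malloc();             /* same chunk a third time */
    return rc == 0 && a == b;
}
```

The only thing that reliably prevents the second pattern is in the program itself: clearing the pointer right after free so a stale free(x) becomes free(NULL), which is a no-op.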