Version: (using KDE KDE 3.5.4)
Installed from: Gentoo Packages
Compiler: gcc 4.1.1
OS: Linux

kdelibs' built-in malloc lacks code to prevent heap overflow exploitation.

kdelibs appears to use a version of Doug Lea's malloc for its internal malloc. Most of the time, KDE is compiled to use the system's built-in malloc, but has the option to use this one.

The issue is in the unlink macro. Modern versions of glibc have added some sanity checks to this macro in order to stop heap overflows from being exploitable using traditional techniques. Basically, when a heap overflow occurs, the chunk header of the following block is overwritten; next, when this block is either freed or allocated it is unlinked from its respective doubly linked lists. Since the attacker has control over the next/prev pointers, this results in an arbitrary write to an arbitrary location.

So, this means that if a KDE application has a heap overflow, it is much easier (or even possible) to exploit when compiled against kdelibs' built-in malloc as opposed to the malloc in recent versions of glibc.

If you take a look at the malloc.c of a recent version of glibc you will see the following:

    #define unlink(P, BK, FD) {                                                \
      FD = P->fd;                                                              \
      BK = P->bk;                                                              \
      if (__builtin_expect (FD->bk != P || BK->fd != P, 0))                    \
        malloc_printerr (check_action, "corrupted double-linked list", P);     \
      else {                                                                   \
        FD->bk = BK;                                                           \
        BK->fd = FD;                                                           \
      }                                                                        \
    }

as opposed to the built-in KDE malloc:

    #define unlink(P, BK, FD) {                                                \
      FD = P->fd;                                                              \
      BK = P->bk;                                                              \
      FD->bk = BK;                                                             \
      BK->fd = FD;                                                             \
    }

My recommendation is that kdelibs' built-in malloc is updated to be based off a more recent version of glibc's malloc, or at the very least add sanity checks to the unlink macro in a similar fashion.

Evan Teran
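The two unlink forms quoted in the report, side by side, as an added example that is not part of the report nor of the kdelibs or glibc sources. It models the chunk header with only the fields unlink touches, builds a small free list inline, and returns an error code where glibc would report and abort, so the effect of the missing check can be observed on a simulated overwritten header.

```c
/* Added example, not KDE or glibc code: a toy model of the malloc free-list
 * "unlink" step, unchecked (kdelibs/dlmalloc) beside sanity-checked (glibc). */
#include <stddef.h>
struct chunk { size_t size; struct chunk *fd; struct chunk *bk; };

/* kdelibs form: trusts P->fd and P->bk unconditionally. */
static void unlink_unchecked(struct chunk *p)
{
    struct chunk *fd = p->fd, *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* glibc form: both neighbours must point back at P. Returns 0 on success,
 * -1 for "corrupted double-linked list" (glibc reports and aborts instead). */
static int unlink_checked(struct chunk *p)
{
    struct chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return -1;
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

/* Circular free list a <-> b <-> c, constructed inline for the demos. */
static void build_list(struct chunk *a, struct chunk *b, struct chunk *c)
{
    a->fd = b; b->bk = a; b->fd = c; c->bk = b; c->fd = a; a->bk = c;
}

/* Intact list: the checked unlink of b succeeds and joins a and c. */
int demo_valid_unlink(void)
{
    struct chunk a = {32, NULL, NULL}, b = a, c = a;
    build_list(&a, &b, &c);
    return unlink_checked(&b) == 0 && a.fd == &c && c.bk == &a;
}

/* A simulated overflow replaced b's pointers with a foreign chunk. Returns 1
 * when the checked unlink refuses and writes nothing, while the unchecked one
 * writes through both pointers straight into `bogus`. */
int demo_corrupted_unlink(void)
{
    struct chunk a = {32, NULL, NULL}, b = a, c = a, bogus = {0, NULL, NULL};
    build_list(&a, &b, &c);
    b.fd = b.bk = &bogus;                 /* the overflowed header */
    int refused = unlink_checked(&b) == -1 && bogus.fd == NULL && bogus.bk == NULL;
    unlink_unchecked(&b);                 /* no check: both stores land */
    return refused && bogus.fd == &bogus && bogus.bk == &bogus;
}
```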
The code is dropped in KDE4 and not recommended in KDE3 for modern Linux. So I don't think we want to fix this.
Gentoo stopped using the fast-malloc command line option a long time ago. In fact, we do a --disable-fast-malloc at configure time.
Agreed. Nobody seems to be using this anymore.