Bug 133453

Summary:	kdelibs built in malloc lacks code to prevent heap overflow exploitation
Product:	[Frameworks and Libraries] kdelibs	Reporter:	Evan Teran <evan.teran>
Component:	general	Assignee:	Lubos Lunak <l.lunak>
Status:	RESOLVED INTENTIONAL
Severity:	normal
Priority:	NOR
Version:	unspecified
Target Milestone:	---
Platform:	Gentoo Packages
OS:	Linux
Latest Commit:		Version Fixed In:

Description Evan Teran 2006-09-02 20:09:34 UTC

Version:            (using KDE KDE 3.5.4)
Installed from:    Gentoo Packages
Compiler:          gcc 4.1.1 
OS:                Linux

kdelibs built in malloc lacks code to prevent heap overflow exploitation. kdelib appears to use a version of doug lea's malloc for it's internal malloc. Most of the time, kde is compiled to use the system's built in malloc, but has the option to use this one.

The issue is in the unlink macro. Modern versions of glibc have added some sanity checks to this macro in order to stop heap overflows from being exploitable using traditional techniques. 

Basically, when a heap overflow occurs, the chunk header of the following block is overwritten, next, when this block is either freed or allocated it is unlinked from it's respective doubly linked lists. Since the attacker has control over the next/prev pointers, this results in an arbitrary write to an arbitrary location.

So, this means that if a KDE application has a heap overflow, it is much easier (or even possible) to exploit when compiled against kdelib's built in malloc as apposed to the malloc in recent versions of glibc.

if you take a look at the malloc.c recent version of glibc you will see the following:

#define unlink(P, BK, FD) {                                            \
  FD = P->fd;                                                          \
  BK = P->bk;                                                          \
  if (__builtin_expect (FD->bk != P || BK->fd != P, 0))                \
    malloc_printerr (check_action, "corrupted double-linked list", P); \
  else {                                                               \
    FD->bk = BK;                                                       \
    BK->fd = FD;                                                       \
  }                                                                    \
}

as apposed to the built in kde malloc:

#define unlink(P, BK, FD) {                                            \
  FD = P->fd;                                                          \
  BK = P->bk;                                                          \
  FD->bk = BK;                                                         \
  BK->fd = FD;                                                         \
}

my recommendation is that kdelib's built in malloc is updated to be based off a more recent version of glibc's malloc or at the very least add sanity checks to the unlink macro in a similar fashion.

Evan Teran

Comment 1 Stephan Kulow 2006-09-02 20:30:40 UTC

the code is dropped in KDE4 and not recommended in KDE3 for modern linux. So I don't think we want to fix this

Comment 2 Caleb Tennis 2006-09-04 15:33:56 UTC

Gentoo stopped using the fast-malloc command line option a long time ago. In fact, we do a --disable-fast-malloc at configure time.

Comment 3 Lubos Lunak 2006-09-19 12:16:14 UTC

Agreed. Nobody seems to be using this anymore.