Bug 133453

Summary: kdelibs built in malloc lacks code to prevent heap overflow exploitation
Product: [Frameworks and Libraries] kdelibs
Reporter: Evan Teran <evan.teran>
Component: general
Assignee: Lubos Lunak <l.lunak>
Status: RESOLVED INTENTIONAL
Severity: normal
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Gentoo Packages
OS: Linux
Latest Commit:
Version Fixed In:

Description Evan Teran 2006-09-02 20:09:34 UTC
Version:            (using KDE KDE 3.5.4)
Installed from:    Gentoo Packages
Compiler:          gcc 4.1.1 
OS:                Linux

kdelibs' built-in malloc lacks code to prevent heap overflow exploitation. kdelib appears to use a version of Doug Lea's malloc for its internal malloc. Most of the time, KDE is compiled to use the system's built-in malloc, but has the option to use this one.

The issue is in the unlink macro. Modern versions of glibc have added some sanity checks to this macro in order to stop heap overflows from being exploitable using traditional techniques. 

Basically, when a heap overflow occurs, the chunk header of the following block is overwritten. Next, when this block is either freed or allocated, it is unlinked from its respective doubly linked list. Since the attacker has control over the next/prev pointers, this results in an arbitrary write to an arbitrary location.

So, this means that if a KDE application has a heap overflow, it is much easier (or even possible) to exploit when compiled against kdelib's built-in malloc as opposed to the malloc in recent versions of glibc.

If you take a look at malloc.c in a recent version of glibc, you will see the following:

#define unlink(P, BK, FD) {                                            \
  FD = P->fd;                                                          \
  BK = P->bk;                                                          \
  if (__builtin_expect (FD->bk != P || BK->fd != P, 0))                \
    malloc_printerr (check_action, "corrupted double-linked list", P); \
  else {                                                               \
    FD->bk = BK;                                                       \
    BK->fd = FD;                                                       \
  }                                                                    \
}

As opposed to the built-in KDE malloc:

#define unlink(P, BK, FD) {                                            \
  FD = P->fd;                                                          \
  BK = P->bk;                                                          \
  FD->bk = BK;                                                         \
  BK->fd = FD;                                                         \
}

My recommendation is that kdelib's built-in malloc be updated to be based on a more recent version of glibc's malloc, or at the very least that sanity checks be added to the unlink macro in a similar fashion.

Evan Teran
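The following is an added, self-contained model of the two unlink variants quoted in the report; it is not code from kdelibs or glibc. It uses a three-field chunk struct and a tiny circular bin constructed for the demo, and replaces glibc's malloc_printerr with a boolean return so the outcome can be inspected. It shows why the "FD->bk != P || BK->fd != P" test matters: on an intact list both versions behave identically, but when a chunk's forward pointer has been overwritten to point outside the bin, the checked version refuses to unlink, while the unchecked version writes through the bad pointer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal free-chunk header: only the list links matter for unlink. */
struct chunk {
    size_t size;
    struct chunk *fd;   /* forward pointer in the free bin */
    struct chunk *bk;   /* backward pointer in the free bin */
};

/* Shape of the kdelibs macro from the report: no consistency check. */
static void unlink_unchecked(struct chunk *p)
{
    struct chunk *fd = p->fd;
    struct chunk *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* Shape of the glibc macro: only unlink if both neighbours point back at p.
 * Returns false where glibc would call malloc_printerr(). */
static bool unlink_checked(struct chunk *p)
{
    struct chunk *fd = p->fd;
    struct chunk *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return false;               /* "corrupted double-linked list" */
    fd->bk = bk;
    bk->fd = fd;
    return true;
}

/* Constructed circular bin: head <-> a <-> b <-> head. */
static void build_bin(struct chunk *head, struct chunk *a, struct chunk *b)
{
    head->fd = a; a->bk = head;
    a->fd = b;    b->bk = a;
    b->fd = head; head->bk = b;
}

/* Intact list: the checked unlink succeeds and leaves head <-> b. */
bool demo_intact_list(void)
{
    struct chunk head = {0}, a = {0}, b = {0};
    build_bin(&head, &a, &b);
    if (!unlink_checked(&a))
        return false;
    return head.fd == &b && b.bk == &head;
}

/* Corrupted header (as after an overflow of the preceding chunk): a.fd now
 * points at a decoy struct that is not linked into the bin at all.
 * The checked unlink must refuse and must not touch the decoy. */
bool demo_checked_refuses_corruption(void)
{
    struct chunk head = {0}, a = {0}, b = {0}, decoy = {0};
    build_bin(&head, &a, &b);
    a.fd = &decoy;                  /* constructed corruption */
    bool refused = !unlink_checked(&a);
    return refused && decoy.bk == NULL && head.fd == &a;
}

/* Same corruption, unchecked unlink: fd->bk = bk writes &head into the decoy
 * and bk->fd = fd links the decoy into the bin. */
bool demo_unchecked_follows_corruption(void)
{
    struct chunk head = {0}, a = {0}, b = {0}, decoy = {0};
    build_bin(&head, &a, &b);
    a.fd = &decoy;                  /* constructed corruption */
    unlink_unchecked(&a);
    return decoy.bk == &head && head.fd == &decoy;
}

int main(void)
{
    printf("intact list, checked unlink ok:      %d\n", demo_intact_list());
    printf("corrupted, checked unlink refused:   %d\n", demo_checked_refuses_corruption());
    printf("corrupted, unchecked unlink wrote:   %d\n", demo_unchecked_follows_corruption());
    return 0;
}
```

The check is cheap (two pointer compares) and is the minimum the report asks for; newer glibc versions layer further integrity checks on top, but this one alone is what turns the described write-through-unlink into an abort.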
Comment 1 Stephan Kulow 2006-09-02 20:30:40 UTC
The code is dropped in KDE4 and not recommended in KDE3 for modern Linux. So I don't think we want to fix this.
Comment 2 Caleb Tennis 2006-09-04 15:33:56 UTC
Gentoo stopped using the fast-malloc command line option a long time ago. In fact, we do a --disable-fast-malloc at configure time.
Comment 3 Lubos Lunak 2006-09-19 12:16:14 UTC
Agreed. Nobody seems to be using this anymore.