Re: Avice about the importance of heap overflow in hdf5

[Ola Lundqvist <ola@inguza.com>]

Hi Ben

Thank you for the information that it is glibc that "protect". Do we know that glibc in wheezy do this or is this a more recent thing?

// Ola

On 25 November 2016 at 00:58, Ben Hutchings <ben@decadent.org.uk> wrote:

On Thu, 2016-11-24 at 14:59 +0100, Raphael Hertzog wrote:
> Hi,
>
> On Tue, 22 Nov 2016, Ola Lundqvist wrote:
[...]
> > Also I have in other discussions got the impression that gcc nowadays have
> > some kind of heap protection that prevent overwrite of data causing
> > arbitrary code execution. I may be wrong however.
>
> Looking at hdf5 in wheezy, I don't see any hardening feature enabled. I
> wonder where you saw that gcc has such protections by default in Debian.
[...]

glibc (not gcc) has heap hardening.  (Of course, this doesn't help
libraries that use their own heap.)  I've previously been told that
this makes it impractical to achieve code execution through a heap
overflow.

Ben.

--
Ben Hutchings
[W]e found...that it wasn't as easy to get programs right as we had
thought.
... I realized that a large part of my life from then on was going to
be spent
in finding mistakes in my own programs. - Maurice Wilkes, 1949

--

 --- Inguza Technology AB --- MSc in Information Technology ----

/  ola@inguza.com                    Folkebogatan 26            \

|  opal@debian.org                   654 68 KARLSTAD            |

|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |

\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /

 ---------------------------------------------------------------