Date: Sun, 20 Apr 2014 15:00:28 -0400 From: Nathan Dorfman <na@rtfm.net> To: Jamie Landeg-Jones <jamie@dyslexicfish.net> Cc: hcoin@quietfountain.com, freebsd-security@freebsd.org Subject: Re: De Raadt + FBSD + OpenSSH + hole? Message-ID: <CADgEyUt1_BiTQhvjzS0%2Bot0hUVNSUMXM8qXki%2B6dZio%2BgWfZgg@mail.gmail.com> In-Reply-To: <201404201831.s3KIVCSY054778@catnip.dyslexicfish.net> References: <534B11F0.9040400@paladin.bulgarpress.com> <201404141207.s3EC7IvT085450@chronos.org.uk> <201404141232.s3ECWFQ1081178@catnip.dyslexicfish.net> <53522186.9030207@FreeBSD.org> <201404200548.s3K5mV7N055244@catnip.dyslexicfish.net> <53540307.1070708@quietfountain.com> <201404201831.s3KIVCSY054778@catnip.dyslexicfish.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Apr 20, 2014 at 2:31 PM, Jamie Landeg-Jones <jamie@dyslexicfish.net> wrote: > Once memory has been freed, I thought any attempt by a user process to > access it would cause a SIGSEV. > > I thought the issue was with programs that inadvertantly expose (either > to read or write) other parts of their active memory. > > Of course, if a process rolls it's own in-process implementation > of malloc/free, then this point is moot, but once you free memory back > to the system, isn't in no longer accessable anyway? free() doesn't usually "free memory back to the system." It just puts it back onto a "free list" managed by libc, entirely within the process's address space. "Use after free" is actually a rather common type of bug -- do a web search on that term to see just how often it comes up. -nd.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CADgEyUt1_BiTQhvjzS0%2Bot0hUVNSUMXM8qXki%2B6dZio%2BgWfZgg>