The GNU C Library (glibc), used by Linux and many other operating systems and programs, contains a critical security vulnerability. The flaw, in dynamic memory management, can be exploited for DoS attacks. Eyal Itkin of Check Point announced that the company has published an open-source patch that makes the vulnerability harder for attackers to exploit.
Protection for single-linked lists
Check Point described Safe-Linking as a security mechanism that protects single-linked lists (such as the fastbin and tcache) from being tampered with by attackers. It draws randomness from ASLR (mmap_base) and, when combined with chunk alignment integrity checks, protects the “next” pointers from being hijacked by an attacker.
The company also stated that Safe-Unlinking protects double-linked lists, but there was no such protection for single-linked lists. The new mechanism protects against these three common attacks:
- Partial pointer override: modifies the lower bytes (Little Endian)
- Full pointer override: hijacks the pointer to an attacker’s location
- Unaligned chunks: pointing the list to an unaligned address
The design assumes an attacker doesn’t know where the heap is located, and also uses the ASLR randomness to “sign” the single-linked pointers. Eyal Itkin from Check Point also stated,
“We mark the pointer as P and the location in which it is stored as L, and the calculation will be:
PROTECT(P) := (L >> PAGE_SHIFT) XOR (P)
*L = PROTECT(P)
This way, the random bits from the address L will be merged with the LSB of the stored protected pointer. This protection layer prevents an attacker from modifying the pointer into a controlled value.”
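To make the mechanism concrete, the following is an added C example, not code from Check Point or from glibc. It models the PROTECT/REVEAL calculation quoted above together with the chunk alignment check, using constructed addresses, an assumed 4 KiB page size (PAGE_SHIFT = 12) and an assumed 16-byte malloc alignment. The functions `protect_ptr`, `reveal_ptr`, `take_next` and `overwrite_low_bytes` are hypothetical names chosen for the illustration; it shows why a partial (little-endian) override or a raw full override of the stored “next” pointer decodes to an unaligned address and is rejected, which is the detection point the article describes.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumptions for this illustration (not glibc's exact values on every target):
 * 4 KiB pages and 16-byte malloc alignment. */
#define PAGE_SHIFT 12
#define MALLOC_ALIGN_MASK ((uintptr_t)0xF)

/* PROTECT(P) := (L >> PAGE_SHIFT) XOR P, where L is the address of the slot
 * that stores the "next" pointer P. REVEAL is the same XOR applied again,
 * so it only works if the reader knows the real slot address L. */
static uintptr_t protect_ptr(uintptr_t L, uintptr_t P) {
    return (L >> PAGE_SHIFT) ^ P;
}

static uintptr_t reveal_ptr(uintptr_t L, uintptr_t stored) {
    return (L >> PAGE_SHIFT) ^ stored;
}

/* The chunk alignment integrity check that accompanies Safe-Linking:
 * a revealed "next" pointer must be a properly aligned chunk address. */
static int is_aligned_chunk(uintptr_t p) {
    return (p & MALLOC_ALIGN_MASK) == 0;
}

/* Simulate the allocator reading the next pointer of a freed chunk whose
 * slot lives at L. Returns 1 and writes *out if the stored value decodes to
 * an acceptable pointer, 0 if the alignment check rejects it (a real
 * allocator would abort at this point). */
static int take_next(uintptr_t L, uintptr_t stored, uintptr_t *out) {
    uintptr_t p = reveal_ptr(L, stored);
    if (!is_aligned_chunk(p))
        return 0;
    *out = p;
    return 1;
}

/* Replace the lowest n bytes of a stored value with the bytes in v.
 * This models a partial, little-endian overwrite of the slot. */
static uintptr_t overwrite_low_bytes(uintptr_t stored, unsigned n, uintptr_t v) {
    uintptr_t mask = (n >= sizeof(uintptr_t)) ? ~(uintptr_t)0
                                             : (((uintptr_t)1 << (8 * n)) - 1);
    return (stored & ~mask) | (v & mask);
}

/* Constructed addresses: a slot at DEMO_L on a heap page whose page number
 * (DEMO_L >> 12 = 0x7f3a5c6d7) has a non-zero low nibble, so the mixed-in
 * random bits land exactly on the alignment bits of the stored pointer. */
static const uintptr_t DEMO_L = 0x7f3a5c6d7e90ULL;
static const uintptr_t DEMO_P = 0x7f3a5c6d7f00ULL;  /* legitimate, 16-byte aligned */

int main(void) {
    uintptr_t stored = protect_ptr(DEMO_L, DEMO_P);  /* 0x7f3dafc8b9d7 */
    uintptr_t got = 0;

    /* Honest round trip: the allocator knows L, so REVEAL restores P. */
    if (take_next(DEMO_L, stored, &got) && got == DEMO_P)
        printf("round trip ok: %#lx\n", (unsigned long)got);

    /* Partial override of the low 2 bytes with 0x7e00: after REVEAL the low
     * nibble becomes 0x7 (from L >> 12), so the pointer is unaligned. */
    uintptr_t partial = overwrite_low_bytes(stored, 2, 0x7e00);
    printf("partial override: %s (decodes to %#lx)\n",
           take_next(DEMO_L, partial, &got) ? "ACCEPTED" : "rejected",
           (unsigned long)reveal_ptr(DEMO_L, partial));

    /* Full override with a raw, unprotected value: without knowing L the
     * decoded result is not the value written, and here it is unaligned too. */
    uintptr_t full = 0x7f3a5c6d7e10ULL;
    printf("full override: %s (decodes to %#lx, wrote %#lx)\n",
           take_next(DEMO_L, full, &got) ? "ACCEPTED" : "rejected",
           (unsigned long)reveal_ptr(DEMO_L, full), (unsigned long)full);
    return 0;
}
```

The example uses a page number whose low nibble is non-zero so the rejection is deterministic; in a real process the mixed-in bits come from ASLR, so which overwrites slip past the alignment check varies per run, and an overwrite that does pass still lands on an address the attacker did not choose.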