De Raadt + FBSD + OpenSSH + hole?
Nathan Dorfman
na at rtfm.net
Sun Apr 20 19:00:30 UTC 2014
On Sun, Apr 20, 2014 at 2:31 PM, Jamie Landeg-Jones
<jamie at dyslexicfish.net> wrote:
> Once memory has been freed, I thought any attempt by a user process to
> access it would cause a SIGSEV.
>
> I thought the issue was with programs that inadvertantly expose (either
> to read or write) other parts of their active memory.
>
> Of course, if a process rolls it's own in-process implementation
> of malloc/free, then this point is moot, but once you free memory back
> to the system, isn't in no longer accessable anyway?
free() doesn't usually "free memory back to the system." It just puts
it back onto a "free list" managed by libc, entirely within the
process's address space.
"Use after free" is actually a rather common type of bug -- do a web
search on that term to see just how often it comes up.
-nd.
More information about the freebsd-security
mailing list