Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:70612 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 66595 invoked from network); 12 Dec 2013 23:11:51 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 12 Dec 2013 23:11:51 -0000 Authentication-Results: pb1.pair.com header.from=tstarling@wikimedia.org; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=tstarling@wikimedia.org; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain wikimedia.org designates 208.80.152.186 as permitted sender) X-PHP-List-Original-Sender: tstarling@wikimedia.org X-Host-Fingerprint: 208.80.152.186 mchenry.wikimedia.org Received: from [208.80.152.186] ([208.80.152.186:37482] helo=mchenry.wikimedia.org) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id C9/F4-32587-5B24AA25 for ; Thu, 12 Dec 2013 18:11:50 -0500 Received: from [2620:0:860:2:219:b9ff:fedd:86eb] (port=48750 helo=sanger.wikimedia.org) by mchenry.wikimedia.org with esmtp (Exim 4.69) (envelope-from ) id 1VrFQ2-0000WW-Oy; Thu, 12 Dec 2013 23:11:46 +0000 Received: from cpe-121-216-59-234.lnse1.ken.bigpond.net.au ([121.216.59.234]:59969 helo=[10.0.0.7]) by sanger.wikimedia.org with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1VrFQ1-0000pp-Il; Thu, 12 Dec 2013 23:11:45 +0000 Message-ID: <52AA42AD.7080605@wikimedia.org> Date: Fri, 13 Dec 2013 10:11:41 +1100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0 MIME-Version: 1.0 To: Pierre Joye CC: Stas Malyshev , internals Mailing List , Marcus Boerger References: <5281AE1C.4040108@wikimedia.org> <52A50402.6040303@sugarcrm.com> <52A95137.4050505@wikimedia.org> In-Reply-To: X-Enigmail-Version: 1.5.2 OpenPGP: id=BF976370 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] EXIF integer overflow again From: tstarling@wikimedia.org (Tim Starling) On 12/12/13 17:07, Pierre Joye wrote: > But generating it at runtime during the test run sounds like a good > solution. While I am not sure yet about a good way to craft a TIFF > to fit the crash requirements, we have no API to get the heap size > (not sure it is displayed by bintools). Not the heap size, the heap pointer, i.e. (size_t)ptr, the distance between the start of address space and the pointer returned by emalloc(). On Linux, malloc() will sometimes use brk(), which gives you an address after .text, .data, etc., so it is dependent on the size of the main binary (which could be Apache, php-fcgi, etc.) -- typically it is some tens of megabytes above the start of the address space. If malloc() decides to use mmap() instead, on a 64-bit system, the address returned will typically be terabytes above the start of address space, so the attack will be infeasible. Windows apparently doesn't have brk(), so the attack there would probably be limited to 32-bit systems. -- Tim Starling