Analysis of examples of contaminated memory allocation functions in C language

1. Polluted memory allocation

C's memory allocation functions include malloc(), kmalloc(), smalloc(), xmalloc(), realloc(), calloc(), GlobalAlloc(), HeapAlloc() and so on. Taking malloc() as an example, its prototype is:

extern void *malloc(unsigned int num_bytes);

The malloc() function allocates num_bytes bytes of memory and returns a pointer to it. When the integer used as the allocation length comes from an untrusted source that may be contaminated, and that external input is not effectively validated, an extremely large memory allocation can result. Untrusted sources that may be contaminated include: command line parameters, configuration files, network communications, databases, environment variables, registry values, and other input from outside the application.

2. The harm of contaminated memory allocation

Using contaminated data directly as the length parameter of a memory allocation function, for example passing in a very large integer value, makes the program allocate a correspondingly huge block of memory, imposing a large memory overhead on the system and potentially leading to a denial of service.

Related vulnerabilities are also recorded in CVE. From January 2018 to March 2019, there were 4 related entries in CVE. The vulnerability information is as follows:

CVE: Overview

CVE-2018-6869: There is a security vulnerability in the '__zzip_parse_root_directory' function of the zzip/zip.c file in ZZIPlib version 0.13.68. A remote attacker could exploit this vulnerability to cause a denial of service (uncontrolled memory allocation and crash) using a specially crafted zip file.

CVE-2018-5783: There is a security vulnerability in the 'PoDoFo::PdfVecObjects::Reserve' function of the base/PdfVecObjects.h file in PoDoFo version 0.9.5. A remote attacker could exploit this vulnerability to cause a denial of service (uncontrolled memory allocation) using a specially crafted PDF file.

CVE-2018-5296: There is a security vulnerability in the 'PdfParser::ReadXRefSubsection' function of the base/PdfParser.cpp file in PoDoFo version 0.9.5. The vulnerability stems from the program not controlling the allocation of memory. A remote attacker could exploit this vulnerability to cause a denial of service using a specially crafted PDF file.


3. Sample code

The examples used in this section are based on CWE-789: Uncontrolled Memory Allocation (http://cwe.mitre.org/data/definitions/789.html), with a definition added for the GetUntrustedInt() function used in that example.

3.1 Defect Code


In the above example code, line 9 uses the malloc() function to allocate totBytes bytes of memory. Tracing the path shows that totBytes is assigned the result of size*sizeof(char) on line 6, and that the value of size is user keyboard input obtained with the scanf() function on line 7. That is a contaminated data source, so the allocation length totBytes is tainted and there is a "tainted memory allocation" problem.

Running 360 Code Guard on the above sample code detects the "polluted memory allocation" defect and reports it with a severity level of high, as shown in Figure 1:



Figure 1: Detection example of contaminated memory allocation

3.2 Repair code


In the above repair code, although totBytes still comes from contaminated data, its length is effectively limited on line 10, thus avoiding a contaminated memory allocation.

Running 360 Code Guard on the repaired code shows that the "polluted memory allocation" defect is no longer reported, as shown in Figure 2:



Figure 2: Detection results after repair

4. How to avoid contaminated memory allocation

(1) Avoid using contaminated data directly as the length parameter of the memory allocation function. If it cannot be avoided, the contaminated data should be effectively restricted.

(2) Using source code static analysis tools can effectively discover such problems.
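The defective pattern from 3.1 and the length restriction from 3.2 and point (1), written out as an added example that is not the article's own listing. The names alloc_unchecked, parse_count and alloc_checked and the 64 KiB MAX_ALLOC_BYTES cap are assumptions, and the untrusted value arrives as a string instead of through scanf().

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed application limit; pick the largest size the feature really needs. */
#define MAX_ALLOC_BYTES ((size_t)64 * 1024)

/* Defective pattern (3.1): tainted value reaches malloc(); "-1" becomes a huge size. */
void *alloc_unchecked(const char *text, size_t elem_size)
{
    int size = atoi(text);
    return malloc((size_t)size * elem_size);
}

/* Validate an untrusted decimal string as an element count.
   Returns 0 and stores the count on success, -1 on any rejected input. */
int parse_count(const char *text, size_t elem_size, size_t *count_out)
{
    char *end = NULL;
    long long v;
    if (text == NULL || elem_size == 0 || count_out == NULL)
        return -1;
    errno = 0;
    v = strtoll(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0' || v <= 0)
        return -1;                  /* malformed, out of range, zero or negative */
    if ((unsigned long long)v > MAX_ALLOC_BYTES / elem_size)
        return -1;                  /* over the cap; also rules out overflow */
    *count_out = (size_t)v;
    return 0;
}

/* Repaired pattern (3.2): the length is bounded before allocation. */
void *alloc_checked(const char *text, size_t elem_size)
{
    size_t count;
    return parse_count(text, elem_size, &count) == 0 ? calloc(count, elem_size) : NULL;
}

int main(void)
{
    const char *samples[] = { "100", "65537", "-1", "12abc" }; /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        void *p = alloc_checked(samples[i], sizeof(char));
        printf("%-6s -> %s\n", samples[i], p ? "allocated" : "rejected");
        free(p);
    }
    return 0;
}
```

Dividing the cap by elem_size before comparing keeps the check itself free of integer overflow, so the multiplication inside calloc() can never exceed MAX_ALLOC_BYTES.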


Statement
This article is reproduced from 亿速云.
