+++
title = 'Temporal errors'
+++
# Temporal errors
Main types:
- use after free
- uninitialized variables

## Use after free
Sometimes, program retains pointer to freed memory location ("dangling pointer")
- e.g. malloc buffer that was freed, or local variable buffer after function return

Future allocation/function call can re-use that memory.

Sometimes, attacker can craft input to overwrite memory with own data:
1. Program allocs buffer or variable X
2. Program uses X to store some data
3. Program frees X
4. Program allocates buffer/variable Y overlapping with X
5. Data written to Y also overwrites relevant part of X
6. Program uses X, causing incorrect result

Useful to:
- bypass length restrictions for later buffer overflow
- overwrite fields that shouldn't be attacker-controlled
- overwrite validated data with incorrect data that will not be validated
- leak sensitive data from new buffer

## Double free
Free can't efficiently check block validity
- detects only some cases of double free
- undetected cases might corrupt allocator metadata, useful for arbitrary write
- might free memory that has already been reused

## Uninitialized variables
Local variables and buffers are not automatically initialized to zero.
Instead, they contain whatever data happened to be on the stack/heap before they were allocated.

Sometimes, attacker can craft input to initialize the variable:
1. program allocates buffer/variable X
2. program uses X to store some data under attacker control
3. program frees X
4. program allocs buffer/variable Y overlapping X
5. program does not initialize (part of) Y, causing attacker's data from X to remain there
6. program uses Y, causing incorrect result
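The three sections above (use after free, double free, uninitialized variables) all come down to one slot of memory being handed out twice. The following is an added example, not part of these notes: it uses a small constructed arena allocator (`arena_alloc`/`arena_free`, four fixed-size slots on a LIFO free list, all hypothetical names) so that the reuse is deterministic and the reads stay in valid static memory, unlike a real `malloc` where the same steps are undefined behaviour and only reproduce sometimes. Each function walks the numbered steps from the notes and returns what the program observes, and the fixed variants show the checks a defender adds: null the pointer after freeing, refuse to use a null pointer, clear memory on allocation (the `calloc` pattern), and track per-slot state so a second free is rejected.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy allocator: SLOTS fixed-size slots, LIFO free list, so the
 * slot freed most recently is the next one handed out. That is the overlap
 * the notes describe in step 4, made reproducible. */
#define SLOTS 4
#define SLOT_SIZE 16
static unsigned char arena[SLOTS][SLOT_SIZE];
static int free_stack[SLOTS];
static int free_top;
static int in_use[SLOTS];

static void arena_reset(void) {
    free_top = 0;
    for (int i = SLOTS - 1; i >= 0; i--) free_stack[free_top++] = i;
    memset(in_use, 0, sizeof in_use);
    memset(arena, 0xAA, sizeof arena); /* stale bytes, like real heap memory */
}

static void *arena_alloc(void) {
    if (free_top == 0) return NULL;
    int slot = free_stack[--free_top];
    in_use[slot] = 1;
    return arena[slot];
}

/* Returns 0 on success, -1 for a double free or a foreign pointer. The toy
 * arena can afford a per-slot in_use flag; a general-purpose allocator
 * cannot check this cheaply, which is why it detects only some double frees. */
static int arena_free(void *p) {
    for (int i = 0; i < SLOTS; i++) {
        if (p == arena[i]) {
            if (!in_use[i]) return -1;
            in_use[i] = 0;
            free_stack[free_top++] = i;
            return 0;
        }
    }
    return -1;
}

/* Defensive read: refuses a null pointer instead of dereferencing it. */
static int read_first(const unsigned char *p, unsigned char *out) {
    if (p == NULL) return -1;
    *out = p[0];
    return 0;
}

#define FREE_AND_NULL(p) do { arena_free(p); (p) = NULL; } while (0)

/* Use after free, steps 1-6: returns the byte the stale pointer X now reads. */
static unsigned char uaf_demo(void) {
    arena_reset();
    unsigned char *x = arena_alloc();   /* 1. allocate X */
    memcpy(x, "validated", 10);         /* 2. store (already validated) data */
    arena_free(x);                      /* 3. free X; x is now dangling */
    unsigned char *y = arena_alloc();   /* 4. Y gets the same slot as X */
    memcpy(y, "overwrite", 10);         /* 5. write to Y */
    return x[0];                        /* 6. X reads 'o', not 'v' */
}

/* Same steps with the pointer nulled at free time: the stale use is caught. */
static int uaf_fixed(unsigned char *out) {
    arena_reset();
    unsigned char *x = arena_alloc();
    memcpy(x, "validated", 10);
    FREE_AND_NULL(x);
    unsigned char *y = arena_alloc();
    memcpy(y, "overwrite", 10);
    return read_first(x, out);          /* -1: x is NULL, nothing is read */
}

/* Double free: the second free of the same slot is rejected by the arena. */
static int double_free_demo(void) {
    arena_reset();
    unsigned char *x = arena_alloc();
    arena_free(x);
    return arena_free(x);               /* -1 */
}

/* Uninitialized variable: Y reuses X's slot; returns 1 if X's old content is
 * still visible through Y. zero_on_alloc applies the calloc-style fix. */
static int uninit_demo(int zero_on_alloc) {
    arena_reset();
    unsigned char *x = arena_alloc();
    memcpy(x, "secret", 7);
    arena_free(x);
    unsigned char *y = arena_alloc();
    if (zero_on_alloc) memset(y, 0, SLOT_SIZE);
    return memcmp(y, "secret", 7) == 0;
}

int main(void) {
    unsigned char c = 0;
    printf("uaf: X now reads '%c'\n", uaf_demo());
    printf("uaf fixed: read_first returned %d\n", uaf_fixed(&c));
    printf("double free rejected: %d\n", double_free_demo());
    printf("stale data visible: %d, after zeroing: %d\n",
           uninit_demo(0), uninit_demo(1));
    return 0;
}
```

The arena is the whole point: with a real heap the same six steps depend on allocator size classes and bin state, so a test that "passes" one day fails the next. For detection outside a toy, the same scenarios are what AddressSanitizer's quarantine (use after free, double free) and MemorySanitizer (uninitialized reads) flag at the offending line.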