
Heap overflow

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by 76.241.128.176 (talk) at 15:03, 17 June 2012. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

A heap overflow is a type of buffer overflow that occurs in the heap data area. Heap overflows are exploitable in a different manner from stack-based overflows. Memory on the heap is dynamically allocated by the application at run time and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers. The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as malloc metadata) and uses the resulting pointer exchange to overwrite a program function pointer.

Consequences

An accidental overflow may result in data corruption or unexpected behavior by any process which uses the affected memory area. On operating systems without memory protection, this could be any process on the system.

A deliberate exploit may result in data at a specific location being altered in an arbitrary way, or in arbitrary code being executed.

The Microsoft JPEG GDI+ vulnerability MS04-028 is an example of the danger a heap overflow can represent to a computer user.

iOS jailbreaking often uses heap overflows to gain arbitrary code execution, usually in kernel exploits, in order to replace the kernel with the one the jailbreak provides.

Detection and Prevention

Since version 2.3.6, the GNU libc includes protections that can detect heap overflows after the fact, for example by checking pointer consistency when calling unlink. While those protections defend against old-style exploits, they are not perfect, as described in The Malloc Maleficarum and further in Malloc Des-Maleficarum.
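The pointer-consistency check on unlink described above, and the malloc-metadata pointer exchange mentioned in the introduction, as an added example that is not part of the article or of glibc: the chunk struct, safe_unlink and the list-building helpers are simplified, hypothetical stand-ins for the real allocator internals.

```c
#include <stddef.h>

/* Added example, not from the article: a toy doubly linked free list with
 * the pointer-consistency check glibc's unlink performs before touching a
 * chunk's neighbours. Names (chunk, safe_unlink, ...) are hypothetical. */
typedef struct chunk {
    size_t size;        /* chunk size, as a real allocator records it */
    struct chunk *fd;   /* forward link in the free list */
    struct chunk *bk;   /* backward link in the free list */
} chunk;

/* Safe-unlinking check: both neighbours must still point back at p.
 * An overflow that overwrites fd or bk breaks this invariant. */
int links_intact(const chunk *p) {
    return p->fd && p->bk && p->fd->bk == p && p->bk->fd == p;
}

/* Remove p only if links_intact() holds. Returns 0 on success, -1 on
 * detected corruption (glibc aborts here: "corrupted double-linked list"). */
int safe_unlink(chunk *p) {
    if (!links_intact(p))
        return -1;
    p->fd->bk = p->bk;  /* the two writes a corrupted fd/bk would redirect */
    p->bk->fd = p->fd;
    p->fd = p->bk = NULL;
    return 0;
}

/* Build a circular free list: head <-> a <-> b <-> head. */
static void link_three(chunk *head, chunk *a, chunk *b) {
    head->fd = a; a->bk = head;
    a->fd = b;    b->bk = a;
    b->fd = head; head->bk = b;
}

/* Intact list: unlinking b succeeds and head/a are re-joined. */
int demo_intact(void) {
    chunk head = {0}, a = {32}, b = {64};
    link_three(&head, &a, &b);
    return safe_unlink(&b) == 0 && head.bk == &a && a.fd == &head;
}

/* Constructed corruption: a's bk points outside the list, as an overflow
 * from the neighbouring chunk might leave it; the check refuses to unlink. */
int demo_corrupted(void) {
    chunk head = {0}, a = {32}, b = {64}, stray = {0};
    link_three(&head, &a, &b);
    a.bk = &stray;      /* stray.fd != &a, so links_intact() fails */
    return safe_unlink(&a) == -1 && b.bk == &a && stray.fd == NULL;
}
```

Without the check, the two assignments in safe_unlink would write through whatever fd and bk now contain, which is the pointer exchange the canonical technique relies on; with it, the corrupted chunk is never unlinked.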

Microsoft Windows operating systems have implemented protections against heap overflows since Windows XP SP2, such as safe unlinking and heap cookies. They can also mitigate these threats through Data Execution Prevention (DEP) and ASLR.
