Heap overflow - Revision history

Annawwanna: /* growthexperiments-addlink-summary-summary:3|0|0 */

2025-05-01T21:24:00Z

Link suggestions feature: 3 links added.

← Previous revision		Revision as of 21:24, 1 May 2025
Line 6:		Line 6:
	==Consequences==		==Consequences==

	An accidental overflow may result in data corruption or unexpected behavior by any process that accesses the affected memory area. On [[operating system]]s without [[memory protection]], this could be any process on the system.		An accidental overflow may result in [[data corruption]] or unexpected behavior by any process that accesses the affected memory area. On [[operating system]]s without [[memory protection]], this could be any process on the system.

	For example, a [[Microsoft]] [[JPEG]] [[Graphics Device Interface\|GDI+]] buffer overflow vulnerability could allow remote execution of code on the affected machine.<ref>{{cite web		For example, a [[Microsoft]] [[JPEG]] [[Graphics Device Interface\|GDI+]] buffer overflow vulnerability could allow remote execution of code on the affected machine.<ref>{{cite web
Line 35:		Line 35:
	\|access-date = 29 Mar 2016}}</ref> In addition, Linux has included support for [[ASLR]] since 2005, although [[PaX]] introduced a better implementation years before. Also Linux has included support for NX-bit since 2004.		\|access-date = 29 Mar 2016}}</ref> In addition, Linux has included support for [[ASLR]] since 2005, although [[PaX]] introduced a better implementation years before. Also Linux has included support for NX-bit since 2004.

	[[Microsoft]] has included protections against heap resident buffer overflows since April 2003 in [[Windows Server 2003]] and August 2004 in [[Windows XP]] with [[Windows XP#Service Pack 2\|Service Pack 2]]. These mitigations were safe unlinking and heap entry header cookies. Later versions of Windows such as [[Windows Vista\|Vista]], Server 2008 and Windows 7 include: Removal of commonly targeted data structures, heap entry metadata randomization, expanded role of heap header cookie, randomized heap base address, [[function pointer]] encoding, termination of heap corruption and algorithm variation. Normal Data Execution Prevention (DEP) and ASLR also help to mitigate this attack.<ref name="Microsoft Security Research & Defense">{{cite web		[[Microsoft]] has included protections against heap resident buffer overflows since April 2003 in [[Windows Server 2003]] and August 2004 in [[Windows XP]] with [[Windows XP#Service Pack 2\|Service Pack 2]]. These mitigations were safe unlinking and heap entry header cookies. Later versions of Windows such as [[Windows Vista\|Vista]], Server 2008 and [[Windows 7]] include: Removal of commonly targeted data structures, heap entry metadata randomization, expanded role of heap header cookie, randomized heap [[base address]], [[function pointer]] encoding, termination of heap corruption and algorithm variation. Normal Data Execution Prevention (DEP) and ASLR also help to mitigate this attack.<ref name="Microsoft Security Research & Defense">{{cite web
	\| url = https://msrc.microsoft.com/blog/2009/08/preventing-the-exploitation-of-user-mode-heap-corruption-vulnerabilities/		\| url = https://msrc.microsoft.com/blog/2009/08/preventing-the-exploitation-of-user-mode-heap-corruption-vulnerabilities/
	\| title = Preventing the exploitation of user mode heap corruption vulnerabilities		\| title = Preventing the exploitation of user mode heap corruption vulnerabilities

Jenngra505: Updated citation to where Microsoft Technet has been relocated.

2024-10-10T23:28:52Z

Updated citation to where Microsoft Technet has been relocated.

← Previous revision		Revision as of 23:28, 10 October 2024
Line 36:		Line 36:

	[[Microsoft]] has included protections against heap resident buffer overflows since April 2003 in [[Windows Server 2003]] and August 2004 in [[Windows XP]] with [[Windows XP#Service Pack 2\|Service Pack 2]]. These mitigations were safe unlinking and heap entry header cookies. Later versions of Windows such as [[Windows Vista\|Vista]], Server 2008 and Windows 7 include: Removal of commonly targeted data structures, heap entry metadata randomization, expanded role of heap header cookie, randomized heap base address, [[function pointer]] encoding, termination of heap corruption and algorithm variation. Normal Data Execution Prevention (DEP) and ASLR also help to mitigate this attack.<ref name="Microsoft Security Research & Defense">{{cite web		[[Microsoft]] has included protections against heap resident buffer overflows since April 2003 in [[Windows Server 2003]] and August 2004 in [[Windows XP]] with [[Windows XP#Service Pack 2\|Service Pack 2]]. These mitigations were safe unlinking and heap entry header cookies. Later versions of Windows such as [[Windows Vista\|Vista]], Server 2008 and Windows 7 include: Removal of commonly targeted data structures, heap entry metadata randomization, expanded role of heap header cookie, randomized heap base address, [[function pointer]] encoding, termination of heap corruption and algorithm variation. Normal Data Execution Prevention (DEP) and ASLR also help to mitigate this attack.<ref name="Microsoft Security Research & Defense">{{cite web
	\| url = ~~http~~://~~blogs~~.~~technet~~.com/~~b/srd/archive~~/2009/08~~/04~~/preventing-the-exploitation-of-user-mode-heap-corruption-vulnerabilities~~.aspx~~		\| url = https://msrc.microsoft.com/blog/2009/08/preventing-the-exploitation-of-user-mode-heap-corruption-vulnerabilities/
	\| title = Preventing the exploitation of user mode heap corruption vulnerabilities		\| title = Preventing the exploitation of user mode heap corruption vulnerabilities
	\| publisher = Technet blog, Microsoft Security Research & Defense		\| publisher = Technet blog, Microsoft Security Research & Defense

InternetArchiveBot: Rescuing 1 sources and tagging 0 as dead.) #IABot (v2.0.9.5

2024-07-18T22:40:02Z

Rescuing 1 sources and tagging 0 as dead.) #IABot (v2.0.9.5

← Previous revision		Revision as of 22:40, 18 July 2024
Line 57:		Line 57:
	* [http://phrack.org/issues/57/8.html#article Vudo malloc tricks]		* [http://phrack.org/issues/57/8.html#article Vudo malloc tricks]
	* [http://www.h-online.com/security/features/A-Heap-of-Risk-747161.html Heap Overflow article at Heise Security]		* [http://www.h-online.com/security/features/A-Heap-of-Risk-747161.html Heap Overflow article at Heise Security]
	* [http://www.ptsecurity.com/download/defeating-xpsp2-heap-protection.pdf Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass]		* [http://www.ptsecurity.com/download/defeating-xpsp2-heap-protection.pdf Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass] {{Webarchive\|url=https://web.archive.org/web/20131101140750/http://www.ptsecurity.com/download/defeating-xpsp2-heap-protection.pdf \|date=2013-11-01 }}

	[[Category:Computer security exploits]]		[[Category:Computer security exploits]]

Citation bot: Added publisher. | Use this bot. Report bugs. | Suggested by Abductive | Category:Software anomalies | #UCB_Category 10/35

2024-02-20T11:20:35Z

Added publisher. | Use this bot. Report bugs. | Suggested by Abductive | Category:Software anomalies | #UCB_Category 10/35

← Previous revision		Revision as of 11:20, 20 February 2024
Line 42:		Line 42:
	\| access-date = 29 Mar 2016}}</ref>		\| access-date = 29 Mar 2016}}</ref>

	The most common detection method for heap overflows is online dynamic analysis. This method observes the runtime execution of programs to identify vulnerabilities through the detection of security breaches.<ref>{{Cite book \|title=Proceedings of the Second Workshop on Real, Large Distributed Systems: December 13, 2005, San Francisco, CA, USA \|date=2005 \|isbn=978-1-931971-40-9 \|editor-last=USENIX Association}}</ref>		The most common detection method for heap overflows is online dynamic analysis. This method observes the runtime execution of programs to identify vulnerabilities through the detection of security breaches.<ref>{{Cite book \|title=Proceedings of the Second Workshop on Real, Large Distributed Systems: December 13, 2005, San Francisco, CA, USA \|date=2005 \|publisher=USENIX Association \|isbn=978-1-931971-40-9 \|editor-last=USENIX Association}}</ref>

	==See also==		==See also==

Claudiajoyce: /* Detection and prevention */ Added bullet point and hyperlink

2024-02-16T18:38:24Z

Detection and prevention: Added bullet point and hyperlink

← Previous revision		Revision as of 18:38, 16 February 2024
Line 45:		Line 45:

	==See also==		==See also==
			* [[Buffer overflow]]
	* [[Heap spraying]]		* [[Heap spraying]]
	* [[Stack buffer overflow]]		* [[Stack buffer overflow]]

Claudiajoyce: /* Detection and prevention */ Added to detection secion

2024-02-16T18:37:48Z

Detection and prevention: Added to detection secion

← Previous revision		Revision as of 18:37, 16 February 2024
Line 41:		Line 41:
	\| date = 4 Aug 2009		\| date = 4 Aug 2009
	\| access-date = 29 Mar 2016}}</ref>		\| access-date = 29 Mar 2016}}</ref>

			The most common detection method for heap overflows is online dynamic analysis. This method observes the runtime execution of programs to identify vulnerabilities through the detection of security breaches.<ref>{{Cite book \|title=Proceedings of the Second Workshop on Real, Large Distributed Systems: December 13, 2005, San Francisco, CA, USA \|date=2005 \|isbn=978-1-931971-40-9 \|editor-last=USENIX Association}}</ref>

	==See also==		==See also==

Rkieferbaum: v2.05 - Fix errors for CW project (Link equal to linktext)

2023-02-24T18:33:26Z

v2.05 - Fix errors for CW project (Link equal to linktext)

← Previous revision		Revision as of 18:33, 24 February 2023
Line 1:		Line 1:
	{{Short description\|Software anomaly}}		{{Short description\|Software anomaly}}
	A '''heap overflow''', '''heap overrun''', or '''heap smashing''' is a type of [[buffer overflow]] that occurs in the [[Heap (programming)\|heap]] data area. Heap overflows are exploitable in a different manner to that of [[stack overflow\|stack-based overflows]]. Memory on the heap is [[C dynamic memory allocation\|dynamically allocated]] at [[Runtime (program lifecycle phase)\|runtime]] and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as [[~~Linked list\|~~linked list]] [[Pointer (computer programming)\|pointers]]. The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as <code>malloc</code> metadata) and uses the resulting pointer exchange to overwrite a program [[function pointer]].		A '''heap overflow''', '''heap overrun''', or '''heap smashing''' is a type of [[buffer overflow]] that occurs in the [[Heap (programming)\|heap]] data area. Heap overflows are exploitable in a different manner to that of [[stack overflow\|stack-based overflows]]. Memory on the heap is [[C dynamic memory allocation\|dynamically allocated]] at [[Runtime (program lifecycle phase)\|runtime]] and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as [[linked list]] [[Pointer (computer programming)\|pointers]]. The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as <code>malloc</code> metadata) and uses the resulting pointer exchange to overwrite a program [[function pointer]].

	For example, on older versions of [[Linux]], two buffers allocated next to each other on the heap could result in the first buffer overwriting the second buffer's metadata. By setting the in-use bit to zero of the second buffer and setting the length to a small negative value which allows null bytes to be copied, when the program calls <code>free()</code> on the first buffer it will attempt to merge these two buffers into a single buffer. When this happens, the buffer that is assumed to be freed will be expected to hold two [[Pointer (computer programming)\|pointers]] FD and BK in the first 8 bytes of the formerly allocated buffer. BK gets written into FD and can be used to overwrite a pointer.		For example, on older versions of [[Linux]], two buffers allocated next to each other on the heap could result in the first buffer overwriting the second buffer's metadata. By setting the in-use bit to zero of the second buffer and setting the length to a small negative value which allows null bytes to be copied, when the program calls <code>free()</code> on the first buffer it will attempt to merge these two buffers into a single buffer. When this happens, the buffer that is assumed to be freed will be expected to hold two [[Pointer (computer programming)\|pointers]] FD and BK in the first 8 bytes of the formerly allocated buffer. BK gets written into FD and can be used to overwrite a pointer.

Squam Lizard: Adding local short description: "Software anomaly", overriding Wikidata description "type of buffer overflow"

2022-10-09T11:36:01Z

Adding local short description: "Software anomaly", overriding Wikidata description "type of buffer overflow"

← Previous revision		Revision as of 11:36, 9 October 2022
Line 1:		Line 1:
			{{Short description\|Software anomaly}}
	A '''heap overflow''', '''heap overrun''', or '''heap smashing''' is a type of [[buffer overflow]] that occurs in the [[Heap (programming)\|heap]] data area. Heap overflows are exploitable in a different manner to that of [[stack overflow\|stack-based overflows]]. Memory on the heap is [[C dynamic memory allocation\|dynamically allocated]] at [[Runtime (program lifecycle phase)\|runtime]] and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as [[Linked list\|linked list]] [[Pointer (computer programming)\|pointers]]. The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as <code>malloc</code> metadata) and uses the resulting pointer exchange to overwrite a program [[function pointer]].		A '''heap overflow''', '''heap overrun''', or '''heap smashing''' is a type of [[buffer overflow]] that occurs in the [[Heap (programming)\|heap]] data area. Heap overflows are exploitable in a different manner to that of [[stack overflow\|stack-based overflows]]. Memory on the heap is [[C dynamic memory allocation\|dynamically allocated]] at [[Runtime (program lifecycle phase)\|runtime]] and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as [[Linked list\|linked list]] [[Pointer (computer programming)\|pointers]]. The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as <code>malloc</code> metadata) and uses the resulting pointer exchange to overwrite a program [[function pointer]].

Togamid: The linked paper "Smashing the heap for Fun and Profit" is a republishing of the earlier Phrack paper "Vudo malloc tricks". As Wikipedia should link to the original source, the link and corresponding text has been updated.

2022-05-15T14:58:12Z

The linked paper "Smashing the heap for Fun and Profit" is a republishing of the earlier Phrack paper "Vudo malloc tricks". As Wikipedia should link to the original source, the link and corresponding text has been updated.

← Previous revision		Revision as of 14:58, 15 May 2022
Line 51:		Line 51:

	==External links==		==External links==
			* [http://phrack.org/issues/57/8.html#article Vudo malloc tricks]
	* [https://web.archive.org/web/20060713194734/http://doc.bughunter.net/buffer-overflow/heap-corruption.html Smashing The Heap For Fun And Profit]
	* [http://www.h-online.com/security/features/A-Heap-of-Risk-747161.html Heap Overflow article at Heise Security]		* [http://www.h-online.com/security/features/A-Heap-of-Risk-747161.html Heap Overflow article at Heise Security]
	* [http://www.ptsecurity.com/download/defeating-xpsp2-heap-protection.pdf Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass]		* [http://www.ptsecurity.com/download/defeating-xpsp2-heap-protection.pdf Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass]

Citation bot: Add: website. | Use this bot. Report bugs. | Suggested by Abductive | Category:Software anomalies | #UCB_Category 18/39

2022-03-29T08:04:36Z

Add: website. | Use this bot. Report bugs. | Suggested by Abductive | Category:Software anomalies | #UCB_Category 18/39

← Previous revision		Revision as of 08:04, 29 March 2022
Line 10:		Line 10:
	\|url = http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx		\|url = http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
	\|title = Microsoft Security Bulletin MS04-028, Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)		\|title = Microsoft Security Bulletin MS04-028, Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
			\|website = [[Microsoft]]
	\|date = 14 Sep 2004		\|date = 14 Sep 2004
	\|access-date = 29 Mar 2016}}</ref>		\|access-date = 29 Mar 2016}}</ref>

← Previous revision		Revision as of 18:33, 24 February 2023
Line 1:		Line 1:
	{{Short description\|Software anomaly}}		{{Short description\|Software anomaly}}
	A '''heap overflow''', '''heap overrun''', or '''heap smashing''' is a type of [[buffer overflow]] that occurs in the [[Heap (programming)\|heap]] data area. Heap overflows are exploitable in a different manner to that of [[stack overflow\|stack-based overflows]]. Memory on the heap is [[C dynamic memory allocation\|dynamically allocated]] at [[Runtime (program lifecycle phase)\|runtime]] and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as [[~~Linked list\|~~linked list]] [[Pointer (computer programming)\|pointers]]. The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as <code>malloc</code> metadata) and uses the resulting pointer exchange to overwrite a program [[function pointer]].		A '''heap overflow''', '''heap overrun''', or '''heap smashing''' is a type of [[buffer overflow]] that occurs in the [[Heap (programming)\|heap]] data area. Heap overflows are exploitable in a different manner to that of [[stack overflow\|stack-based overflows]]. Memory on the heap is [[C dynamic memory allocation\|dynamically allocated]] at [[Runtime (program lifecycle phase)\|runtime]] and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as [[linked list]] [[Pointer (computer programming)\|pointers]]. The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as <code>malloc</code> metadata) and uses the resulting pointer exchange to overwrite a program [[function pointer]].

	For example, on older versions of [[Linux]], two buffers allocated next to each other on the heap could result in the first buffer overwriting the second buffer's metadata. By setting the in-use bit to zero of the second buffer and setting the length to a small negative value which allows null bytes to be copied, when the program calls <code>free()</code> on the first buffer it will attempt to merge these two buffers into a single buffer. When this happens, the buffer that is assumed to be freed will be expected to hold two [[Pointer (computer programming)\|pointers]] FD and BK in the first 8 bytes of the formerly allocated buffer. BK gets written into FD and can be used to overwrite a pointer.		For example, on older versions of [[Linux]], two buffers allocated next to each other on the heap could result in the first buffer overwriting the second buffer's metadata. By setting the in-use bit to zero of the second buffer and setting the length to a small negative value which allows null bytes to be copied, when the program calls <code>free()</code> on the first buffer it will attempt to merge these two buffers into a single buffer. When this happens, the buffer that is assumed to be freed will be expected to hold two [[Pointer (computer programming)\|pointers]] FD and BK in the first 8 bytes of the formerly allocated buffer. BK gets written into FD and can be used to overwrite a pointer.