
I am trying to learn about code vulnerabilities, and am testing some simple programs I wrote. However, many of the issues Glibc catches during runtime (e.g. Stack-Smashing, Double Free, etc.). Thus I would like to be able to run my programs without Glibc's runtime detection errors. Is there a way to turn off Glibc's detection? (like with a compiler flag, etc).

I saw in a previous link it is described how to turn off ASLR and Canaries, but this is not what I'd like to do, since it still stops errors like a Double Free and some other heap errors I want to try out (http://stackoverflow.com/questions/2340259/how-to-turn-off-gcc-compiler-optimization-to-enable-buffer-overflow).

I also know you can turn off compile-time warnings with the -w flags but that doesn't seem to be what I want either. I've tried reading over the GCC flags and looking up information about Glibc, but I haven't gotten anywhere yet. Thus I would greatly appreciate any help. Thanks.

Billy

3 Answers


Check the man page for malloc(3) for usage of the MALLOC_CHECK_ environment variable. Using this, you can turn off 'aborts' for those double free errors and whatnot to play with things.

man malloc

So if your program was called 'badfree', you can either set MALLOC_CHECK_ (note trailing underscore) with an export command, or just set it every execution of badfree.

export MALLOC_CHECK_=0
./badfree

--or--

MALLOC_CHECK_=0 ./badfree

Just remember if you use the first method, it's set for ANY program you run in that shell.

Settings for MALLOC_CHECK_ from the malloc(3) man page are:

MALLOC_CHECK_ =
 0  Silently ignore any issues
 1  Send error message to stderr
 2  abort() is called immediately, killing your program.
 3  Do both '1' and '2' (MALLOC_CHECK_ is a bitfield)
lornix
  • Any way to do it at runtime? I mean, without an environment variable, a function or C define. – Carlos Vega Jul 23 '13 at 18:34
  • Yes! man 3 mallopt, although you may need to install the dev manpages or whatever, usually not default install. mallopt(M_CHECK_ACTION,0); would turn off checking entirely (like MALLOC_CHECK_=0 as env var). Defined in malloc.h, as expected. – lornix Jul 23 '13 at 21:48

You can overload operator new and operator delete, but that isn't going to help with a program that uses malloc and free. You can of course write your own implementations of those, also, but overloading C-library functions can be a bit challenging on some OSs.

What, conceptually, is the difference between a double free and free (unallocated_pointer) ?

David Hammen
  • Maybe I'm not following yet, but how would overloading new/delete help me? I guess I forgot to explicitly note this, but the Double Free comes up while I'm working on C code. – Billy Jul 19 '11 at 18:32
  • I guess you forgot to mention that! You also forgot to mention your intent: Are you trying to write tools to detect vulnerabilities, or are you trying to author a vulnerability? – David Hammen Jul 19 '11 at 19:55
  • On many machines there are **no** options to do what you want with the compiler because the C standard library is not a part of the compiler. The standard library is instead a part of the system. It comes bundled with the system on both Linux and on Mac OSX, for example. The GNU compiler collect relies on this. The standard library is not a part of gcc. – David Hammen Jul 19 '11 at 19:59
  • Ohhh, I see. I wish I could get those hours of googling/staring at compiler options back...anyway, yep, I'm just trying out different weaknesses and seeing what happens with memory, what I can do with them, etc. – Billy Jul 19 '11 at 20:06
  • Correction to my previous comment: It's the GNU compiler collection, not the GNU compiler collect. – David Hammen Jul 19 '11 at 20:14
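As an added illustration (written for this page, not code from any of the answers or from glibc), the following C program keeps its own table of the pointers it hands out, so that a misuse of free() can be classified the way the first answer's MALLOC_CHECK_ levels react to it and the conceptual question in the second answer is made concrete: a pointer that was already released is a double free, while a pointer the allocator never returned is a free of an unallocated pointer. The check_action setting reuses the bit meanings quoted from the malloc(3) man page above (bit 0: message on stderr, bit 1: abort(), 0: ignore silently). All names here (tracked_malloc, tracked_free, tracked_set_check_action, TRACK_MAX) are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>

#define TRACK_MAX 256   /* this example's own limit on tracked pointers */

enum free_result { FREE_OK = 0, FREE_DOUBLE = 1, FREE_UNKNOWN = 2 };

/* One record per pointer handed out. Freed records stay in the table so a
 * second free() of the same pointer can be told apart from a pointer that
 * was never allocated here. */
static struct { void *ptr; size_t size; int freed; } table[TRACK_MAX];
static size_t table_len = 0;

/* Same bit meanings as MALLOC_CHECK_ in the first answer:
 * bit 0 = message to stderr, bit 1 = abort(); 0 ignores the error silently. */
static int check_action = 1;

void tracked_set_check_action(int action) { check_action = action & 3; }

void *tracked_malloc(size_t size)
{
    void *p = malloc(size);
    if (p == NULL)
        return NULL;
    /* malloc may hand back an address freed earlier; revive that record
     * instead of adding a duplicate, otherwise the stale record would make
     * the next legitimate free() look like a double free. */
    for (size_t i = 0; i < table_len; i++) {
        if (table[i].ptr == p && table[i].freed) {
            table[i].size = size;
            table[i].freed = 0;
            return p;
        }
    }
    if (table_len < TRACK_MAX) {
        table[table_len].ptr = p;
        table[table_len].size = size;
        table[table_len].freed = 0;
        table_len++;
    }
    return p;
}

/* Acts on a detected error according to the check_action bitfield. */
static void report(const char *what, const void *p)
{
    if (check_action & 1)
        fprintf(stderr, "tracked_free(): %s, pointer %p\n", what, p);
    if (check_action & 2)
        abort();
}

/* Classifies the pointer and only passes live allocations on to free(). */
enum free_result tracked_free(void *p)
{
    if (p == NULL)
        return FREE_OK;                 /* free(NULL) is always a no-op */
    for (size_t i = 0; i < table_len; i++) {
        if (table[i].ptr == p) {
            if (table[i].freed) {
                report("double free", p);
                return FREE_DOUBLE;
            }
            table[i].freed = 1;
            free(p);
            return FREE_OK;
        }
    }
    report("free of a pointer not returned by tracked_malloc", p);
    return FREE_UNKNOWN;
}

int main(void)
{
    tracked_set_check_action(1);        /* message only, so the demo keeps running */
    char *buf = tracked_malloc(32);
    int local = 0;
    tracked_free(buf);                  /* live allocation: FREE_OK */
    tracked_free(buf);                  /* same pointer again: FREE_DOUBLE */
    tracked_free(&local);               /* stack address: FREE_UNKNOWN */
    return 0;
}
```

Setting check_action to 3 makes the tracker behave like MALLOC_CHECK_=3 (message, then abort), which is the configuration a defender wants in test builds; level 0 only hides the report, the corrupted heap state is the same either way.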

You should at least be able to turn off stack protection with

-fno-stack-protector

at compiletime

Edit: sorry, have just seen that this isn't enough for you

Doesn't seem to be easy because glibc is global for all programs, so it would be pretty bad if you could turn the protection off. My proposal would be to install an old linux distribution that has no heap protection (mid 2003 or earlier should work).

jww
Daniel
  • I've been searching everywhere but can't find anything. The only other flag I found was FORTIFY_SOURCE, but that didn't help me either. Would installing a really old version of gcc work, or do you really have to do the whole distribution? – Billy Jul 19 '11 at 18:32
  • I think because glibc is a core part of your distribution it is not enough to install an old version of gcc. But with VirtualBox or something similar even installing a whole distribution is pretty hassle free. – Daniel Jul 19 '11 at 18:34
  • The book "Hacking. The Art of Exploitation." by Jon Erickson for example contains a linux distribution without protection mechanisms to try out different hacks. I installed it in VirtualBox and it boots very fast. – Daniel Jul 19 '11 at 18:41
  • Oh ok. I actually have this book (but haven't opened it yet haha), so I'll try the code in that environment and see if I still get the error. – Billy Jul 19 '11 at 20:02
  • Update: I just tried doing a double free in the Hacking linux environment and glibc still immediately aborts the program. – Billy Jul 19 '11 at 20:23
  • oh, ok, seems like the book doesn't cover this issue ;) Seems like you really have to install an old distribution – Daniel Jul 19 '11 at 20:36
  • Stack and heap are not the same. -fno-stack-protector will skip stack checks which can improve performance and does not hurt as long the code behaves itself. Stack is faster but smaller, typically 8 megs or less and is used for variables and smaller arrays. Heap is for large memory allocations which is slower but necessary if you need more space in ram. – Rauli Kumpulainen Apr 26 '19 at 22:18