Closed 0x3c3e closed 5 years ago
Because c should have the same range as a. size of a is 512. Size of c is 500. They fall in the same range in libc.
There is nothing wrong with the code.
@Kyle-Kyle so I got the idea wrong? On the end of execution a != c (pointers) and it's ok?
As I understand from heap-exploitation 512
bytes chunk is splitted in two 500
and probably 12
bytes (it's probably how it work on my local machine). And if c
size fall in range from 505
to 520
malloc choose a
chunk without splitting.
There is no spliting at all in this case on you local machine. You know how bins works right? When you do a malloc, the size will be rounded up. So in this case, 512 will be rounded up to 520. Everything between 505 to 520 will be rounded up to 520. If the size does not fall in the range, it does not use the size at all, there is no way to return the same chunk.
@Kyle-Kyle so output as below is expected? thank you for answers
This file doesn't demonstrate an attack, but shows the nature of glibc's allocator.
glibc uses a first-fit algorithm to select a free chunk.
If a chunk is free and large enough, malloc will select this chunk.
This can be exploited in a use-after-free situation.
Allocating 2 buffers. They can be large, don't have to be fastbin.
1st malloc(512): 0x557a17c7c260
2nd malloc(256): 0x557a17c7c470
we could continue mallocing here...
now let's put a string at a that we can read later "this is A!"
first allocation 0x557a17c7c260 points to this is A!
Freeing the first one...
We don't need to free anything again. As long as we allocate less than 512, it will end up at 0x557a17c7c260
So, let's allocate 500 bytes
3rd malloc(500): 0x557a17c7c580
And put a different string here, "this is C!"
3rd allocation 0x557a17c7c580 points to this is C!
first allocation 0x557a17c7c260 points to
If we reuse the first allocation, it now holds the data from the third allocation.
@0x3c3e Is right, because of tcache this example does not work as expected right now. Because 500 and 512 end up in two different tcache bins. I'll fix it in a sec.
The TCache index is calculated as:
/* When "x" is from chunksize(). */
# define csize2tidx(x) (((x) - MINSIZE + MALLOC_ALIGNMENT - 1) / MALLOC_ALIGNMENT)
/* When "x" is a user-provided size. */
# define usize2tidx(x) csize2tidx (request2size (x))
#define request2size(req) \
(((req) + SIZE_SZ + MALLOC_ALIGN_MASK < MINSIZE) ? \
MINSIZE : \
((req) + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK)
/* The smallest possible chunk */
#define MIN_CHUNK_SIZE (offsetof(struct malloc_chunk, fd_nextsize))
/* The smallest size we can malloc is an aligned minimal chunk */
#define MINSIZE \
(unsigned long)(((MIN_CHUNK_SIZE+MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK))
#define MALLOC_ALIGNMENT (2 * SIZE_SZ < __alignof__ (long double) \
? __alignof__ (long double) : 2 * SIZE_SZ)
So if we request 505 we get:
req = 505
size = (505 + 8 + 0xf) & ~0xf = 528
tidx = (528 - 0x20 +0x10 - 1) / 0x10 = 31
If we request 520 we get:
req = 520
size = (520 + 8 + 0xf) & ~0xf = 528
tidx = (528 - 0x20 +0x10 - 1) / 0x10 = 31
So those are the extremes around 512 that end up in the same tcache idx I should add this calculation to the first_fit.c example maybe...
@Kyle-Kyle Before it was going in the unsorted_bin so it returned the same chunk. In that regard the behavior changed. We could also just make it big enough to not fall in tcache range.
In fact, I'll just do that and add an example for tcache indexing.
yeap. I finally get the problem. My bad. @0x3c3e you are right, this is not expected.
@0x3c3e Should be fixed now, see also the calc_tcache_idx example
If
x
inc = malloc(x)
is fewer than 505 bytes, the example won't work. As I understand inc = malloc(x)
,x
should be in range from 505 to 520 bytes. If someone can point to source code, I will be happy to check it.