Closed nnewram closed 2 years ago
Thank you for pointing this out. We actually add this extra padding on purpose. You can find this practice commonly in this repo. We do this because freeing a chunk adjacent to the top chunk sometimes gets the newly freed chunk merged into the top chunk, which is usually not expected. Originally, the merge only happened to chunks belonging to the unsorted bin, but later it was extended to fastbins. It may be extended to the tcache bin as well in the future. To be safe, we think it is a good practice to add extra padding to ensure that no merge (or consolidation) happens when freeing the chunk adjacent to the top chunk.
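The consolidation described above can be observed directly. The following is an added example, not code from how2heap: it frees a 0x500-byte request once with no chunk between it and the top chunk and once with a padding chunk in between, and compares the chunk's size field before and after the free (reading a freed chunk's header, as the PoCs in this repo do). It assumes a 64-bit glibc (tcache does not hold chunks this large, so the free goes through the unsorted-bin path) and returns -1 on any other allocator.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* The chunk size field sits one size_t before the user pointer; the low 3 bits are flags. */
static size_t chunk_size(void *p) { return ((size_t *)p)[-1] & ~(size_t)7; }

/* Returns 1 if free(victim) merged it into the top chunk, 0 if it stayed a separate
 * free chunk (unsorted bin), and -1 when not running on glibc, where the layout
 * assumptions above do not hold. */
int free_merges_into_top(int add_padding) {
#ifndef __GLIBC__
    (void)add_padding;
    return -1;
#else
    size_t req = 0x500;                 /* chunk size 0x510: above the tcache/fastbin limits */
    void *victim = malloc(req);         /* carved from the top chunk */
    void *pad = add_padding ? malloc(req) : NULL;   /* optional chunk between victim and top */
    size_t before = chunk_size(victim); /* 0x510 */
    free(victim);
    size_t after = chunk_size(victim);  /* top size if merged, still 0x510 if binned */
    int merged = after > before;
    if (pad) free(pad);                 /* cleanup: pad and victim consolidate back into top */
    return merged;
#endif
}

int main(void) {
    printf("no padding: merged into top = %d\n", free_merges_into_top(0));
    printf("with padding: merged into top = %d\n", free_merges_into_top(1));
    return 0;
}
```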
https://github.com/shellphish/how2heap/blob/44be09851c2a20fc63b73f68e96fa978c9ef23bf/glibc_2.31/house_of_lore.c#L83 This allocation seems to be redundant as commenting it out does not affect the result of the PoC.