shellphish / how2heap

A repository for learning various heap exploitation techniques.
MIT License

House of Lore redundancy #145

Status: closed (nnewram closed this issue 2 years ago)

nnewram commented 2 years ago

https://github.com/shellphish/how2heap/blob/44be09851c2a20fc63b73f68e96fa978c9ef23bf/glibc_2.31/house_of_lore.c#L83 This allocation seems to be redundant as commenting it out does not affect the result of the PoC.

Kyle-Kyle commented 2 years ago

Thank you for pointing this out. We actually add this extra padding on purpose. You can find this practice commonly throughout this repo. We do this because freeing a chunk adjacent to the top chunk sometimes gets the newly freed chunk merged into the top chunk, which is usually not expected. Originally, the merge only happened to chunks belonging to the unsorted bin, but later it got extended to the fastbin. It may be extended to the tcache bin as well in the future. To be safe, we think it is a good practice to add an extra padding to ensure that no merge (or consolidation) happens when freeing the chunk adjacent to the top chunk.
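To make the merge behaviour behind the padding concrete, here is a small added example; it is not code from the how2heap repository or from either commenter. It assumes 64-bit glibc malloc on Linux and reads chunk headers directly, in the style of the repo. A request of 0x500 bytes (a 0x510 chunk, above the tcache range and below the mmap threshold) is freed twice: once with nothing between it and the top chunk, and once with a padding allocation in between. The function `free_next_to_top` and the struct `free_result` are names chosen for this example.

```c
// Added example (not part of how2heap): why a padding chunk between the
// victim and the top chunk matters. Assumes 64-bit glibc on Linux; the heap
// metadata reads are glibc-specific, as in the how2heap PoCs themselves.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE_BITS 0x7UL   /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define REQUEST   0x500   /* -> 0x510 chunk: too big for tcache/fastbin */

struct free_result {
    size_t size_before;      /* chunk size field before free (0x510) */
    size_t size_after;       /* chunk size field after free */
    int    merged_into_top;  /* 1: header now carries the top chunk's size */
    int    bin_links_written;/* 1: fd/bk written into the user area (in a bin) */
    int    pad_prev_inuse;   /* padding chunk's PREV_INUSE bit after the free */
};

/* The size field lives one size_t before the user pointer (64-bit glibc). */
static size_t chunk_size(void *user_ptr) {
    return ((size_t *)user_ptr)[-1] & ~SIZE_BITS;
}

/* Allocate a chunk carved from the top chunk, optionally a padding chunk
 * right after it, then free the first one. Returns 1 if the freed chunk was
 * consolidated into top, 0 if it was placed in a bin. Cleans up so the heap
 * is back to a single top chunk afterwards. */
static int free_next_to_top(int padded, struct free_result *out) {
    struct free_result local;
    struct free_result *r = out ? out : &local;
    memset(r, 0, sizeof *r);

    char *victim = malloc(REQUEST);
    char *pad = padded ? malloc(REQUEST) : NULL;  /* keeps victim away from top */
    if (!victim || (padded && !pad)) abort();

    memset(victim, 'A', REQUEST);                /* marker for the user area */
    r->size_before = chunk_size(victim);

    free(victim);

    /* Stale but in-heap memory: inspecting it is the whole point here. */
    r->size_after = chunk_size(victim);
    /* Merging into top rewrites the size field with (victim + top) size;
     * placing the chunk in the unsorted bin leaves it at 0x510. */
    r->merged_into_top = r->size_after != r->size_before;
    /* A bin insertion stores fd/bk pointers over the first 16 bytes;
     * a top merge touches no user bytes, so the 'A' marker survives. */
    r->bin_links_written = memcmp(victim, "AAAAAAAA", 8) != 0;
    /* With padding, free() clears PREV_INUSE in the following chunk's header
     * and writes prev_size there, since victim is now a free chunk. */
    r->pad_prev_inuse = pad ? (int)(((size_t *)pad)[-1] & 1) : -1;

    if (pad) free(pad);  /* consolidates backward over victim, then into top */
    return r->merged_into_top;
}

int main(void) {
    struct free_result r;
    for (int padded = 0; padded <= 1; padded++) {
        free_next_to_top(padded, &r);
        printf("%s padding: size 0x%zx -> 0x%zx, merged_into_top=%d, "
               "bin_links_written=%d, pad_prev_inuse=%d\n",
               padded ? "with" : "without", r.size_before, r.size_after,
               r.merged_into_top, r.bin_links_written, r.pad_prev_inuse);
    }
    return 0;
}
```

Without the padding the freed 0x510 chunk disappears into top and its size field becomes the top chunk's size; with the padding it lands in the unsorted bin, its first 16 bytes become fd/bk pointers, and the padding chunk's PREV_INUSE bit is cleared. That second state is what a House of Lore style PoC relies on, which is why the "redundant" allocation is kept.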