Adding fastbin dup consolidate for glibc 2.31

[Kyle-Kyle]

This is an interesting technique. It is another new technique to bypass the double-free check in glibc-2.31. The core idea here is to

1. free the victim chunk into fastbin
2. trigger malloc_consolidate to merge fastbin into top chunk
3. allocate a tcache-sized chunk from the top chunk (so its address is the same as the dangling pointer)
4. perform the second free on the dangling pointer, which actually frees the allcoated chunk at step-3
5. now the chunk allocated from step 3 is also in tcache

So, in the existing poc, p2 is not necessary, you may want to remove it to avoid confusion to readers. And please add explanation on why it works (what happens during malloc_consolidate: p1 gets merged into top chunk)

[Kyle-Kyle]

This technique may work for all versions. I'll add it to other versions as well once you finish the modifications. Thank you for your contribution!

[Ch0pin]

Hi @Kyle-Kyle , I made the changes you requested. I also have a relevant write-up here, in case you want to add a reference. Thank you for your remarks.

[Kyle-Kyle]

it looks good to me. I'll add a reference in the exploit. Thanks for your contribution!