Closed k4lizen closed 3 months ago
I can write a PR for cleaning up this file if given the go-ahead
I think the point is malloc_consolidate
can allow the same chunk to be taken twice. And the idea of the existing description is to teach readers that freeing tache-sized chunk can also trigger malloc_consolidate
. unsortedbin-sized chunk can trigger it is a widely known behavior so the technique forgets to mention that as well. It'd be definitely more complete to mention it.
Notice that when doing free, there is only tcache and unsortedbin (we leave out mmap here). smallbin and largebin are basically sorted unsortedbins
.
About the calloc
call, I'd say it'd be better if we keep its current implementation but add some explanations for it. As a repo with educational purposes, it should guide readers to try out and understand different new mechanisms.
And please feel free to clean up the file and PRs are welcome
I am taking a look at this right now and wanted to mention that I was wrong:
Even if tcache was disabled, and it was a small chunk, I'm pretty sure this: https://elixir.bootlin.com/glibc/latest/source/malloc/malloc.c#L4468 would still be hit (and it is what is being hit in the exploit currently).
Currently in the exploit this is in-fact being hit. The other malloc_consolidate thats present in _int_malloc is really hard to hit since its only reached when the top chunk is too small for the allocation.
It doesn't need to be tcache-sized. Changing the chunk size of p3 and p4 to a large-bin works perfectly. This is because this
malloc_consolidate
is hit: https://elixir.bootlin.com/glibc/latest/source/malloc/malloc.c#L4041Even if tcache was disabled, and it was a small chunk, I'm pretty sure this: https://elixir.bootlin.com/glibc/latest/source/malloc/malloc.c#L4468 would still be hit (and it is what is being hit in the exploit currently).Even the further text:
Is a bit misleading, since the exploit works if p3 gets consolidated with top and doesn't go into the tcache (which is the case when larger malloc values for p3 and p4 are provided).
As a side note:
Utilizes a non-obvious mechanic of calloc to not take p1 out of the tcache. It would probably be better to allocate p1 with malloc before the tcache is freed, since its more obvious what is going on.