fastbin_dup

```c
#include <stdio.h>
#include <stdlib.h>

int main()
{
	fprintf(stderr, "This file demonstrates a simple double-free attack with fastbins.\n");

	fprintf(stderr, "Allocating 3 buffers.\n");
	int *a = malloc(8);
	int *b = malloc(8);
	int *c = malloc(8);

	fprintf(stderr, "1st malloc(8): %p\n", a);
	fprintf(stderr, "2nd malloc(8): %p\n", b);
	fprintf(stderr, "3rd malloc(8): %p\n", c);

	fprintf(stderr, "Freeing the first one...\n");
	free(a);

	fprintf(stderr, "If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
	free(a);  // left in on purpose: this immediate second free is what triggers the abort shown below

	fprintf(stderr, "So, instead, we'll free %p.\n", b);
	free(b);

	fprintf(stderr, "Now, we can free %p again, since it's not the head of the free list.\n", a);
	free(a);

	fprintf(stderr, "Now the free list has [ %p, %p, %p ]. If we malloc 3 times, we'll get %p twice!\n", a, b, a, a);
	fprintf(stderr, "1st malloc(8): %p\n", malloc(8));
	fprintf(stderr, "2nd malloc(8): %p\n", malloc(8));
	fprintf(stderr, "3rd malloc(8): %p\n", malloc(8));
}
```
```
This file demonstrates a simple double-free attack with fastbins.
Allocating 3 buffers.
1st malloc(8): 0xb74010
2nd malloc(8): 0xb74030
3rd malloc(8): 0xb74050
Freeing the first one...
If we free 0xb74010 again, things will crash because 0xb74010 is at the top of the free list.
*** Error in `./fastbin_dup_double_free': double free or corruption (fasttop): 0x0000000000b74010 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x790cb)[0x7fe7c6e7d0cb]
/lib/x86_64-linux-gnu/libc.so.6(+0x82c9a)[0x7fe7c6e86c9a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fe7c6e8ad8c]
./fastbin_dup_double_free[0x400740]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7fe7c6e243f1]
./fastbin_dup_double_free[0x40054a]
```

When we run the program it aborts with an obvious error: this is a textbook double free. Normally a chunk that has already been freed cannot be freed a second time. Now let's put the original comment back in.

First, the program mallocs three chunks, then calls free(a):

```c
fprintf(stderr, "3rd malloc(8): %p\n", c);

fprintf(stderr, "Freeing the first one...\n");
free(a);

fprintf(stderr, "If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
free(a);  // this free(a) is not allowed
```

Then free(b), free(a):

```c
fprintf(stderr, "So, instead, we'll free %p.\n", b);
free(b);

fprintf(stderr, "Now, we can free %p again, since it's not the head of the free list.\n", a);
```

At this point the fastbin forms a fastbin freelist:

```
chunk A ---> chunk B
```

Then we free a once more:

```c
free(a);

fprintf(stderr, "Now the free list has [ %p, %p, %p ]. If we malloc 3 times, we'll get %p twice!\n", a, b, a, a);
fprintf(stderr, "1st malloc(8): %p\n", malloc(8));
fprintf(stderr, "2nd malloc(8): %p\n", malloc(8));
fprintf(stderr, "3rd malloc(8): %p\n", malloc(8));
```

```
|Chunk A| -> |chunk B| -->| chunk A|
```

Summary

fastbins can be viewed as a LIFO stack implemented as a singly linked list, traversed through fastbin->fd. Because free checks the free list, we cannot free the same chunk twice in a row, so here a free of a different chunk is inserted between the two frees, which bypasses the check and lets the second free go through. Three subsequent mallocs then return the same address twice, leaving two pointers to the same memory region.
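To make the check that fires (and the one that does not) concrete, here is an added model of a single fastbin, written for this page and not taken from glibc or how2heap. Chunks are small integer indices instead of heap addresses, -1 stands for NULL, and all names (`fastbin_t`, `fastbin_free_fasttop`, `fastbin_free_checked`, `run_sequence`) are hypothetical. `fastbin_free_fasttop` reproduces the head-only comparison behind the "double free or corruption (fasttop)" abort above; `fastbin_free_checked` is an assumed hardened variant that walks the whole bin, shown for comparison only. `run_sequence` replays the page's free(a), free(a), free(b), free(a), then three mallocs, against either routine.

```c
#include <stdio.h>

/* Added model of one glibc fastbin (not glibc's own code): a LIFO singly
 * linked list threaded through each chunk's fd field. Chunk "addresses"
 * are indices 0..NCHUNKS-1 so the example runs without a real allocator.
 * All names are hypothetical. */

#define NCHUNKS 8

typedef struct {
    int fd[NCHUNKS];   /* fd[i]: next free chunk after chunk i, or -1 for NULL */
    int top;           /* head of the bin (glibc's fastbin top), or -1 if empty */
} fastbin_t;

void fastbin_init(fastbin_t *bin) {
    for (int i = 0; i < NCHUNKS; i++) bin->fd[i] = -1;
    bin->top = -1;
}

/* Models the only double-free check glibc applies on the fastbin free path,
 * the one that aborts with "double free or corruption (fasttop)": the chunk
 * is rejected only if it is already the head of the bin.
 * Returns 0 on success, -1 if the check fires. */
int fastbin_free_fasttop(fastbin_t *bin, int p) {
    if (bin->top == p) return -1;
    bin->fd[p] = bin->top;
    bin->top = p;
    return 0;
}

/* Assumed hardened variant for comparison (not what glibc does): walk the
 * whole bin before linking, so a chunk that is anywhere in the list is
 * rejected no matter what was freed in between. */
int fastbin_free_checked(fastbin_t *bin, int p) {
    for (int cur = bin->top; cur != -1; cur = bin->fd[cur])
        if (cur == p) return -1;
    bin->fd[p] = bin->top;
    bin->top = p;
    return 0;
}

/* Pop the head, as malloc of a fastbin-sized request does. Returns -1 if empty. */
int fastbin_alloc(fastbin_t *bin) {
    int p = bin->top;
    if (p != -1) bin->top = bin->fd[p];
    return p;
}

/* Replays the page's sequence against the given free routine:
 * free(a), free(a) again, free(b), free(a) again, then malloc three times.
 * out[] receives the three allocations; the return value is how many of the
 * four frees were accepted. Chunk c from the page plays no part. */
int run_sequence(int (*do_free)(fastbin_t *, int), int out[3]) {
    fastbin_t bin;
    fastbin_init(&bin);
    int a = 0, b = 1;                    /* c would be index 2; it is never freed */
    int accepted = 0;
    accepted += do_free(&bin, a) == 0;
    accepted += do_free(&bin, a) == 0;   /* a is the head: both variants refuse this */
    accepted += do_free(&bin, b) == 0;   /* now b is the head ... */
    accepted += do_free(&bin, a) == 0;   /* ... so the fasttop check lets a through again */
    for (int i = 0; i < 3; i++) out[i] = fastbin_alloc(&bin);
    return accepted;
}

int main(void) {
    int out[3];
    int n = run_sequence(fastbin_free_fasttop, out);
    printf("fasttop check:   %d frees accepted, mallocs return %d %d %d\n", n, out[0], out[1], out[2]);
    n = run_sequence(fastbin_free_checked, out);
    printf("full-walk check: %d frees accepted, mallocs return %d %d %d\n", n, out[0], out[1], out[2]);
    return 0;
}
```

With the head-only check, three of the four frees are accepted and the three allocations come back as a, b, a, matching the `[ a, b, a ]` list the page prints; the bin at that point is actually cyclic (a -> b -> a -> b ...), which is why the model never walks it to count entries. With the full-walk variant the second free of a is refused even after free(b), and the third malloc finds the bin empty. Note that glibc's real free path for fastbin-sized chunks changed after the version in the output above: from glibc 2.26 a malloc(8) is normally served by tcache rather than a fastbin, and from 2.29 tcache entries carry a key field that makes free abort on a double free of the same chunk regardless of list position.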