Fastbin duplication Consolidation

黎 浩然/ 24 5 月, 2022/ PWN, 安全/SECURITY, 计算机/COMPUTER/ 0 comments

glibc-2.23

glibc分配大块内存时(512/1024 bytes)，fastbin中的块合并后会先进入unsortedbin，再进入smallbin或者largebin。

Source code:

void* p1 = malloc(0x40);
void* p2 = malloc(0x40);

free(p1); // enter unsortedbin, before smallbin

void* p3 = malloc(0x400);
free(p1); // trigger double free, p1 is also at fastbin

assert(malloc(0x40) == malloc(0x40))