Excuse the ads! We need some help to keep our site up.
"Fastbin duplicate" is an attack that exploits a list placed in fastbin.
If an application requests to free up redundant memory in the fastbin, the allocator will place those chunks in the list redundantly.
If you request multiple allocations of memory of the same size as a chunk that is registered as a duplicate, the allocator will return a pointer to that chunk as a duplicate.
- Such exploits are only possible with fastbin.
- For example, request malloc () three times to allocate 112 bytes of memory.
- When an application calls free() with a pointer to the first memory as an argument, the allocator places the chunk in fastbin.
- And when an application requests that the second memory be freed, the allocator places that chunk in the fd of the chunk placed in fastbin.
- If you request to release the first memory already freed, the chunk is placed at the end of the list in fastbin .
- In other words, the list of Fastbin  looks like "First memory (0x602000)-> Second memory (0x602080)-> First memory (0x602000)-> ...".
- The application requests malloc () to allocate the same size of memory as it is freed.
- In the first request, the memory placed last in Fastbin is reallocated.
- In the second request, the next memory is reallocated.
- In the third request, the same memory allocated in the first request is allocated.
- In other words, the application has the same pointer in the first and third memory.
- The following code asks malloc() three times for memory allocation of size 112 bytes.
- Request free() to free buf1, buf2 and then request to free buf1 again.
- Then, it requests malloc() three times to allocate a memory of size 112 bytes.
At 0x4005b7, we see that the memory placed in fastbin is placed again.
0x4005c6, 0x4005d4, and 0x4005e2 check the pointer returned by malloc().
- At the top of fastbins is the last freed memory (0x602080).
- The chunk's fd has a pointer(0x602000) of the previously freed memory.
- The fastbin list is 0x602080-> 0x602000.
- When buf1 (0x602000) is released, buf1 (0x602000) is placed on the top of fastbins .
- The fastbin list is 0x602000-> 0x602080-> 0x602000.
- Fastbin_dup implementation is now possible.
Requesting 112 bytes to malloc() will reallocate the memory(0x602010) on top of fastbinsY.
At the top of fastbinsY  is the next memory (0x602080).
In the last request, memory (0x602010) is reallocated, such as the first reallocated memory (0x602010).