Excuse the ads! We need some help to keep our site up.
House of Spirit
- _int_free() request misaligned_chunk() to check if the chunk's pointer to which the memory has been freed is a correctly aligned pointer.
- If the chunk's alignment is not correct, the process exits with a "free(): invalid pointer" message.
- _int_free() checks to see if the value stored in "size" of the chunk is less than MINSIZE and its value is a normal sorted value.
- If not normal, the process terminates with the message "free (): invalid size".
- _int_free() checks that the size of the chunk corresponds to fastbin and then checks that the value stored in size of the next chunk is normal under the following conditions.
- From the value stored in the "size" of the next chunk, remove all the used flag bits and verify that the value is less than or equal to 2 * SIZE_SZ.
- Then check that the value stored in the "size" of the next chunk is greater than or equal to the value of av-> system_mem.
- If the Arena is not locked, the value stored in av→system_mem may be false.
- Therefore, after locking the Arena, the value is checked again according to the conditions identified above.
- If the condition is met, the value stored in the size of the next chunk is abnormal, so it prints the message "free (): invalid next size (fast)" and terminates the process.
- If the above conditions are met, the chunk is a normal chunk, and the chunk is stored in fastbin.
- _int_free() does not check if a pointer to the passed chunk exists on the Stack.
- House of Spirit can be implemented if it is possible to write a fake chunk to the stack and call free() at an address of that stack plus 0x10.
- Write a Fake chunk for Fastbin on the stack and request malloc() for memory allocation.
- And if you call free() with the address of Fake chunk plus 0x10, a pointer to that chunk is stored in Fastbin.
- Calling malloc () with the size of the chunk returns a pointer to the fake chunk stored in Fastbin .
- The pointer is the memory of the stack area.
- For example, create a Fake chunk on the Stack with a Fake chunk "size" of 0x80 and the next chunk with a "size" value of 0x1000:
- Request malloc() for memory allocation of size 0x3e8(1000).
- Request free() to free the pointer to the fake chunk (0x7fffffffe3d0).
- Call malloc() for allocation of memory of size 0x70.
- The allocator reallocates and returns a pointer stored in fastbinsY.
- The returned memory is a stack area.
- This code is the same code as the previous example.
- After writing the fake chunks to the stack, it allocates memory by calling malloc().
- Then call free() to free the memory stored in ptr.
- Call malloc() again to allocate memory of size 0x70.
Check for fake chunks written to stack at 0x4006c0.
Check the heap space creation and arena value at 0x4006d8.
Free the fake chunk pointer at 0x4006f9 and see the change in fastbins.
Check the pointer returned from malloc() at 0x400708.
Save the size of the fake chunk(0x80) to the QWORD PTR[0x7fffffffe470-0xa8], and the size of the next chunk(0x1000) to the QWORD PTR[0x7fffffffe470-0xa8].
- Fake chunks have been created on the stack.
- The arena has only minimal information because it was not created in heap space before malloc () asked for memory allocation.
- After malloc() allocates memory, heap space is created and the values of Arena's flags, bins, system_mem, max_system_mem, etc. are initialized.
- Transfer a pointer to the Fake chunk (0x7fffffffe3d0) to free(), and when the memory is freed, the pointer to that chunk is placed at fastbinsY.
- Call malloc() with an argument of 0x70 for reallocating the chunk.
- Malloc() then reallocates the chunks placed at fastbinsY and returns a pointer(0x7fffffffe3d0).