Class Notes CPEG 476/676 Spring 2023

Heap Recap

OK just a reminder of everything:

View-After-Free (we can see what is inside a free'd chunk)
Use-After-Free (we can edit the contents of a free'd chunk)
double-free (we can free a previously free'd address)
overflow (we can edit more than intended thus walking from chunk A to chunk B meta data)
poison null-byte (the dev forgets that fgets adds a single null-byte so we overflow by a single 00 byte)

There are 64 of these (per thread) of size 0x20 up to size 0x410, each bin is a singly linked list

The linked lists are LIFO Last-in-First-out

There are also 64 counts at the top of each tcache struct which store how many chunks are in each bin

Once there are 7 chunks in a bin there will be no more added. Other things freed will go to fastbins or unsorted bin

There are 8 fastbins sized 0x20 to 0x90

They are stored in the main_arena

They are singly linked lists from main_arena to chunk to chunk etc

There is no limit to the number of chunks in a fastbin

BUT to fight fragmentation

they consolidate neighboring chunks and throw them into the unsorted bin now and again.

They also fill the tcache when possible.

The fastbin addresses are 16 bytes before the userdata.

Fastbins have two security checks:

You can't free the same chunk twice in a row
When you malloc from a fastbin the address needs to match the size of the bin you pulled from

doubly linked circular linked list from main_arena + 96 to chunk to chunk

Staging area for later sorting

After sorting the bins get put into Small or Large bins

We haven't dived too deeply into these yet.

After some office hours sessions I decided I needed to do a step-by-step of the tcache poisoning baseline.

I think the rough outline is there but maybe not the mechanics. So let's do this with a simple diagraming:

Head30->A->B is a way of saying this 0x30 chain points at A which points at B.