Fastbin Dups pt. 1

OK so we've implied this is coming 2-3 times so far, but it's time to deep dive.

I imagine this sequence of chats getting scattered over future lectures as it makes sense to tackle the next level of complexity with the fastbin dup iceberg looks roughly like this:

MODALITY 1 - Fastbin Dup as a write-what-where primitive
LEVEL 1 - fastbin protection 1 (all glibcs): old != p
The basic double-free and why it could always exist
The double-free makes a UAF therefore a Write-What-Where
(If you can read a chunk then you also get a heap leak)
LEVEL 2 - fastbin protection 2 (all glibcs): sizeofchunk matches bin index
Carefully choosing your target locations
The malloc_hook trick (glibcs < 2.34)
LEVEL 3 - Targeting a place you can control (like main_arena)
LEVEL 4 - fastbin/tcache protection 3 (glibcs > 2.31): (stored pointer) = (address of fd pointer >> 12) ^ (fd pointer)
(always nice) heap-based leaking strategies
MODALITY 2 - Double Free via Consolidation
MODALITY 3 - Reverse into tcache

Level 1: standard double-free in all glibcs

The essence of this exploit is free(A) free(B) free(A) in the fastbins.

So this is an exploit of fastbins. We need to get past the tcache bins by filling them in the size we want to attack.

General strategy is therefore to malloc 9 chunks, free 7 of them, then free(A) free(B) free(A) and see that the double free happened.

Here is a working demo in glibc 2.34 with no protections:

Let's do this together and trace the gdb and get to see fastbin -> A -> B -> A

Why this might always be with us

Take a look at the malloc.c snippet that protects this double-free:

Now imagine a million chunks in this fastbin. What strategies could you devise to prevent the double-free?

Do any of them avoid a cost of O(n)?

Fastbin Dups pt. 1

Helper Script for the Heap Playground

Level 1: standard double-free in all glibcs

Why this might always be with us

malloc_hook