Heap overflow: last year I spent a month of spare time on it and only half understood it; this year it took another two months of spare time before I really worked it out. It is fairly complicated.
https://github.com/shellphish/how2heap/blob/master/glibc_2.31/unsafe_unlink.c
printf("We setup the 'next_free_chunk' (fd) of our fake chunk to point near to &chunk0_ptr so that P->fd->bk = P.\n");
chunk0_ptr[2] = (uint64_t) &chunk0_ptr-(sizeof(uint64_t)*3);
printf("We setup the 'previous_free_chunk' (bk) of our fake chunk to point near to &chunk0_ptr so that P->bk->fd = P.\n");
printf("With this setup we can pass this check: (P->fd->bk != P || P->bk->fd != P) == False\n");
chunk0_ptr[3] = (uint64_t) &chunk0_ptr-(sizeof(uint64_t)*2);
These two statements are hard to follow, so here is a diagram.
chunk0_ptr serves as fake_chunk
chunk0_ptr[1] is the size field of fake_chunk
chunk0_ptr[2] is the fd field of fake_chunk
chunk0_ptr[3] is the bk field of fake_chunk
The two lines that must be understood are:
chunk0_ptr[2] = (uint64_t) &chunk0_ptr-(sizeof(uint64_t)*3);
chunk0_ptr[3] = (uint64_t) &chunk0_ptr-(sizeof(uint64_t)*2);
You need to know the principle behind unlink: the check requires fake_chunk->fd->bk = fake_chunk
and fake_chunk->bk->fd = fake_chunk.
chunk0_ptr[2] is the fd; it has to be set so that the condition fake_chunk->fd->bk = fake_chunk holds.
fake_chunk->fd must be viewed as a whole, as another chunk: its chunk address must be &fake_chunk - 3, so that its ->bk, which sits three pointer-widths in, lands exactly on &fake_chunk, and the condition is satisfied.
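To make the pointer arithmetic concrete, here is an added example (not from how2heap or this post) that models the unlink consistency check on a local copy of the chunk header layout, builds the fake chunk with the two quoted lines, and shows that only the 3-words/2-words offsets satisfy the check. The global g.chunk0_ptr and the padding words around it are assumptions of this model, chosen so every read stays inside the program's own objects.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Header layout of a 64-bit glibc malloc_chunk; used here only for field offsets. */
struct chunk {
    uint64_t prev_size;
    uint64_t size;
    uint64_t fd;   /* forward pointer in the free list */
    uint64_t bk;   /* backward pointer in the free list */
};

/* Read one 8-byte word at an arbitrary address (memcpy avoids aliasing issues). */
static uint64_t load64(uintptr_t addr) {
    uint64_t v;
    memcpy(&v, (const void *)addr, sizeof v);
    return v;
}

/* The consistency check glibc runs in unlink_chunk(); a chunk that fails it aborts
   with "corrupted double-linked list". Returns 1 when chunk P passes. */
int unlink_check_passes(uintptr_t p) {
    uintptr_t fd = load64(p + offsetof(struct chunk, fd));
    uintptr_t bk = load64(p + offsetof(struct chunk, bk));
    return !(load64(fd + offsetof(struct chunk, bk)) != p ||
             load64(bk + offsetof(struct chunk, fd)) != p);
}

/* chunk0_ptr stands in for the global of the same name in the quoted program. The
   padding keeps the two chunk views overlapping it (&chunk0_ptr - 24 and
   &chunk0_ptr - 16) inside this object, so the reads above stay in bounds. */
static struct {
    uint64_t pad_before[3];
    uint64_t *chunk0_ptr;
    uint64_t pad_after[3];
} g;

static uint64_t fake_storage[4];  /* constructed stand-in for chunk0's user data */

/* Build the fake chunk with fd/bk pointing fd_back/bk_back words below &chunk0_ptr
   (the quoted lines use 3 and 2) and report whether the unlink check accepts it. */
int check_with_offsets(unsigned fd_back, unsigned bk_back) {
    g.chunk0_ptr = fake_storage;
    g.chunk0_ptr[1] = 0x20;                                                  /* fake size */
    g.chunk0_ptr[2] = (uint64_t)(uintptr_t)&g.chunk0_ptr - sizeof(uint64_t) * fd_back; /* fd */
    g.chunk0_ptr[3] = (uint64_t)(uintptr_t)&g.chunk0_ptr - sizeof(uint64_t) * bk_back; /* bk */
    return unlink_check_passes((uintptr_t)g.chunk0_ptr);
}

int main(void) {
    printf("fd = &chunk0_ptr - 3 words, bk = -2 words: %s\n", check_with_offsets(3, 2) ? "passes" : "fails");
    printf("fd = -2 words, bk = -3 words (swapped):    %s\n", check_with_offsets(2, 3) ? "passes" : "fails");
    return 0;
}
```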
tcache has at most 64 bins (similar to hash slots), and each bin holds at most 7 chunks.
chunksizes from 24 to 1032 (12 to 516 on x86) bytes, in 16 (8 on x86) byte increments