Safe-Linking is only used for fastbins and tcaches

[zhouzq-thu]

1. Safe-Linking is only used for fastbins and tcaches

Ref: https://elixir.bootlin.com/glibc/glibc-2.35/source/malloc/malloc.c#L340

But the implementation uses safe-linking on all bins.

gef/gef.py

Line 1577 in 2e0115d

def protect_ptr(self, pos: int, pointer: int) -> int:

gef/gef.py

Line 1584 in 2e0115d

def reveal_ptr(self, pointer: int) -> int:

Failure example:

gef➤  heap bins
──────────────────────────────────────────────────────────────────────────── Tcachebins for thread 1 ────────────────────────────────────────────────────────────────────────────
All tcachebins are empty
───────────────────────────────────────────────────────────────────── Fastbins for arena at 0x7ffff7fa6c80 ─────────────────────────────────────────────────────────────────────
Fastbins[idx=0, size=0x20] 0x00
Fastbins[idx=1, size=0x30] 0x00
Fastbins[idx=2, size=0x40] 0x00
Fastbins[idx=3, size=0x50] 0x00
Fastbins[idx=4, size=0x60] 0x00
Fastbins[idx=5, size=0x70] 0x00
Fastbins[idx=6, size=0x80] 0x00
─────────────────────────────────────────────────────────────────── Unsorted Bin for arena at 0x7ffff7fa6c80 ───────────────────────────────────────────────────────────────────
[+] unsorted_bins[0]: fw=0x55555555a0f0, bk=0x555555559290
[!] Command 'heap bins unsorted' failed to execute properly, reason: Cannot access memory at address 0x55500000cd9a
──────────────────────────────────────────────────────────────────── Small Bins for arena at 0x7ffff7fa6c80 ────────────────────────────────────────────────────────────────────
[+] Found 0 chunks in 0 small non-empty bins.
──────────────────────────────────────────────────────────────────── Large Bins for arena at 0x7ffff7fa6c80 ────────────────────────────────────────────────────────────────────
[+] Found 0 chunks in 0 large non-empty bins.

2. In fact the unsorted_bin is empty, but

gef➤  heap bins
──────────────────────────────────────────────────────────────────────────── Tcachebins for thread 1 ────────────────────────────────────────────────────────────────────────────
All tcachebins are empty
───────────────────────────────────────────────────────────────────── Fastbins for arena at 0x7ffff7fa6c80 ─────────────────────────────────────────────────────────────────────
Fastbins[idx=0, size=0x20] 0x00
Fastbins[idx=1, size=0x30] 0x00
Fastbins[idx=2, size=0x40] 0x00
Fastbins[idx=3, size=0x50] 0x00
Fastbins[idx=4, size=0x60] 0x00
Fastbins[idx=5, size=0x70] 0x00
Fastbins[idx=6, size=0x80] 0x00
─────────────────────────────────────────────────────────────────── Unsorted Bin for arena at 0x7ffff7fa6c80 ───────────────────────────────────────────────────────────────────
[+] unsorted_bins[0]: fw=0x7ffff7fa6ce0, bk=0x7ffff7fa6ce0
 →   Chunk(addr=0x7ffff7fa6cf0, size=0x0, flags=PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)
[+] Found 1 chunks in unsorted bin.
──────────────────────────────────────────────────────────────────── Small Bins for arena at 0x7ffff7fa6c80 ────────────────────────────────────────────────────────────────────
[+] Found 0 chunks in 0 small non-empty bins.
──────────────────────────────────────────────────────────────────── Large Bins for arena at 0x7ffff7fa6c80 ────────────────────────────────────────────────────────────────────
[+] Found 0 chunks in 0 large non-empty bins.

Both examples use Glibc-2.35.

3. The malloc_state struct is wrong!

gef/gef.py

Line 1267 in 2e0115d

def malloc_state_t() -> Type[ctypes.Structure]:

"have_fastchunks" is behind "flags", see https://elixir.bootlin.com/glibc/glibc-2.27/source/malloc/malloc.c#L1684

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. You can reopen it by adding a comment to this issue.