
bug in heap command #568

matrix1001 opened this Issue Nov 7, 2018 · 3 comments



matrix1001 commented Nov 7, 2018


Bug of command heap

Steps to reproduce

This bug is due to a strange alignment strategy in newer versions of 32-bit glibc.

In a nutshell, the first 16 bytes of the heap are 0 in glibc-2.26 (32-bit) and glibc-2.27 (32-bit).

As a result, while parsing the heap, the first chunk has size 0 and triggers a stop.

My setup

No need for setup, just check those two glibc versions.


My fix

The fix is really easy: just ignore the first chunk if its size is 0.

disconnect3d changed the title from "bug of command heap" to "bug in heap command" Nov 8, 2018



disconnect3d commented Nov 8, 2018

I believe the reason for this is the thread cache and that a lot of bytes in there belong to tcache_perthread_struct, see #552 (comment)

The tcache_perthread_struct structure layout can be seen here - ; it starts with char[64] and then has tcache_entry*[64].



matrix1001 commented Nov 8, 2018

I doubt that.

Check this (32-bit libc-2.26).


So I believe the reason is _int_malloc.

And a bug view.

pwndbg> heap
0x5655a000 {
  mchunk_prev_size = 0,
  mchunk_size = 0,
  fd = 0x0,
  bk = 0x151,
  fd_nextsize = 0x0,
  bk_nextsize = 0x0
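An added example (not pwndbg's own code) of the fix the issue proposes: a minimal 32-bit chunk walker that treats a zero-size header at the very start of the heap as alignment padding and steps over it instead of stopping. The heap image is constructed from the values in the dump above; the user chunk and top chunk sizes, and the `parse_heap` name, are assumptions.

```python
import struct

PTR = 4            # 32-bit glibc: size_t / pointers are 4 bytes
HDR = 2 * PTR      # chunk header: prev_size + size
SIZE_BITS = 0x7    # PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA


def parse_heap(mem, base, skip_leading_zero=True):
    """Walk the malloc chunks in `mem`, the raw bytes of a 32-bit heap whose
    first byte lives at address `base`. Returns (addr, size, flags) tuples.

    skip_leading_zero=False reproduces the behaviour reported in the issue:
    the alignment padding at the heap start looks like a chunk of size 0, so
    the walk stops before the real first chunk and nothing is reported.
    """
    chunks = []
    off = 0
    while off + HDR <= len(mem):
        _prev_size, size_field = struct.unpack_from("<II", mem, off)
        size = size_field & ~SIZE_BITS
        flags = size_field & SIZE_BITS
        if size == 0:
            if skip_leading_zero and not chunks:
                # No real chunk seen yet: a zero-size header slot here is the
                # padding newer 32-bit glibc inserts so that user pointers are
                # 16-byte aligned with an 8-byte chunk header. Step over it.
                off += HDR
                continue
            break  # a zero-size chunk cannot be walked further
        chunks.append((base + off, size, flags))
        off += size
    return chunks


# Constructed 32-bit heap image based on the dump in the issue: 8 zero bytes,
# then the tcache_perthread_struct chunk (size field 0x151 = 0x150 | PREV_INUSE),
# then an assumed 0x20-byte user chunk and an assumed top chunk.
BASE = 0x5655A000
HEAP = struct.pack("<II", 0, 0)
HEAP += struct.pack("<II", 0, 0x151) + b"\x00" * (0x150 - HDR)
HEAP += struct.pack("<II", 0, 0x21) + b"A" * (0x20 - HDR)
HEAP += struct.pack("<II", 0, 0x20E89)

if __name__ == "__main__":
    print("buggy walk:", parse_heap(HEAP, BASE, skip_leading_zero=False))
    for addr, size, flags in parse_heap(HEAP, BASE):
        print(f"{addr:#x}: size={size:#x} prev_inuse={flags & 1}")
```

The buggy walk returns an empty list, which is why the command in the dump shows only the padding at 0x5655a000 and nothing after it.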

disconnect3d added a commit that referenced this issue Feb 27, 2019

bug in heap command #568 (fix) (#571)
* add support of PIE for r2

* Update

API update

* fix bug in command heap

* Update


disconnect3d commented Mar 5, 2019

I believe it was fixed with #571
