
bug in heap command #568

Closed
matrix1001 opened this Issue Nov 7, 2018 · 3 comments

matrix1001 (Contributor) commented Nov 7, 2018

Description

Bug in the heap command.

Steps to reproduce

This bug is due to a strange alignment strategy in newer versions of 32-bit glibc.

In a nutshell, the first 16 bytes of the heap are 0 in glibc-2.26 (32-bit) and glibc-2.27 (32-bit).

As a result, while parsing the heap, the first chunk has size 0 and triggers a stop.

My setup

No need for setup, just check those two glibc versions.

[image: screenshot]

My fix

The fix is really easy: just ignore the first chunk if its size is 0.

@disconnect3d disconnect3d changed the title bug of command heap bug in heap command Nov 8, 2018

disconnect3d (Member) commented Nov 8, 2018

I believe the reason for this is the thread cache, and that a lot of bytes in there belong to tcache_perthread_struct; see #552 (comment).

The tcache_perthread_struct layout can be seen here: https://github.com/bminor/glibc/blob/master/malloc/malloc.c#L2898-L2902 . It starts with char[64] and then has tcache_entry*[64].

matrix1001 (Contributor, Author) commented Nov 8, 2018

I doubt that.

Check this (32-bit libc-2.26).

[image: 32-bit libc-2.26 screenshot]

So I believe the reason is _int_malloc.

And a view of the bug:

pwndbg> heap
0x5655a000 {
  mchunk_prev_size = 0,
  mchunk_size = 0,
  fd = 0x0,
  bk = 0x151,
  fd_nextsize = 0x0,
  bk_nextsize = 0x0
}
pwndbg>
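The walk the report describes, as an added example that is not pwndbg's code nor the fix merged in #571. It builds a constructed 32-bit heap image in which the size field read at the heap base is 0 and the real first chunk header (size 0x151) sits 8 bytes further in, so the 0x151 lands at offset 12, matching the bk = 0x151 in the pwndbg output above. The walker then shows both behaviours: stopping at once, as the issue reports, or skipping a leading zero-size chunk by one header as the reporter proposes. The base address is taken from the dump; the chunk sizes and contents are made up. The 0x150 size is consistent with a request of 64 + 64*4 = 0x140 bytes (the tcache_perthread_struct layout disconnect3d points to) rounded up under 16-byte alignment, but that arithmetic is an inference here, not something the thread states.

```python
import struct

PTR = 4                      # 32-bit target, as in the libc-2.26/2.27 i386 case reported
HEADER = 2 * PTR             # prev_size + size
SIZE_BITS = 0x7              # PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA live in the low bits
HEAP_BASE = 0x5655a000       # address from the dump in the thread; only used for display


def build_sample_heap():
    """Constructed 32-bit heap image (not a real dump).

    Layout: 8 bytes of zero padding, then the tcache chunk (0x151 = 0x150 |
    PREV_INUSE), a 0x20-byte in-use chunk, and the start of the top chunk.
    A walker that starts at offset 0 reads prev_size=0, size=0 and only sees
    0x151 at offset 12, which is the bk slot of the bogus first chunk above.
    """
    heap = bytearray()
    heap += b"\x00" * 8                        # padding before the first real chunk
    heap += struct.pack("<II", 0, 0x151)       # tcache_perthread_struct chunk header
    heap += b"\x00" * (0x150 - HEADER)         # its body (counts + entry pointers, all zero here)
    heap += struct.pack("<II", 0, 0x21)        # a small in-use chunk
    heap += b"A" * (0x20 - HEADER)             # made-up user data
    heap += struct.pack("<II", 0, 0x20e81)     # top chunk header; body deliberately truncated
    heap += b"\x00" * 0x100
    return bytes(heap)


def walk_heap(mem, base=HEAP_BASE, skip_leading_zero=True):
    """Walk malloc chunks from the heap base; returns [(addr, size, prev_inuse)].

    skip_leading_zero=False reproduces the behaviour the issue reports: a
    size field of 0 at the base ends the walk before any chunk is listed.
    skip_leading_zero=True steps over a zero-size chunk at the very start by
    one header (8 bytes on 32-bit) and continues from the real first chunk,
    which is the fix the reporter proposes.
    """
    chunks = []
    off = 0
    first = True
    while off + HEADER <= len(mem):
        _prev_size, raw = struct.unpack_from("<II", mem, off)
        size = raw & ~SIZE_BITS
        if size == 0:
            if first and skip_leading_zero:
                first = False
                off += HEADER
                continue
            break                              # zero size mid-heap: corruption or end of data
        first = False
        chunks.append((base + off, size, bool(raw & 1)))
        if off + size > len(mem):              # top chunk extends past the captured bytes
            break
        off += size
    return chunks


def format_chunks(chunks):
    """Render the walk in a one-line-per-chunk form for a quick eyeball check."""
    return "\n".join(f"{addr:#x}: size={size:#x} prev_inuse={int(pi)}"
                     for addr, size, pi in chunks)


if __name__ == "__main__":
    mem = build_sample_heap()
    print("without skip:", walk_heap(mem, skip_leading_zero=False))
    print("with skip:")
    print(format_chunks(walk_heap(mem)))
```

The skip is deliberately limited to the first chunk: a zero size anywhere else still stops the walk, since that usually means the heap is corrupted or the captured range has run out, and silently stepping over it would hide exactly the state a heap inspector exists to show.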

disconnect3d added a commit that referenced this issue Feb 27, 2019

bug in heap command #568 (fix) (#571)
* add support of PIE for r2

* Update radare2.py

API update

* fix bug in command heap

* Update heap.py

disconnect3d (Member) commented Mar 5, 2019

I believe it was fixed with #571.
