Understanding heap bins


While a program is running, ptmalloc uses the bins structure to manage freed heap chunks, so that fewer memory requests have to be made to the operating system and allocation becomes faster.

Chunk Data Structure

All heap chunks handed out by the allocator use the same data structure, malloc_chunk, but its layout differs slightly between the in-use and free states.

    chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            |             Size of previous chunk, if unallocated (P clear)  |
            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            |             Size of chunk, in bytes                     |A|M|P|
      mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            |             User data starts here...                          .
            .                                                               .
            .             (malloc_usable_size() bytes)                      .
            .                                                               |
nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            |             (size of chunk, but used for application data)    |
            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            |             Size of next chunk, in bytes                |A|0|1|
            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The above is the structure of a chunk returned by malloc. The first two size_t fields are the chunk header. The first holds the size of the physically adjacent previous chunk (only if that chunk is free; if it is in use, these bytes belong to the previous chunk's user data), and the second holds the size of this chunk. Because chunk sizes are always aligned to 2 * size_t (8 bytes on 32-bit, 16 bytes on 64-bit), the low three bits of the size field are always zero and are used as three flag bits:

  • A: NON_MAIN_ARENA, records whether the chunk belongs to an arena other than the main arena. 1 means it does not belong to the main arena, 0 means it does.
  • M: IS_MMAPPED, records whether the chunk was allocated directly with mmap.
  • P: PREV_INUSE, records whether the physically previous chunk is in use (allocated).

After a chunk is freed, its user data area is reused for the linked-list pointers of the bin it is placed in. Its structure is then as follows:

    chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            |             Size of previous chunk, if unallocated (P clear)  |
            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    `head:' |             Size of chunk, in bytes                     |A|0|P|
      mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            |             fd                                                |
            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            |             bk                                                |
            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            |             (fd_nextsize)                                     |
            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            |             (bk_nextsize)                                     |
            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            |             Unused space (may be 0 bytes long)                .
            .                                                               .
            .                                                               |
nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    `foot:' |             Size of chunk, in bytes                           |
            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            |             Size of next chunk, in bytes                |A|0|0|
            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  • fd and bk point to the next and the previous chunk in the bin's linked list (not to physically adjacent chunks): fd points towards the chunk that entered the bin before this one, bk towards the one that entered later.
  • Fastbin chunks use only the fd pointer; fastbins are maintained as singly linked lists.
  • fd_nextsize and bk_nextsize exist only for chunks in large bins (a chunk that is not large does not need them, and may not even have room for them). They point to the next chunk of a different size in either direction of the size-sorted list, so that a search can skip over runs of equal-sized chunks.
Fastbin

Chunks whose size is small (no larger than max_fast) are not coalesced with their neighbours when freed; they are simply put into the fastbin for their size.

max_fast:

On a 32-bit system the default fastbin chunk sizes range from 16 to 64 bytes;

On a 64-bit system the default fastbin chunk sizes range from 32 to 128 bytes.

The fastbins are an array (fastbinsY) in main_arena. Each element is the head of the list of free chunks of one specific size and points to the chunk most recently freed into that fastbin.

A fastbin is a singly linked list.

After free(), the chunk pointed to by the freed pointer is "hung" under the fastbin entry for its size, so that the next allocation of that size is served quickly. (I used to save the freed pointer instead of calling free, so I wasted a lot of time and felt bad about my countless TLE tasks.)

When allocating, the allocator first checks whether there is a free chunk under the fastbin entry for the requested size. If there is, it is removed and returned directly, and the list head is updated from the chunk's fd pointer to keep the singly linked list intact.

  1. In a fastbin entry, both adding a freed chunk and taking a chunk out for allocation operate on the head of the list (LIFO):
    • When a chunk is freed it is linked in at the head. For example, freeing chunk3 puts chunk3 at the head, and chunk3->fd points to chunk1, which was previously nearest the bin; the process is a bit like protein translation.
    • When allocating, if the entry for that size is non-empty, the reverse of that process happens: chunk3 is taken out and the bin head is set to chunk3->fd, that is, chunk1.
  2. For malloc(n), the chunk actually allocated has size (n + SIZE_SZ) rounded up to the alignment, never below the minimum chunk size: on 32-bit x86 this is (n + 4) aligned to 8, with a 16-byte minimum; on x86-64 it is (n + 8) aligned to 16, with a 32-byte minimum.
    • The chunk begins at the prev_size field. When the physically adjacent previous chunk is free, prev_size holds its size; otherwise those bytes can hold the previous chunk's data. Next comes the size field. Because every chunk size is a multiple of 8 (16 on 64-bit), the low three bits of the size field are always zero and are used as the three flag bits.
    • The pointer malloc returns is mem, the start of the user-usable area.
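The rules above are easier to check in code. The following is an added example written for this article, not code from the original post or from glibc: toy_malloc, toy_free, the static arena buffer and the fastbinsY array are a deliberately simplified re-implementation of the chunk header, the request2size rounding and the fastbin LIFO behaviour for x86-64 sizes, and main additionally reads the real size field of a glibc chunk (a glibc-specific read one word before the returned pointer, done only for comparison).

```c
/* Model of ptmalloc chunk headers and fastbin LIFO handling, x86-64 sizes.
 * Added example for this article, not code from the original post or from
 * glibc: the arena buffer, carving and fastbin lists are a simplified
 * re-implementation written to illustrate the text. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define SIZE_SZ           sizeof(size_t)          /* 8 on x86-64, 4 on x86 */
#define MALLOC_ALIGNMENT  (2 * SIZE_SZ)           /* 16 on x86-64 */
#define MALLOC_ALIGN_MASK (MALLOC_ALIGNMENT - 1)
#define MIN_CHUNK_SIZE    (4 * SIZE_SZ)           /* prev_size, size, fd, bk */
#define PREV_INUSE        0x1                     /* P: previous chunk in use */
#define IS_MMAPPED        0x2                     /* M: chunk came from mmap */
#define NON_MAIN_ARENA    0x4                     /* A: chunk not in main_arena */
#define SIZE_BITS         (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)
#define DEFAULT_MXFAST    (64 * SIZE_SZ / 4)      /* 128 on x86-64, 64 on x86 */
#define NFASTBINS         (DEFAULT_MXFAST / MALLOC_ALIGNMENT - 1)

struct malloc_chunk {
    size_t prev_size;        /* size of previous chunk, valid only if P is clear */
    size_t size;             /* chunk size with A|M|P in the low three bits */
    struct malloc_chunk *fd; /* overlays the user data once the chunk is freed */
    struct malloc_chunk *bk; /* unused by fastbins (singly linked) */
};

#define chunk2mem(p) ((void *)((char *)(p) + 2 * SIZE_SZ))
#define mem2chunk(m) ((struct malloc_chunk *)((char *)(m) - 2 * SIZE_SZ))

/* request2size: (n + SIZE_SZ) rounded up to MALLOC_ALIGNMENT, at least MIN_CHUNK_SIZE */
size_t request2size(size_t n)
{
    size_t sz = (n + SIZE_SZ + MALLOC_ALIGN_MASK) & ~(size_t)MALLOC_ALIGN_MASK;
    return sz < MIN_CHUNK_SIZE ? MIN_CHUNK_SIZE : sz;
}

size_t chunk_size(void *mem)    { return mem2chunk(mem)->size & ~(size_t)SIZE_BITS; }
size_t chunk_flags(void *mem)   { return mem2chunk(mem)->size & SIZE_BITS; }
size_t fastbin_index(size_t sz) { return (sz >> 4) - 2; }   /* one list per 16-byte class */

/* Toy arena: a buffer carved sequentially (stand-in for the top chunk) and the
 * fastbin heads, the model of main_arena.fastbinsY. */
static _Alignas(16) unsigned char arena[4096];
static size_t arena_used;
static struct malloc_chunk *fastbinsY[NFASTBINS];

void *toy_malloc(size_t n)
{
    size_t sz = request2size(n);
    if (sz <= DEFAULT_MXFAST) {
        struct malloc_chunk **head = &fastbinsY[fastbin_index(sz)];
        if (*head) {                        /* pop the most recently freed chunk */
            struct malloc_chunk *victim = *head;
            *head = victim->fd;             /* head now points at the older chunk */
            return chunk2mem(victim);
        }
    }
    if (arena_used + sz > sizeof arena) return NULL;
    struct malloc_chunk *p = (struct malloc_chunk *)(arena + arena_used);
    arena_used += sz;
    p->size = sz | PREV_INUSE;              /* the chunk below it is in use */
    return chunk2mem(p);
}

void toy_free(void *mem)
{
    struct malloc_chunk *p = mem2chunk(mem);
    size_t sz = chunk_size(mem);
    if (sz <= DEFAULT_MXFAST) {             /* push at the head: chunk->fd = old head */
        struct malloc_chunk **head = &fastbinsY[fastbin_index(sz)];
        p->fd = *head;
        *head = p;
        /* size field and the next chunk's P bit are left alone: fastbin chunks
         * are never coalesced, which is what makes them fast */
    }
    /* larger chunks would go to the unsorted bin; not modelled here */
}

/* free c1, c2, c3, then allocate the same size three times: comes back c3, c2, c1 */
int fastbin_is_lifo(void)
{
    void *c1 = toy_malloc(24), *c2 = toy_malloc(24), *c3 = toy_malloc(24);
    toy_free(c1); toy_free(c2); toy_free(c3);
    int links_ok = mem2chunk(c3)->fd == mem2chunk(c2) &&
                   mem2chunk(c2)->fd == mem2chunk(c1) && mem2chunk(c1)->fd == NULL;
    int order_ok = toy_malloc(24) == c3 && toy_malloc(24) == c2 && toy_malloc(24) == c1;
    return links_ok && order_ok;
}

int main(void)
{
    void *real = malloc(128);                           /* a real glibc chunk, for comparison */
    size_t hdr = *(size_t *)((char *)real - SIZE_SZ);   /* glibc-specific header read */
    printf("model  request2size(128) = %#zx\n", request2size(128));
    printf("glibc  size field        = %#zx  (flags %#zx)\n",
           hdr & ~(size_t)SIZE_BITS, hdr & SIZE_BITS);
    printf("fastbin LIFO in model: %s\n", fastbin_is_lifo() ? "yes" : "no");
    free(real);
    return 0;
}
```

request2size(128) evaluates to 0x90, which is why the size fields of the 128-byte chunks in the pwndbg output later in this post read 0x91 (0x90 with P set). What the model leaves out: real glibc also relies on the next chunk's P bit staying set for fastbin chunks, and from glibc 2.26 on these sizes are routed through tcache before the fastbins are consulted.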
Unsorted Bin

The unsorted bin acts as a buffer between freeing and allocating chunks. How the unsorted bin is used during malloc and free was covered in "Malloc & free profiling"; here we look at how the unsorted bin works at a more microscopic level.

Main_arena

main_arena, the main allocation arena, is a static global variable in libc that holds the state used to manage heap chunks.

The fastbin array (fastbinsY), the top chunk pointer (top) and the bins array all live in this structure.

The unsorted bin pointers are the first two entries of bins. ptmalloc has NBINS = 128 bin indices, and every bin occupies two consecutive slots of the bins array (its fd and bk), so the array holds NBINS * 2 - 2 = 254 pointers:

  • bins[0] and bins[1] are the unsorted bin (bin index 1).
  • bins[2] to bins[125] are the 62 small bins (bin indices 2 to 63), one for each 16-byte chunk size on 64-bit (8-byte on 32-bit).
  • bins[126] onwards are the large bins (bin indices 64 to 126); index 127 is unused.
Unsorted Bin

The following program is used to look at how each pointer of the unsorted bin changes as chunks are freed and allocated. (The debugger output below was captured on a glibc without tcache, i.e. older than 2.26. On newer glibc, chunks of this size are cached in tcache first and never reach the unsorted bin; to reproduce the same picture, run the binary with GLIBC_TUNABLES=glibc.malloc.tcache_count=0, or free seven chunks of the same size beforehand so that the tcache bin is full.)

#include <stdio.h>
#include <stdlib.h>

int main()
{
    void *a, *b, *c, *d, *e;
    a = malloc(128);
    b = malloc(128);
    c = malloc(128);
    d = malloc(128);
    e = malloc(128);
    printf("a >> %p\nb >> %p\nc >> %p\nd >> %p\ne >> %p\n", a, b, c, d, e);
    puts("free d and b, remember the bins");
    free(d);
    free(b);
    //puts("free c,look at the unsorted bin");
    //free(c);
    puts("malloc(128) again, what will happen?");
    void *newd = malloc(128);
    printf("new d -> %p\n", newd);
    return 0;
}
// build (x64):
// gcc -o unsortedbin ./test_unsorted.c -no-pie

Running it prints the addresses of the five allocated chunks. Because malloc returns the pointer to the user data, all of these addresses point at usrdata; subtract 0x10 (on 64-bit) to get the address of the chunk header. c and e are allocated only so that neither b nor d is adjacent to another free chunk or to the top chunk; otherwise they would be coalesced on free instead of going into the unsorted bin.

a >> 0x602010
b >> 0x6020a0
c >> 0x602130
d >> 0x6021c0
e >> 0x602250

  1. Before free

    bins[0] and bins[1] can be seen as the fd and bk pointers of the unsorted bin. When the unsorted bin is empty, both point at the bin head itself, which pwndbg shows as main_arena+88: that is the address of the top field, because the bin head is a fake chunk laid out so that its fd and bk fields fall exactly on bins[0] and bins[1].

    CTF Wiki is not accurate about the process and the principle behind it: the unsorted bin list head is not a malloc_chunk struct; rather, the first two entries of bins in the main_arena variable are its fd and bk pointers respectively, and the position is not prev_size but top in main_arena, where top points to the top chunk. This is my understanding; if there is an error, please point it out.

  2. Free (d)

    pwndbg> unsortedbin
    unsortedbin
    all: 0x6021b0 —▸ 0x7ffff7dd3b58 (main_arena+88) —▸ 0x6021b0 ◂— 0x7ffff7dd3b58
    pwndbg> p main_arena
    $2 = {
      mutex = 0,
      flags = 1,
      fastbinsY = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
      top = 0x6026e0,
      last_remainder = 0x0,
      bins = {0x6021b0, 0x6021b0, 0x7ffff7dd3b68 <main_arena+104>, 0x7ffff7dd3b68 <main_arena+104>...
    pwndbg> telescope 0x6021b0
    00:0000│   0x6021b0 ◂— 0x0
    01:0008│   0x6021b8 ◂— 0x91
    02:0010│   0x6021c0 —▸ 0x7ffff7dd3b58 (main_arena+88) —▸ 0x6026e0 ◂— 0x0
    ... ↓

    At this point both pointers of the unsorted bin point to the freed d, and d's fd and bk both point back at the bin head (main_arena+88, the location of top).

  3. Free (B)

    pwndbg> p main_arena
    $3 = {
      mutex = 0,
      flags = 1,
      fastbinsY = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
      top = 0x6026e0,
      last_remainder = 0x0,
      bins = {0x602090, 0x6021b0, 0x7ffff7dd3b68 <main_arena+104>,...
    pwndbg> unsortedbin
    unsortedbin
    all: 0x602090 —▸ 0x6021b0 —▸ 0x7ffff7dd3b58 (main_arena+88) —▸ 0x602090 ◂— 0x6021b0
    pwndbg> telescope 0x602090
    00:0000│   0x602090 ◂— 0x0
    01:0008│   0x602098 ◂— 0x91
    02:0010│   0x6020a0 —▸ 0x6021b0 ◂— 0x0
    03:0018│   0x6020a8 —▸ 0x7ffff7dd3b58 (main_arena+88) —▸ 0x6026e0 ◂— 0x0
    04:0020│   0x6020b0 ◂— 0x0
    ... ↓
    pwndbg> telescope 0x6021b0
    00:0000│   0x6021b0 ◂— 0x0
    01:0008│   0x6021b8 ◂— 0x91
    02:0010│   0x6021c0 —▸ 0x7ffff7dd3b58 (main_arena+88) —▸ 0x6026e0 ◂— 0x0
    03:0018│   0x6021c8 —▸ 0x602090 ◂— 0x0
    04:0020│   0x6021d0 ◂— 0x0

    The newly freed b is attached at the head of the unsorted bin. The pointer relationships are now: bins[0] (fd of the bin) = b, bins[1] (bk of the bin) = d, b->fd = d, b->bk = bin head, d->fd = bin head, d->bk = b.

  4. Malloc (128)

    pwndbg> p main_arena
    $4 = {
      mutex = 0,
      flags = 1,
      fastbinsY = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
      top = 0x6026e0,
      last_remainder = 0x0,
      bins = {0x602090, 0x602090, 0x7ffff7dd3b68 <main_arena+104>, ...
    pwndbg> unsortedbin
    unsortedbin
    all: 0x602090 —▸ 0x7ffff7dd3b58 (main_arena+88) —▸ 0x602090 ◂— 0x7ffff7dd3b58
    pwndbg> telescope 0x602090
    00:0000│   0x602090 ◂— 0x0
    01:0008│   0x602098 ◂— 0x91
    02:0010│   0x6020a0 —▸ 0x7ffff7dd3b58 (main_arena+88) —▸ 0x6026e0 ◂— 0x0
    ... ↓
    04:0020│   0x6020b0 ◂— 0x0

    Now the unsorted bin holds only one chunk, and the pointer layout is the same as after free(d). But it is b that stays in the bin and d that has been allocated again: the unsorted bin follows the FIFO principle, and the chunk that entered first is handed out first when its size fits. The allocator achieves this by scanning the list from the bk side (bins[1]), i.e. from the oldest chunk.

    Unlink

    While the unsorted bin is scanned during allocation, chunks whose size does not match the request are unlinked from the unsorted bin and sorted into a small bin or a large bin. In older glibc this unlink performs no check on the chunk being removed, so a chunk whose fd and bk pointers have been tampered with can corrupt the list when it is unlinked; in particular, a forged bk makes the allocator write the address of the unsorted bin head into an attacker-chosen location. This is the unsorted bin attack. glibc 2.29 added a check that bck->fd == victim (among others) before the unlink, which stops this particular write.
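The pointer relationships in steps 1 to 4, the FIFO rule, the sorting of non-fitting chunks into a small bin, and the effect of the unlink check are easier to see in a small model. The following is an added example written for this article, not code from the original post or from glibc: toy_arena, unsorted_put, unsorted_take, unlink_chunk and the single modelled small bin are my own simplifications, chunks are standalone structs rather than real heap memory, and the checked flag stands in for the bck->fd == victim test that glibc 2.29 added.

```c
/* Model of the unsorted bin: a circular doubly linked list whose head is a fake
 * chunk inside the arena, so that bins[0]/bins[1] are the head's fd/bk (which is
 * why pwndbg prints main_arena+88 for the head). Added example for this article,
 * not code from the original post or from glibc; chunks are standalone structs
 * rather than real heap memory, and only one small bin is modelled. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PREV_INUSE 1
#define SIZE_BITS  7

struct malloc_chunk {
    size_t prev_size, size;
    struct malloc_chunk *fd, *bk;
};

/* Cut-down main_arena: as in glibc, bin_at(i) points 16 bytes before bins[2i-2],
 * so the bin's fd and bk fields overlay the two array slots. bin_at(1) is &top. */
struct toy_arena {
    struct malloc_chunk *top, *last_remainder;
    struct malloc_chunk *bins[4];             /* [0],[1] unsorted; [2],[3] small bin */
};
#define bin_at(av, i) ((struct malloc_chunk *)((char *)&(av)->bins[((i) - 1) * 2] \
                                                - offsetof(struct malloc_chunk, fd)))
#define unsorted_chunks(av) bin_at(av, 1)
#define small_bin(av)       bin_at(av, 2)

void arena_init(struct toy_arena *av)
{
    memset(av, 0, sizeof *av);
    struct malloc_chunk *u = unsorted_chunks(av), *s = small_bin(av);
    u->fd = u->bk = u;                        /* empty: both slots point at the head */
    s->fd = s->bk = s;
}

/* Insert at the HEAD of a bin (what free() does for a non-fastbin chunk) */
static void insert_head(struct malloc_chunk *bin, struct malloc_chunk *p)
{
    p->fd = bin->fd; p->bk = bin;
    bin->fd->bk = p; bin->fd = p;
}
void unsorted_put(struct toy_arena *av, struct malloc_chunk *p) { insert_head(unsorted_chunks(av), p); }

/* Unlink victim from its list. `checked` applies the glibc 2.29-style test that
 * both neighbours really point back at victim before writing through them. */
int unlink_chunk(struct malloc_chunk *victim, int checked)
{
    struct malloc_chunk *fd = victim->fd, *bk = victim->bk;
    if (checked && (fd->bk != victim || bk->fd != victim))
        return 0;                             /* "corrupted unsorted chunks" */
    fd->bk = bk;
    bk->fd = fd;                              /* with a forged bk this is an arbitrary write */
    return 1;
}

/* malloc(): scan from the TAIL (bin->bk, the oldest chunk: FIFO). An exact fit
 * is returned; anything else is unlinked and sorted into the small bin. */
struct malloc_chunk *unsorted_take(struct toy_arena *av, size_t nb, int checked)
{
    struct malloc_chunk *bin = unsorted_chunks(av), *victim;
    while ((victim = bin->bk) != bin) {
        if (!unlink_chunk(victim, checked)) return NULL;   /* glibc would abort here */
        if ((victim->size & ~(size_t)SIZE_BITS) == nb) return victim;
        insert_head(small_bin(av), victim);
    }
    return NULL;
}

/* The post's sequence: free(d), free(b), malloc(128) (chunk size 0x90) returns d */
int unsorted_is_fifo(void)
{
    struct toy_arena av; arena_init(&av);
    struct malloc_chunk b = {0, 0x90 | PREV_INUSE, 0, 0}, d = b;
    unsorted_put(&av, &d);
    unsorted_put(&av, &b);
    int layout_ok = av.bins[0] == &b && av.bins[1] == &d          /* bins = {b, d, ...} */
                 && b.fd == &d && b.bk == unsorted_chunks(&av)
                 && d.fd == unsorted_chunks(&av) && d.bk == &b;
    struct malloc_chunk *got = unsorted_take(&av, 0x90, 1);
    return layout_ok && got == &d && av.bins[0] == &b && av.bins[1] == &b;
}

/* A chunk that does not fit the request is moved to the small bin during the scan */
int nonfit_goes_to_smallbin(void)
{
    struct toy_arena av; arena_init(&av);
    struct malloc_chunk x = {0, 0xa0 | PREV_INUSE, 0, 0}, y = {0, 0x90 | PREV_INUSE, 0, 0};
    unsorted_put(&av, &x);
    unsorted_put(&av, &y);
    struct malloc_chunk *got = unsorted_take(&av, 0x90, 1);
    return got == &y && small_bin(&av)->fd == &x && unsorted_chunks(&av)->fd == unsorted_chunks(&av);
}

/* Unsorted bin attack in the model: victim->bk is forged to point at `target`, so the
 * unchecked unlink writes the bin-head address into target.fd.
 * Returns 1 if that write happened, 0 if not, -1 if the check refused the unlink. */
int forged_bk_write(int checked)
{
    struct toy_arena av; arena_init(&av);
    struct malloc_chunk victim = {0, 0x90 | PREV_INUSE, 0, 0}, target = {0, 0, 0, 0};
    unsorted_put(&av, &victim);
    victim.bk = &target;                      /* corrupted by some earlier memory bug */
    if (!unsorted_take(&av, 0x90, checked)) return -1;
    return target.fd == unsorted_chunks(&av);
}

int main(void)
{
    printf("unsorted bin is FIFO: %d\n", unsorted_is_fifo());
    printf("non-fit chunk sorted into small bin: %d\n", nonfit_goes_to_smallbin());
    printf("forged bk, unchecked unlink wrote bin address: %d\n", forged_bk_write(0));
    printf("forged bk, checked unlink: %d (refused)\n", forged_bk_write(1));
    return 0;
}
```

The model reproduces the debugger picture above: after the two frees, av.bins is {b, d, ...} and after the allocation it is {b, b, ...}, because the scan starts at the bk side. The forged_bk_write cases show why the 2.29 check matters: without it, the one pointer write that every unlink performs becomes a write of the bin-head address to wherever the corrupted bk points.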

Small bins & large bins

The only way a chunk enters a small bin or a large bin is during the scan of the unsorted bin at allocation time: chunks that do not fit the request are unlinked from the unsorted bin and placed into the bin for their size.

Both small bins and large bins are maintained as doubly linked lists. Small bins follow the FIFO principle (insert at the head, take from the tail); large bins are additionally kept sorted by size, largest first, within each bin.

Chunks in a large bin also carry fd_nextsize and bk_nextsize, which point to the next chunk of a different size in each direction of the sorted list, so that a search can skip over chunks of equal size.

If the unsorted bin scan yields no fit, the allocator searches the small and large bins for the smallest chunk that is still large enough. That chunk is unlinked, split if it is larger than needed (the remainder goes back into the unsorted bin), and returned.

Ref:

Security Technology Essence

CTF Wiki

Spicy Chicken sponi
Source: http://www.cnblogs.com/ZHijack/
Reposting is welcome and an honour; please indicate the source.
