Heap Failure: Memory Corruption

I'm currently studying how the heap works, but there is something strange I don't understand:

Here is the chunk that gets allocated by calling malloc(0x80):

 0x602090: 0x0000000000000000 0x0000000000000091
 0x6020a0: 0x00007ffff7dd1b78 0x0000000000601120
 ...

After that, calling another malloc(0x80), my goal is to have it return 0x601130. This works, but only if 0x601128 == 0x90:

 0x601120: 0x0000000000602010 0x0000000000000090
 0x601130: 0x0000000000602130 0x00000000006021c0

If I change 0x90 to any other value, I get a memory corruption error:

 *** Error in `censored': malloc(): memory corruption: 0x00000000006021d0 ***
 ...
 #0  0x00007ffff7a42428 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:54
 #1  0x00007ffff7a4402a in __GI_abort () at abort.c:89
 #2  0x00007ffff7a847ea in __libc_message (do_abort=0x2, fmt=fmt@entry=0x7ffff7b9de98 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
 #3  0x00007ffff7a8f13e in malloc_printerr (ar_ptr=0x7ffff7dd1b20 <main_arena>, ptr=0x6021d0, str=0x7ffff7b9acff "malloc(): memory corruption", action=<optimized out>) at malloc.c:5006
 #4  _int_malloc (av=av@entry=0x7ffff7dd1b20 <main_arena>, bytes=bytes@entry=0x80) at malloc.c:3474

Here is the code in GLIBC_2.2.5, at malloc.c:3474:

 bck = victim->bk;
 if (__builtin_expect (chunksize_nomask (victim) <= 2 * SIZE_SZ, 0)
     || __builtin_expect (chunksize_nomask (victim) > av->system_mem, 0))
   malloc_printerr (check_action, "malloc(): memory corruption",
                    chunk2mem (victim), av);
 size = chunksize (victim);

Now, from what I have read and from my understanding of this code, the size of the victim chunk must be greater than 2 * SIZE_SZ (so more than 16 bytes on 64-bit) and less than av->system_mem. Here av->system_mem is:

 gdb-peda$ p av->system_mem
 $1 = 0x21000

So I would expect any value between 0x10 and 0x21000 to pass the check. Why isn't that the case?

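The unsorted-bin scan the question is asking about, as an added example that is not part of the original post: a cut-down C model of the glibc 2.23 `_int_malloc` loop around malloc.c:3474, keeping the size check, the unlink from the unsorted list, the exact-fit return, and the move to the next chunk (`bck`) when the fit is not exact. The chunk layout, the 0x90 chunk size that malloc(0x80) needs on 64-bit, and system_mem = 0x21000 follow the post; the fake heap, the leftover pointer value placed in the next chunk's size slot, and all function names (`scan_unsorted`, `build_heap`, `demo_result`, `demo_stop_chunk`) are constructed for this demo. The last-remainder path and the actual sorting into small/large bins are omitted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same definitions as malloc.c on 64-bit glibc. */
#define SIZE_SZ   sizeof(size_t)
#define SIZE_BITS 0x7UL
#define chunksize_nomask(p) ((p)->mchunk_size)
#define chunksize(p)        (chunksize_nomask(p) & ~SIZE_BITS)

#define NB_0x80    0x90UL     /* request2size(0x80): chunk size needed for malloc(0x80) */
#define SYSTEM_MEM 0x21000UL  /* av->system_mem from the post */

struct malloc_chunk {
    size_t mchunk_prev_size;
    size_t mchunk_size;
    struct malloc_chunk *fd;
    struct malloc_chunk *bk;
};

enum scan_result { SCAN_EXACT_FIT, SCAN_CORRUPTION, SCAN_BIN_EMPTY };

/* Model of the 2.23 unsorted-bin loop: victim comes from the tail (bin->bk),
 * its size is bounds-checked, it is unlinked, returned on exact fit, and
 * otherwise "sorted away" (dropped here) before the loop looks at bck. */
static enum scan_result scan_unsorted(struct malloc_chunk *bin, size_t nb,
                                      size_t system_mem,
                                      struct malloc_chunk **out)
{
    struct malloc_chunk *victim, *bck;
    *out = NULL;
    while ((victim = bin->bk) != bin) {
        bck = victim->bk;
        /* the check at malloc.c:3474 */
        if (chunksize_nomask(victim) <= 2 * SIZE_SZ ||
            chunksize_nomask(victim) > system_mem) {
            *out = victim;               /* chunk2mem(victim) is what the abort prints */
            return SCAN_CORRUPTION;
        }
        size_t size = chunksize(victim);
        bin->bk = bck;                   /* remove from unsorted list */
        bck->fd = bin;
        if (size == nb) {
            *out = victim;               /* exact fit: returned to the caller */
            return SCAN_EXACT_FIT;
        }
        /* not an exact fit: glibc bins it and continues with bck */
    }
    return SCAN_BIN_EMPTY;
}

/* Constructed heap: bin -> fake (the poster's 0x601120 stand-in) -> next.
 * fake_size is the value written into the fake chunk's size field. */
static void build_heap(struct malloc_chunk *bin, struct malloc_chunk *fake,
                       struct malloc_chunk *next, size_t fake_size)
{
    memset(bin, 0, sizeof *bin);
    memset(fake, 0, sizeof *fake);
    memset(next, 0, sizeof *next);
    fake->mchunk_size = fake_size;
    /* constructed: a stale pointer left in the size slot of the chunk
     * behind the fake one, well above system_mem */
    next->mchunk_size = 0x7ffff7dd1b78UL;
    bin->fd = next;  next->fd = fake;  fake->fd = bin;
    bin->bk = fake;  fake->bk = next;  next->bk = bin;
}

/* Outcome of a malloc(0x80) scan against a fresh heap with the given fake size. */
static enum scan_result demo_result(size_t fake_size)
{
    struct malloc_chunk bin, fake, next, *out;
    build_heap(&bin, &fake, &next, fake_size);
    return scan_unsorted(&bin, NB_0x80, SYSTEM_MEM, &out);
}

/* Which chunk the scan stopped at: 0 = fake, 1 = next, -1 = none. */
static int demo_stop_chunk(size_t fake_size)
{
    struct malloc_chunk bin, fake, next, *out;
    build_heap(&bin, &fake, &next, fake_size);
    scan_unsorted(&bin, NB_0x80, SYSTEM_MEM, &out);
    return out == &fake ? 0 : out == &next ? 1 : -1;
}

int main(void)
{
    const size_t sizes[] = { 0x90, 0x100, 0x10, 0x30000 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        enum scan_result r = demo_result(sizes[i]);
        int at = demo_stop_chunk(sizes[i]);
        printf("fake size 0x%zx: %s (stopped at %s chunk)\n", sizes[i],
               r == SCAN_EXACT_FIT ? "exact fit, returned" :
               r == SCAN_CORRUPTION ? "malloc(): memory corruption" : "bin empty",
               at == 0 ? "fake" : at == 1 ? "next" : "no");
    }
    return 0;
}
```

Running it shows the two distinct ways a value other than 0x90 fails: 0x10 and 0x30000 trip the bounds check on the fake chunk itself, while an in-range value such as 0x100 passes the check but is not an exact fit, so the chunk is unlinked and the loop goes on to `bck`, whose size slot is then checked and fails. The abort in the post names 0x6021d0, which is `chunk2mem` of 0x6021c0, the `bk` value visible at 0x601138 in the dump, so a practitioner reading that trace should look at the size field of the next chunk in the list, not only at the faked one.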

Source: https://habr.com/ru/post/1269451/
