pwn study summary (8) - Heap (continually updated)

Foreword

Based on studying "glibc memory management ptmalloc source code analysis" by Zhuang Mingjiang; some sections draw on material from the Internet.

chunk

Description:

  1. When the user calls malloc or a related function, the space is actually allocated from the heap
  2. The heap allocator used by current mainstream Linux distributions is glibc's ptmalloc2
  3. ptmalloc hands the user different types of chunk depending on what the user requests

Structure:

struct malloc_chunk {
    INTERNAL_SIZE_T prev_size; /* Size of previous chunk (if free). */
    INTERNAL_SIZE_T size; /* Size in bytes, including overhead. */
    
    struct malloc_chunk* fd; /* double links -- used only if free. */
    struct malloc_chunk* bk;
    
    /* Only used for large blocks: pointer to next larger size. */
    struct malloc_chunk* fd_nextsize; /* double links -- used only if free. */
    struct malloc_chunk* bk_nextsize;
};

In use (after allocation)

chunk start: the start address of the chunk
prev_size:

  1. The size of the previous chunk; occupies 4 bytes on 32-bit and 8 bytes on 64-bit
  2. Only valid when the previous chunk is free

size

  1. The size of the current chunk; occupies 4 bytes on 32-bit and 8 bytes on 64-bit
  2. The low three bits are the flags A | M | P, each with its own meaning
    A: 0 means the chunk belongs to the main arena, 1 means it belongs to a non-main arena
    M: indicates which virtual memory region the chunk was obtained from; 1 means the chunk was allocated from the mmap mapped region, otherwise it came from the heap area
    P: indicates whether the previous chunk is in use; 1 means the previous chunk is in use, so prev_size is invalid and no operation is performed on the previous chunk. The first chunk of a heap always has P set to 1, to prevent references to a region that does not exist

memory: the pointer to the chunk's data area that malloc and related functions return to the user

Free (after release)

Description:

  1. A free chunk has no M flag; only the A | P states are present
  2. The first two words of the user data area are reused for the fd and bk members

fd: points to the start address of the previous free chunk; occupies 4 bytes on 32-bit and 8 bytes on 64-bit
bk: points to the start address of the next free chunk; occupies 4 bytes on 32-bit and 8 bytes on 64-bit

Note: in fact, after a large chunk is freed there are two further members, fd_nextsize and bk_nextsize, which are introduced later

Heap block size

32-bit operating system:

  1. The smallest heap block allocated to the user is 17B: prev_size (4B) + size (4B) + fd (4B) + bk (4B) + next_chunk->P (1B)
  2. If the user's request exceeds the minimum heap block size, it is aligned to 8B

64-bit operating system:

  1. The smallest heap block allocated to the user is 33B: prev_size (8B) + size (8B) + fd (8B) + bk (8B) + next_chunk->P (1B)
  2. If the user's request exceeds the minimum heap block size, it is aligned to 16B

Space reuse

Description: When a chunk is in use, the prev_size field of the next chunk is invalid, so the current chunk can also use the next chunk's prev_size field for its own data. This is chunk space reuse
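As an added example (not code from the original post), the following C program reproduces the request-to-chunk-size rounding ptmalloc applies and decodes the A | M | P bits of a size field for both the 32-bit and 64-bit layouts described above; request2size and the flag names follow glibc's malloc.c, while the layout_t struct and size_field_of are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Platform constants as in glibc malloc.c: SIZE_SZ is sizeof(INTERNAL_SIZE_T),
   MALLOC_ALIGNMENT is 2*SIZE_SZ, MINSIZE is the smallest chunk (prev_size +
   size + fd + bk). The layout_t struct is this example's own. */
typedef struct { size_t size_sz, alignment, minsize; } layout_t;
static const layout_t LAYOUT32 = { 4, 8, 16 };
static const layout_t LAYOUT64 = { 8, 16, 32 };

/* Chunk size that malloc(req) really carves out: the request plus one size
   field (the next chunk's prev_size is reused, see "space reuse"), rounded
   up to the alignment and never below MINSIZE. Mirrors glibc's request2size. */
size_t request2size(size_t req, const layout_t *l) {
    size_t mask = l->alignment - 1;
    if (req + l->size_sz + mask < l->minsize) return l->minsize;
    return (req + l->size_sz + mask) & ~mask;
}

/* The low three bits of the size field are the flags, not part of the size. */
#define PREV_INUSE     0x1  /* P: previous chunk in use, its prev_size is invalid */
#define IS_MMAPPED     0x2  /* M: chunk came from mmap, not from a heap */
#define NON_MAIN_ARENA 0x4  /* A: chunk belongs to a non-main arena */
size_t chunksize(size_t size_field) { return size_field & ~(size_t)0x7; }
int prev_inuse(size_t size_field) { return (size_field & PREV_INUSE) != 0; }
int is_mmapped(size_t size_field) { return (size_field & IS_MMAPPED) != 0; }
int non_main_arena(size_t size_field) { return (size_field & NON_MAIN_ARENA) != 0; }

/* Step back from the user pointer over prev_size and size to read the size
   field of a live chunk. Assumes the running allocator is glibc ptmalloc. */
size_t size_field_of(void *mem) {
    size_t *hdr = (size_t *)((char *)mem - 2 * sizeof(size_t));
    return hdr[1];
}

int main(void) {
    const layout_t *l = sizeof(size_t) == 8 ? &LAYOUT64 : &LAYOUT32;
    size_t req[] = { 0, 12, 13, 24, 25, 100 };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++) {
        void *p = malloc(req[i]);
        if (!p) return 1;
        size_t sf = size_field_of(p);
        printf("malloc(%3zu): predicted chunk 0x%zx, header says 0x%zx A=%d M=%d P=%d\n",
               req[i], request2size(req[i], l), chunksize(sf),
               non_main_arena(sf), is_mmapped(sf), prev_inuse(sf));
        free(p);
    }
    return 0;
}
```

On a glibc system the predicted and observed chunk sizes agree, and P is set on every chunk because the preceding chunk is still in use.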

bins

Description:

  1. Memory freed by the user is not immediately returned to the system; ptmalloc manages the free chunks of the heap and of the mmap mapped area in a unified way
  2. When the user requests an allocation, ptmalloc first tries to pick a free chunk for the user, which avoids frequent system calls and reduces the overhead of memory allocation
  3. ptmalloc links chunks of similar size into doubly linked lists; such a list is called a bin
  4. ptmalloc maintains 128 bins in total and stores them in an array
  5. According to the characteristics of the heap manager, the bins are divided into four kinds: fastbin | unsortedbin | smallbin | largebin
  6. In the array, bin 1 is the unsorted bin; bins 2 to 63 are small bins; bins 64 to 126 are large bins

fastbin

Description:

  1. On a 32-bit operating system, heap blocks smaller than 64B are managed with fastbins when freed, i.e. chunks of at most 80 bytes
  2. fastbins are singly linked lists that use only the fd member
  3. fastbins do not touch the P bit, which means they never merge on their own; only under certain circumstances does the heap manager consolidate the fastbins
  4. The fastbinsY array manages the fastbins; each element manages the list for one chunk size and points to the current (most recently freed) node of that list, and when that node is allocated, its fd pointer leads to the previous node
  5. When the user requests a chunk no larger than MAX_FAST_SIZE, the corresponding fastbin is searched first for a free block, following the LIFO rule (last in, first out)

Usage idea

  1. Allocate two fastbin chunks: chunk1 and chunk2
  2. Free chunk2, then chunk1
  3. Allocate a fastbin chunk again; chunk1 is returned (the last freed is the first allocated)
  4. Write to chunk1, overflowing into and overwriting chunk2's fd field
  5. Allocate another chunk; chunk2 is returned. Since chunk2->fd is not 0, the heap manager's free-chunk pointer now points to chunk2->fd
  6. The third allocation returns chunk2->fd
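As an added example (a simulation written for this page, not glibc's own code), a minimal 64-bit fastbin model showing the LIFO order of steps 1 to 3 above and the size check glibc performs when it takes a chunk out of a fastbin, which is what rejects a chunk reached through a corrupted fd whose size field does not match the bin. The fchunk and fastbin structs and the index rule are assumptions of this example.

```c
#include <stddef.h>

/* A free chunk as a fastbin sees it: only prev_size, size and fd matter. */
typedef struct fchunk {
    size_t prev_size;
    size_t size;            /* chunk size with the A|M|P bits in the low 3 bits */
    struct fchunk *fd;      /* fastbins are singly linked through fd only */
} fchunk;

/* One slot of fastbinsY: the list head and the size class it must hold.
   64-bit index rule assumed: chunk size 0x20 -> bin 0, 0x30 -> bin 1, ... */
typedef struct { fchunk *head; size_t idx; } fastbin;
static size_t fastbin_index(size_t chunk_size) { return (chunk_size >> 4) - 2; }

/* free(): push the chunk on the front of the list; the P bit is not cleared. */
void fastbin_free(fastbin *bin, fchunk *c) {
    c->fd = bin->head;
    bin->head = c;
}

/* malloc(): take the most recently freed chunk (LIFO). Like glibc, refuse it
   when its size field does not belong to this bin; glibc aborts here with
   "malloc(): memory corruption (fast)". */
fchunk *fastbin_malloc(fastbin *bin) {
    fchunk *victim = bin->head;
    if (victim == NULL) return NULL;
    if (fastbin_index(victim->size & ~(size_t)7) != bin->idx) return NULL;
    bin->head = victim->fd;
    return victim;
}

/* Steps 1-3 above: free chunk2 then chunk1; the next malloc returns chunk1. */
int lifo_returns_last_freed(void) {
    fchunk c1 = { 0, 0x21, NULL }, c2 = { 0, 0x21, NULL };
    fastbin bin = { NULL, fastbin_index(0x20) };
    fastbin_free(&bin, &c2);
    fastbin_free(&bin, &c1);
    return fastbin_malloc(&bin) == &c1 && fastbin_malloc(&bin) == &c2;
}

/* A chunk reached through an overwritten fd whose size field is not in this
   bin's size class is refused by the size check instead of being handed out. */
int bad_size_through_fd_is_refused(void) {
    fchunk fake = { 0, 0x41, NULL };          /* wrong size class for bin 0 */
    fchunk c1 = { 0, 0x21, &fake };           /* fd points at the fake chunk */
    fastbin bin = { &c1, fastbin_index(0x20) };
    fchunk *first = fastbin_malloc(&bin);     /* c1 comes out, head -> fake */
    return first == &c1 && fastbin_malloc(&bin) == NULL;
}
```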

unsorted bin

Description

  1. When a smaller or larger chunk is freed, to improve allocation efficiency the system first adds the most recently freed chunk to the unsorted bin
  2. The unsorted bin is a doubly linked circular list with no restriction on chunk size, i.e. chunks of any size can be placed in the unsorted bin list

small bin

Description

  1. On a 32-bit operating system, heap blocks larger than 64B and at most 512B are managed with small bins when freed
  2. Small bins are doubly linked circular lists and use the FIFO (first in, first out) algorithm
  3. When a chunk that meets the small bin condition is freed, it is first placed in the unsorted bin; only under certain conditions is it moved into a small bin
  4. Adjacent free chunks are merged into a larger free chunk to improve memory utilization


Origin blog.csdn.net/qq_41988448/article/details/103685794