unsortedbin_attack died
I hadn't known this yet, but starting with glibc > 2.28 the unsorted bin has binning code checks. I wasted a lot of time because of this, so I'm putting it on the blog so I don't forget.
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
while ((victim = unsorted_chunks (av)->bk) != unsorted_chunks (av))
{
bck = victim->bk;
- if (__builtin_expect (chunksize_nomask (victim) <= 2 * SIZE_SZ, 0)
- || __builtin_expect (chunksize_nomask (victim)
- > av->system_mem, 0))
- malloc_printerr ("malloc(): memory corruption");
size = chunksize (victim);
+ mchunkptr next = chunk_at_offset (victim, size);
+
+ if (__glibc_unlikely (size <= 2 * SIZE_SZ)
+ || __glibc_unlikely (size > av->system_mem))
+ malloc_printerr ("malloc(): invalid size (unsorted)");
+ if (__glibc_unlikely (chunksize_nomask (next) < 2 * SIZE_SZ)
+ || __glibc_unlikely (chunksize_nomask (next) > av->system_mem))
+ malloc_printerr ("malloc(): invalid next size (unsorted)");
+ if (__glibc_unlikely ((prev_size (next) & ~(SIZE_BITS)) != size))
+ malloc_printerr ("malloc(): mismatching next->prev_size (unsorted)");
+ if (__glibc_unlikely (bck->fd != victim)
+ || __glibc_unlikely (victim->fd != unsorted_chunks (av)))
+ malloc_printerr ("malloc(): unsorted double linked list corrupted");
+ if (__glibc_unlikely (prev_inuse(next)))
+ malloc_printerr ("malloc(): invalid next->prev_inuse (unsorted)");
/*
If a small request, try to use last remainder if it is the
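Review bot: the `(prev_size (next) & ~(SIZE_BITS)) != size` comparison masks the low three bits of next->prev_size before comparing it with `size`, so a corrupted prev_size that differs from `size` only in those bits still passes; `size` is already masked by `chunksize (victim)` and prev_size carries no flag bits, so `prev_size (next) != size` would be the stricter and simpler check. It would also help to state in the commit message which primitive the `bck->fd != victim` check closes: before this hunk `bck = victim->bk` was taken on trust and the unlink below wrote the bin address through it, so a forged `victim->bk` pointing at target - 2*SIZE_SZ turned the removal into an arbitrary write of `unsorted_chunks (av)`; now `bck->fd` must already hold `victim`, which an attacker cannot arrange at an arbitrary target, and `victim->fd != unsorted_chunks (av)` pins the chunk being removed to the tail of the list that the loop actually walks.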
Checking the diff gives the above. The two checks that actually kill the unsortedbin attack are bck->fd != victim and victim->fd != unsorted_chunks(av).
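To see concretely why those two conditions kill the attack, here is an added example of my own, not code from this post or from glibc: a small C model of the unsorted-bin removal path with the pre-2.29 logic next to the 2.29 logic from the diff above. The struct, macro and message strings mirror glibc's, but old_take_unsorted, new_take_unsorted, run_scenario, attack_lands and abort_message are hypothetical re-implementations, and the heap and the target are constructed arrays, not a real arena.

```c
/* Added example (not from the post or glibc): model of the unsorted-bin
 * removal path. Names follow glibc's malloc_chunk, but the functions are
 * hypothetical re-implementations and the heap is a constructed array. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SIZE_SZ    sizeof(size_t)
#define SIZE_BITS  ((size_t)7)
#define PREV_INUSE ((size_t)1)

typedef struct malloc_chunk {
    size_t prev_size;           /* size of previous chunk, if it is free */
    size_t size;                /* size | flag bits */
    struct malloc_chunk *fd;    /* forward link, valid while free */
    struct malloc_chunk *bk;    /* backward link */
} *mchunkptr;

#define chunksize(p)          ((p)->size & ~SIZE_BITS)
#define chunk_at_offset(p, s) ((mchunkptr)((char *)(p) + (s)))
#define prev_inuse(p)         ((p)->size & PREV_INUSE)

/* Simulated arena: the unsorted bin's list head plus system_mem. */
typedef struct { struct malloc_chunk bin; size_t system_mem; } arena_t;
static mchunkptr unsorted_chunks(arena_t *av) { return &av->bin; }

/* glibc <= 2.28: only the old size check, then unlink victim. The write
 * "bck->fd = unsorted_chunks(av)" is the primitive the attack abuses,
 * because bck comes straight from a possibly forged victim->bk. */
static const char *old_take_unsorted(arena_t *av)
{
    mchunkptr victim = unsorted_chunks(av)->bk;
    mchunkptr bck = victim->bk;
    if (victim->size <= 2 * SIZE_SZ || victim->size > av->system_mem)
        return "malloc(): memory corruption";
    unsorted_chunks(av)->bk = bck;
    bck->fd = unsorted_chunks(av);
    return NULL;
}

/* glibc >= 2.29: the checks from the diff, in the same order. */
static const char *new_take_unsorted(arena_t *av)
{
    mchunkptr victim = unsorted_chunks(av)->bk;
    mchunkptr bck = victim->bk;
    size_t size = chunksize(victim);
    mchunkptr next = chunk_at_offset(victim, size);
    if (size <= 2 * SIZE_SZ || size > av->system_mem)
        return "malloc(): invalid size (unsorted)";
    if (next->size < 2 * SIZE_SZ || next->size > av->system_mem)
        return "malloc(): invalid next size (unsorted)";
    if ((next->prev_size & ~SIZE_BITS) != size)
        return "malloc(): mismatching next->prev_size (unsorted)";
    if (bck->fd != victim || victim->fd != unsorted_chunks(av))
        return "malloc(): unsorted double linked list corrupted";
    if (prev_inuse(next))
        return "malloc(): invalid next->prev_inuse (unsorted)";
    unsorted_chunks(av)->bk = bck;
    bck->fd = unsorted_chunks(av);
    return NULL;
}

/* Put one free 0x80-byte chunk in the unsorted bin, optionally forge its bk
 * (bk = &target, i.e. target->fd - 0x10) and run one removal path. Returns the
 * abort message (NULL = success) and target->fd after the attempt. */
static const char *run_scenario(int use_new_checks, int corrupt, mchunkptr *out)
{
    static struct malloc_chunk heap[8];  /* constructed fake heap */
    static struct malloc_chunk target;   /* target.fd is what the attack overwrites */
    arena_t av;
    memset(heap, 0, sizeof heap);
    memset(&target, 0, sizeof target);
    memset(&av, 0, sizeof av);
    av.system_mem = 0x21000;

    mchunkptr victim = &heap[0];
    victim->size = 0x80 | PREV_INUSE;          /* 0x80 bytes = heap[0..3] */
    mchunkptr next = chunk_at_offset(victim, 0x80);
    next->prev_size = 0x80;                    /* consistent footer */
    next->size = 0x20;                         /* PREV_INUSE clear: victim is free */
    av.bin.fd = av.bin.bk = victim;            /* bin <-> victim */
    victim->fd = victim->bk = &av.bin;
    if (corrupt)
        victim->bk = &target;                  /* the unsortedbin attack */

    const char *err = use_new_checks ? new_take_unsorted(&av) : old_take_unsorted(&av);
    *out = target.fd;
    return err;
}

/* 1 if the forged bk got the bin address written into target->fd. */
static int attack_lands(int use_new_checks)
{
    mchunkptr t; run_scenario(use_new_checks, 1, &t); return t != NULL;
}
/* Abort message produced by the corrupted run (NULL if none). */
static const char *abort_message(int use_new_checks)
{
    mchunkptr t; return run_scenario(use_new_checks, 1, &t);
}

int main(void)
{
    printf("<= 2.28: lands=%d msg=%s\n", attack_lands(0), abort_message(0) ? abort_message(0) : "none");
    printf(">= 2.29: lands=%d msg=%s\n", attack_lands(1), abort_message(1));
    return 0;
}
```

The old path overwrites target->fd with the address of the bin head without ever looking at what target->fd held; the new path reads bck->fd first and refuses unless it already points back at victim, which the attacker cannot satisfy at an arbitrary address, so the write never happens.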