上一篇，大家详细介绍了一种Double free技术性。而且完成了对malloc_hook的fastbin_attack。

此次将详细介绍怎样利用malloc中的consolidate体制来完成double free。文中会涉及到一些源码，若有表述不正确，恳求诸位高手纠正。

0x01 利用consolidate的Double Free

1.1 fastbin_dup_consolidate剖析

更先剖析一下实例编码

#include

#include

#include

int main(){

void* p1=malloc(0x40);

void* p2=malloc(0x40);

fprintf(stderr, "Allocated two fastbins: p1=%p p2=%pn", p1, p2);

fprintf(stderr, "Now free p1!n");

free(p1);

void* p3=malloc(0x400);

fprintf(stderr, "Allocated large bin to trigger malloc_consolidate(): p3=%pn", p3);

fprintf(stderr, "In malloc_consolidate(), p1 is moved to the unsorted bin.n");

free(p1);

fprintf(stderr, "Trigger the double free vulnerability!n");

fprintf(stderr, "We can pass the check in malloc() since p1 is not fast top.n");

fprintf(stderr, "Now p1 is in unsorted bin and fast bin. So we'will get it twice: %p %pn", malloc(0x40), malloc(0x40));

}

编译程序时刻加-g主要参数，动态性调节中能够同歩源代码开展剖析。

1.2步骤剖析

程序流程更先malloc分派了2个0x40的运行内存p1和p2,随后free掉chunk_p1,低于64的chunkp1会被链入fastbins中。

gef? x/40gx 0x602010-0x10

0x602000: 0x0000000000000000 0x0000000000000051

0x602010: 0x0000000000000000 0x0000000000000000

0x602020: 0x0000000000000000 0x0000000000000000

0x602030: 0x0000000000000000 0x0000000000000000

0x602040: 0x0000000000000000 0x0000000000000000

0x602050: 0x0000000000000000 0x0000000000000051

0x602060: 0x0000000000000000 0x0000000000000000

0x602070: 0x0000000000000000 0x0000000000000000

0x602080: 0x0000000000000000 0x0000000000000000

0x602090: 0x0000000000000000 0x0000000000000000

0x6020a0: 0x0000000000000000 0x0000000000020f61

查询快表,能够见到被释放出来的chunk_p1

gef? heap bins fast

─────[ Fastbins for arena 0x7ffff7dd1b20 ]─────

Fastbin[3]→ UsedChunk(addr=0x602010,size=0x50)

实行分派0x400运行内存，这时看fastbin，发觉chunk_p1早已被从快表中卸掉了。而我们在 *** all bins中找到它。

gef? heap bins fast

────[ Fastbins for arena 0x7ffff7dd1b20 ]───

Fastbin[0]0x00

Fastbin[1]0x00

Fastbin[2]0x00

Fastbin[3]0x00

gef? heap bins *** all

───[ Small Bins for arena 'main_arena' ]────

[ ]Found base for bin(4): fw=0x602000, bk=0x602000

→ FreeChunk(addr=0x602010,size=0x50)

glibc在分派large chunk(>1024字节数)时，更先实际操作是分辨fast bins是不是包括chunk。假如包括，则应用malloc_consolidate涵数将fastbin中的chunk合拼，并放进unsortbins。依据尺寸放进 *** all bins/large bins。

要我根据glibc源代码开展阅读文章剖析 ，FTP下载链接,malloc的完成在/malloc/malloc.c

malloc.c在1055行各自界定了malloc free realloc涵数

static void* _int_malloc(mstate, size_t);

static void _int_free(mstate, mchunkptr, int);

static void* _int_realloc(mstate, mchunkptr, INTERNAL_SIZE_T,

? INTERNAL_SIZE_T);

在_int_malloc的Define下寻找开启consolidate的编码一部分。

更先根据have_fastchunks分辨fastbins是不是链有空余堆。

have_fastchunks的宏定义即是分辨fastbin中是不是包括chunk，flag为0的情况下表明存有chunk。

#define have_fastchunks(M) (((M)->flags & FASTCHUNKS_BIT)==0)

假如包括chunk，可能启用consolidate来合拼fastbins中的chunk，并将这种空余的chunk添加unsorted bin中。

本实例开启consolidate的源代码

/*

? If this is a large request, consolidate fastbins before continuing.

? While it might look excessive to kill all fastbins before

? even seeing if there is space available, this avoids

? fragmentation problems normally associated with fastbins.

? Also, in practice, programs tend to have runs of either *** all or

? large requests, but less often mixtures, so consolidation is not

? invoked all that often in most programs. And the programs that