Add techniques found by ArcHeap
Hi, all.
I would like to introduce my recent work, ArcHeap (https://arxiv.org/pdf/1903.00503.pdf), and the techniques it found.
I already reported unsorted_bin_into_stack, and this repo contains the other techniques (all tested with libc 2.23 from Ubuntu 16.04, but I think they will work up to 2.25, before tcache).
We determine the uniqueness of the techniques on two aspects: a root cause and a capability.
| New | Old | Root causes | New capability |
|---|---|---|---|
| House of unsorted bin | House of Einherjar | Unsorted vs. Free | Does not require a heap address |
| Unaligned Double Free | Fast bin dup | Small vs. Fast | Can abuse a small bin |
| Overlapping chunk with small bin | Overlapping chunk | Small vs. Unsorted | Does not need a controllable size allocation |
| Fast bin into other bin | Fast bin dup into stack | Consolidation vs. Fast | Can allocate a non-fast chunk |
Let me know if you have a technique to add to this repo. Then I will make a pull request. Thank you.
I think the house of unsorted einherjar doesn't work conceptually anymore because of this check: https://elixir.bootlin.com/glibc/glibc-2.40.9000/source/malloc/malloc.c#L4694
```c
/* Consolidate backward. */
if (!prev_inuse(p))
  {
    INTERNAL_SIZE_T prevsize = prev_size (p);
    size += prevsize;
    p = chunk_at_offset(p, -((long) prevsize));
    if (__glibc_unlikely (chunksize(p) != prevsize)) // <- kills it
      malloc_printerr ("corrupted size vs. prev_size while consolidating");
    unlink_chunk (av, p);
  }
```
regardless of the tcache. From what I can see, the check was added in commit d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f, so glibc version 2.28 ~ 2.29.
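To make the quoted check concrete, here is an added C model of the backward-consolidation validation (example code written for this thread, not glibc's own code): a two-chunk buffer where the second chunk's prev_size either matches the first chunk's size field or is forged. The 64-bit chunk header layout, the chunk sizes and the helper names `consolidate_backward_ok` and `simulate` are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified malloc_chunk header (assumed 64-bit glibc layout). */
typedef size_t INTERNAL_SIZE_T;
#define PREV_INUSE 0x1
#define SIZE_BITS  0x7

struct chunk {
    INTERNAL_SIZE_T prev_size;  /* size of the previous chunk, valid only when it is free */
    INTERNAL_SIZE_T size;       /* size of this chunk; low 3 bits are flags */
};

#define chunksize(p)             ((p)->size & ~(size_t)SIZE_BITS)
#define prev_inuse(p)            ((p)->size & PREV_INUSE)
#define chunk_at_offset(p, off)  ((struct chunk *)((char *)(p) + (off)))

/* Mirrors the check added to _int_free: returns 1 if glibc would consolidate
   backward, 0 if it would abort with
   "corrupted size vs. prev_size while consolidating". */
int consolidate_backward_ok(struct chunk *p) {
    if (prev_inuse(p))
        return 1;                                   /* previous chunk in use: nothing to merge */
    INTERNAL_SIZE_T prevsize = p->prev_size;
    struct chunk *prev = chunk_at_offset(p, -((long)prevsize));
    return chunksize(prev) == prevsize;             /* prev_size must agree with prev's size field */
}

/* Constructed heap: chunk A of size a followed by chunk B. B's prev_size is set
   to 'claimed'; a_in_use sets B's PREV_INUSE bit. Returns the verdict for B,
   or -1 when 'claimed' would point outside the constructed buffer. */
int simulate(size_t a, size_t claimed, int a_in_use) {
    static unsigned char heap[0x400];
    if (a > sizeof heap - 0x40 || claimed > a)
        return -1;
    memset(heap, 0, sizeof heap);                   /* forged target area reads as size 0 */
    struct chunk *A = (struct chunk *)heap;
    A->size = a;
    struct chunk *B = chunk_at_offset(A, a);
    B->size = 0x40 | (a_in_use ? PREV_INUSE : 0);
    B->prev_size = claimed;
    return consolidate_backward_ok(B);
}
```

A forged prev_size that does not land on a chunk whose size field equals it is rejected, which is why the check closes the house of unsorted einherjar path independently of tcache.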
closing it because it has become stale.