目前正在学习堆利用,但有些奇怪我不明白:
这是通过调用malloc(0x80)分配的下一个块:
0x602090: 0x0000000000000000 0x0000000000000091
0x6020a0: 0x00007ffff7dd1b78 0x0000000000601120
...
在此之后调用另一个malloc(0x80),我的目标是返回0x601130。这有效,但仅限于0x601128 == 0x90:
0x601120: 0x0000000000602010 0x0000000000000090
0x601130: 0x0000000000602130 0x00000000006021c0
如果我将90更改为任何其他值,则会导致内存损坏:
*** Error in `censored': malloc(): memory corruption: 0x00000000006021d0 **
...
#0 0x00007ffff7a42428 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff7a4402a in __GI_abort () at abort.c:89
#2 0x00007ffff7a847ea in __libc_message (do_abort=0x2, fmt=fmt@entry=0x7ffff7b9de98 "*** Error in `%s': %s: 0x%s ***\n")
at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff7a8f13e in malloc_printerr (ar_ptr=0x7ffff7dd1b20 <main_arena>, ptr=0x6021d0,
str=0x7ffff7b9acff "malloc(): memory corruption", action=<optimized out>) at malloc.c:5006
#4 _int_malloc (av=av@entry=0x7ffff7dd1b20 <main_arena>, bytes=bytes@entry=0x80) at malloc.c:3474
以下是GLIBC_2.2.5中的代码,位于malloc:3474:
bck = victim->bk;
if (__builtin_expect (chunksize_nomask (victim) <= 2 * SIZE_SZ, 0)
|| __builtin_expect (chunksize_nomask (victim)
> av->system_mem, 0))
malloc_printerr (check_action, "malloc(): memory corruption",
chunk2mem (victim), av);
size = chunksize (victim);
现在,从我所阅读的内容和我对此代码的理解来看,受害者chunksize应该大于2 * SIZE_SZ(64位大于16字节)并小于av-&gt; system_mem。这里av-&gt; system_mem等于:
gdb-peda$ p av->system_mem
$1 = 0x21000
所以我希望0x10和0x21000之间的任何值都能通过检查。为什么不呢?