mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-30 00:20:59 +00:00
382 lines
13 KiB
Markdown
382 lines
13 KiB
Markdown
# free
|
||
|
||
{% hint style="success" %}
|
||
学习并练习AWS黑客技术:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks培训AWS红队专家(ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
学习并练习GCP黑客技术:<img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks培训GCP红队专家(GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
||
<details>
|
||
|
||
<summary>支持HackTricks</summary>
|
||
|
||
* 检查[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
||
* **加入** 💬 [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**电报群组**](https://t.me/peass) 或 **关注**我们的**Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享黑客技巧。
|
||
|
||
</details>
|
||
{% endhint %}
|
||
|
||
## Free函数总结 <a href="#libc_free" id="libc_free"></a>
|
||
|
||
(本摘要未解释任何检查,并为简洁起见省略了一些情况)
|
||
|
||
1. 如果地址为null,则不执行任何操作
|
||
2. 如果块是mmaped,则解除映射并完成
|
||
3. 调用`_int_free`:
|
||
1. 如果可能,将块添加到tcache
|
||
2. 如果可能,将块添加到快速bin
|
||
3. 调用`_int_free_merge_chunk`以合并块(如果需要)并将其添加到未排序列表
|
||
|
||
## \_\_libc\_free <a href="#libc_free" id="libc_free"></a>
|
||
|
||
`Free`调用`__libc_free`。
|
||
|
||
* 如果传递的地址为Null(0),则不执行任何操作。
|
||
* 检查指针标签
|
||
* 如果块是`mmaped`,则解除映射并完成
|
||
* 如果不是,则添加颜色并调用`_int_free`。
|
||
```c
|
||
void
|
||
__libc_free (void *mem)
|
||
{
|
||
mstate ar_ptr;
|
||
mchunkptr p; /* chunk corresponding to mem */
|
||
|
||
if (mem == 0) /* free(0) has no effect */
|
||
return;
|
||
|
||
/* Quickly check that the freed pointer matches the tag for the memory.
|
||
This gives a useful double-free detection. */
|
||
if (__glibc_unlikely (mtag_enabled))
|
||
*(volatile char *)mem;
|
||
|
||
int err = errno;
|
||
|
||
p = mem2chunk (mem);
|
||
|
||
if (chunk_is_mmapped (p)) /* release mmapped memory. */
|
||
{
|
||
/* See if the dynamic brk/mmap threshold needs adjusting.
|
||
Dumped fake mmapped chunks do not affect the threshold. */
|
||
if (!mp_.no_dyn_threshold
|
||
&& chunksize_nomask (p) > mp_.mmap_threshold
|
||
&& chunksize_nomask (p) <= DEFAULT_MMAP_THRESHOLD_MAX)
|
||
{
|
||
mp_.mmap_threshold = chunksize (p);
|
||
mp_.trim_threshold = 2 * mp_.mmap_threshold;
|
||
LIBC_PROBE (memory_mallopt_free_dyn_thresholds, 2,
|
||
mp_.mmap_threshold, mp_.trim_threshold);
|
||
}
|
||
munmap_chunk (p);
|
||
}
|
||
else
|
||
{
|
||
MAYBE_INIT_TCACHE ();
|
||
|
||
/* Mark the chunk as belonging to the library again. */
|
||
(void)tag_region (chunk2mem (p), memsize (p));
|
||
|
||
ar_ptr = arena_for_chunk (p);
|
||
_int_free (ar_ptr, p, 0);
|
||
}
|
||
|
||
__set_errno (err);
|
||
}
|
||
libc_hidden_def (__libc_free)
|
||
```
|
||
</details>
|
||
|
||
## \_int\_free <a href="#int_free" id="int_free"></a>
|
||
|
||
### \_int\_free 开始 <a href="#int_free" id="int_free"></a>
|
||
|
||
它从一些检查开始,确保:
|
||
|
||
* **指针**是**对齐**的,否则会触发错误 `free(): invalid pointer`
|
||
* **大小**不小于最小值,并且**大小**也是**对齐**的,否则会触发错误:`free(): invalid size`
|
||
|
||
<details>
|
||
|
||
<summary>_int_free start</summary>
|
||
```c
|
||
// From https://github.com/bminor/glibc/blob/f942a732d37a96217ef828116ebe64a644db18d7/malloc/malloc.c#L4493C1-L4513C28
|
||
|
||
#define aligned_OK(m) (((unsigned long) (m) &MALLOC_ALIGN_MASK) == 0)
|
||
|
||
static void
|
||
_int_free (mstate av, mchunkptr p, int have_lock)
|
||
{
|
||
INTERNAL_SIZE_T size; /* its size */
|
||
mfastbinptr *fb; /* associated fastbin */
|
||
|
||
size = chunksize (p);
|
||
|
||
/* Little security check which won't hurt performance: the
|
||
allocator never wraps around at the end of the address space.
|
||
Therefore we can exclude some size values which might appear
|
||
here by accident or by "design" from some intruder. */
|
||
if (__builtin_expect ((uintptr_t) p > (uintptr_t) -size, 0)
|
||
|| __builtin_expect (misaligned_chunk (p), 0))
|
||
malloc_printerr ("free(): invalid pointer");
|
||
/* We know that each chunk is at least MINSIZE bytes in size or a
|
||
multiple of MALLOC_ALIGNMENT. */
|
||
if (__glibc_unlikely (size < MINSIZE || !aligned_OK (size)))
|
||
malloc_printerr ("free(): invalid size");
|
||
|
||
check_inuse_chunk(av, p);
|
||
```
|
||
</details>
|
||
|
||
### \_int\_free tcache <a href="#int_free" id="int_free"></a>
|
||
|
||
首先,它将尝试在相关的 tcache 中分配此块。但是,先前执行了一些检查。它将循环遍历与释放的块相同索引的 tcache 的所有块,并执行以下操作:
|
||
|
||
- 如果条目数超过 `mp_.tcache_count`:`free(): too many chunks detected in tcache`
|
||
- 如果条目未对齐:`free(): unaligned chunk detected in tcache 2`
|
||
- 如果已释放的块已在 tcache 中作为块存在:`free(): double free detected in tcache 2`
|
||
|
||
如果一切顺利,该块将被添加到 tcache 中,并返回函数。
|
||
```c
|
||
// From https://github.com/bminor/glibc/blob/f942a732d37a96217ef828116ebe64a644db18d7/malloc/malloc.c#L4515C1-L4554C7
|
||
#if USE_TCACHE
|
||
{
|
||
size_t tc_idx = csize2tidx (size);
|
||
if (tcache != NULL && tc_idx < mp_.tcache_bins)
|
||
{
|
||
/* Check to see if it's already in the tcache. */
|
||
tcache_entry *e = (tcache_entry *) chunk2mem (p);
|
||
|
||
/* This test succeeds on double free. However, we don't 100%
|
||
trust it (it also matches random payload data at a 1 in
|
||
2^<size_t> chance), so verify it's not an unlikely
|
||
coincidence before aborting. */
|
||
if (__glibc_unlikely (e->key == tcache_key))
|
||
{
|
||
tcache_entry *tmp;
|
||
size_t cnt = 0;
|
||
LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx);
|
||
for (tmp = tcache->entries[tc_idx];
|
||
tmp;
|
||
tmp = REVEAL_PTR (tmp->next), ++cnt)
|
||
{
|
||
if (cnt >= mp_.tcache_count)
|
||
malloc_printerr ("free(): too many chunks detected in tcache");
|
||
if (__glibc_unlikely (!aligned_OK (tmp)))
|
||
malloc_printerr ("free(): unaligned chunk detected in tcache 2");
|
||
if (tmp == e)
|
||
malloc_printerr ("free(): double free detected in tcache 2");
|
||
/* If we get here, it was a coincidence. We've wasted a
|
||
few cycles, but don't abort. */
|
||
}
|
||
}
|
||
|
||
if (tcache->counts[tc_idx] < mp_.tcache_count)
|
||
{
|
||
tcache_put (p, tc_idx);
|
||
return;
|
||
}
|
||
}
|
||
}
|
||
#endif
|
||
```
|
||
</details>
|
||
|
||
### \_int\_free 快速分配区 <a href="#int_free" id="int_free"></a>
|
||
|
||
首先检查大小是否适合快速分配区,并检查是否可能将其设置为接近顶部块。
|
||
|
||
然后,在执行一些检查的同时,将释放的块添加到快速分配区的顶部:
|
||
|
||
- 如果块的大小无效(太大或太小),触发:`free(): invalid next size (fast)`
|
||
- 如果添加的块已经是快速分配区的顶部:`double free or corruption (fasttop)`
|
||
- 如果顶部的块大小与我们正在添加的块的大小不同:`invalid fastbin entry (free)`
|
||
```c
|
||
// From https://github.com/bminor/glibc/blob/f942a732d37a96217ef828116ebe64a644db18d7/malloc/malloc.c#L4556C2-L4631C4
|
||
|
||
/*
|
||
If eligible, place chunk on a fastbin so it can be found
|
||
and used quickly in malloc.
|
||
*/
|
||
|
||
if ((unsigned long)(size) <= (unsigned long)(get_max_fast ())
|
||
|
||
#if TRIM_FASTBINS
|
||
/*
|
||
If TRIM_FASTBINS set, don't place chunks
|
||
bordering top into fastbins
|
||
*/
|
||
&& (chunk_at_offset(p, size) != av->top)
|
||
#endif
|
||
) {
|
||
|
||
if (__builtin_expect (chunksize_nomask (chunk_at_offset (p, size))
|
||
<= CHUNK_HDR_SZ, 0)
|
||
|| __builtin_expect (chunksize (chunk_at_offset (p, size))
|
||
>= av->system_mem, 0))
|
||
{
|
||
bool fail = true;
|
||
/* We might not have a lock at this point and concurrent modifications
|
||
of system_mem might result in a false positive. Redo the test after
|
||
getting the lock. */
|
||
if (!have_lock)
|
||
{
|
||
__libc_lock_lock (av->mutex);
|
||
fail = (chunksize_nomask (chunk_at_offset (p, size)) <= CHUNK_HDR_SZ
|
||
|| chunksize (chunk_at_offset (p, size)) >= av->system_mem);
|
||
__libc_lock_unlock (av->mutex);
|
||
}
|
||
|
||
if (fail)
|
||
malloc_printerr ("free(): invalid next size (fast)");
|
||
}
|
||
|
||
free_perturb (chunk2mem(p), size - CHUNK_HDR_SZ);
|
||
|
||
atomic_store_relaxed (&av->have_fastchunks, true);
|
||
unsigned int idx = fastbin_index(size);
|
||
fb = &fastbin (av, idx);
|
||
|
||
/* Atomically link P to its fastbin: P->FD = *FB; *FB = P; */
|
||
mchunkptr old = *fb, old2;
|
||
|
||
if (SINGLE_THREAD_P)
|
||
{
|
||
/* Check that the top of the bin is not the record we are going to
|
||
add (i.e., double free). */
|
||
if (__builtin_expect (old == p, 0))
|
||
malloc_printerr ("double free or corruption (fasttop)");
|
||
p->fd = PROTECT_PTR (&p->fd, old);
|
||
*fb = p;
|
||
}
|
||
else
|
||
do
|
||
{
|
||
/* Check that the top of the bin is not the record we are going to
|
||
add (i.e., double free). */
|
||
if (__builtin_expect (old == p, 0))
|
||
malloc_printerr ("double free or corruption (fasttop)");
|
||
old2 = old;
|
||
p->fd = PROTECT_PTR (&p->fd, old);
|
||
}
|
||
while ((old = catomic_compare_and_exchange_val_rel (fb, p, old2))
|
||
!= old2);
|
||
|
||
/* Check that size of fastbin chunk at the top is the same as
|
||
size of the chunk that we are adding. We can dereference OLD
|
||
only if we have the lock, otherwise it might have already been
|
||
allocated again. */
|
||
if (have_lock && old != NULL
|
||
&& __builtin_expect (fastbin_index (chunksize (old)) != idx, 0))
|
||
malloc_printerr ("invalid fastbin entry (free)");
|
||
}
|
||
```
|
||
### \_int\_free 最终步骤 <a href="#int_free" id="int_free"></a>
|
||
|
||
如果块尚未分配到任何 bin 上,则调用 `_int_free_merge_chunk`。
|
||
```c
|
||
/*
|
||
Consolidate other non-mmapped chunks as they arrive.
|
||
*/
|
||
|
||
else if (!chunk_is_mmapped(p)) {
|
||
|
||
/* If we're single-threaded, don't lock the arena. */
|
||
if (SINGLE_THREAD_P)
|
||
have_lock = true;
|
||
|
||
if (!have_lock)
|
||
__libc_lock_lock (av->mutex);
|
||
|
||
_int_free_merge_chunk (av, p, size);
|
||
|
||
if (!have_lock)
|
||
__libc_lock_unlock (av->mutex);
|
||
}
|
||
/*
|
||
If the chunk was allocated via mmap, release via munmap().
|
||
*/
|
||
|
||
else {
|
||
munmap_chunk (p);
|
||
}
|
||
}
|
||
```
|
||
</details>
|
||
|
||
## \_int\_free\_merge\_chunk
|
||
|
||
该函数将尝试将大小为SIZE字节的块P与其相邻块合并。将结果块放入未排序的bin列表中。
|
||
|
||
执行一些检查:
|
||
|
||
- 如果块是顶部块:`double free or corruption (top)`
|
||
- 如果下一个块在arena边界之外:`double free or corruption (out)`
|
||
- 如果块未标记为已使用(在以下块的`prev_inuse`中):`double free or corruption (!prev)`
|
||
- 如果下一个块的大小太小或太大:`free(): invalid next size (normal)`
|
||
- 如果前一个块未被使用,它将尝试合并。但是,如果prev\_size与前一个块中指示的大小不同:`corrupted size vs. prev_size while consolidating`
|
||
|
||
<details>
|
||
|
||
<summary>_int_free_merge_chunk 代码</summary>
|
||
```c
|
||
// From https://github.com/bminor/glibc/blob/f942a732d37a96217ef828116ebe64a644db18d7/malloc/malloc.c#L4660C1-L4702C2
|
||
|
||
/* Try to merge chunk P of SIZE bytes with its neighbors. Put the
|
||
resulting chunk on the appropriate bin list. P must not be on a
|
||
bin list yet, and it can be in use. */
|
||
static void
|
||
_int_free_merge_chunk (mstate av, mchunkptr p, INTERNAL_SIZE_T size)
|
||
{
|
||
mchunkptr nextchunk = chunk_at_offset(p, size);
|
||
|
||
/* Lightweight tests: check whether the block is already the
|
||
top block. */
|
||
if (__glibc_unlikely (p == av->top))
|
||
malloc_printerr ("double free or corruption (top)");
|
||
/* Or whether the next chunk is beyond the boundaries of the arena. */
|
||
if (__builtin_expect (contiguous (av)
|
||
&& (char *) nextchunk
|
||
>= ((char *) av->top + chunksize(av->top)), 0))
|
||
malloc_printerr ("double free or corruption (out)");
|
||
/* Or whether the block is actually not marked used. */
|
||
if (__glibc_unlikely (!prev_inuse(nextchunk)))
|
||
malloc_printerr ("double free or corruption (!prev)");
|
||
|
||
INTERNAL_SIZE_T nextsize = chunksize(nextchunk);
|
||
if (__builtin_expect (chunksize_nomask (nextchunk) <= CHUNK_HDR_SZ, 0)
|
||
|| __builtin_expect (nextsize >= av->system_mem, 0))
|
||
malloc_printerr ("free(): invalid next size (normal)");
|
||
|
||
free_perturb (chunk2mem(p), size - CHUNK_HDR_SZ);
|
||
|
||
/* Consolidate backward. */
|
||
if (!prev_inuse(p))
|
||
{
|
||
INTERNAL_SIZE_T prevsize = prev_size (p);
|
||
size += prevsize;
|
||
p = chunk_at_offset(p, -((long) prevsize));
|
||
if (__glibc_unlikely (chunksize(p) != prevsize))
|
||
malloc_printerr ("corrupted size vs. prev_size while consolidating");
|
||
unlink_chunk (av, p);
|
||
}
|
||
|
||
/* Write the chunk header, maybe after merging with the following chunk. */
|
||
size = _int_free_create_chunk (av, p, size, nextchunk, nextsize);
|
||
_int_free_maybe_consolidate (av, size);
|
||
}
|
||
```
|
||
</details>
|
||
|
||
{% hint style="success" %}
|
||
学习并练习AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks 培训 AWS 红队专家 (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
学习并练习GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks 培训 GCP 红队专家 (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
||
<details>
|
||
|
||
<summary>支持 HackTricks</summary>
|
||
|
||
* 检查[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
||
* **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**电报群组**](https://t.me/peass) 或 **关注**我们的**Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github 仓库提交 PR 来分享黑客技巧。
|
||
|
||
</details>
|
||
{% endhint %}
|