mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-29 08:01:00 +00:00
189 lines
8.8 KiB
Markdown
189 lines
8.8 KiB
Markdown
# Heap Functions Security Checks
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
## unlink
|
|
|
|
For more info check:
|
|
|
|
{% content-ref url="unlink.md" %}
|
|
[unlink.md](unlink.md)
|
|
{% endcontent-ref %}
|
|
|
|
This is a summary of the performed checks:
|
|
|
|
* Check if the indicated size of the chunk is the same as the `prev_size` indicated in the next chunk
|
|
* Error message: `corrupted size vs. prev_size`
|
|
* Check also that `P->fd->bk == P` and `P->bk->fw == P`
|
|
* Error message: `corrupted double-linked list`
|
|
* If the chunk is not small, check that `P->fd_nextsize->bk_nextsize == P` and `P->bk_nextsize->fd_nextsize == P`
|
|
* Error message: `corrupted double-linked list (not small)`
|
|
|
|
## \_int\_malloc
|
|
|
|
For more info check:
|
|
|
|
{% content-ref url="malloc-and-sysmalloc.md" %}
|
|
[malloc-and-sysmalloc.md](malloc-and-sysmalloc.md)
|
|
{% endcontent-ref %}
|
|
|
|
* **Checks during fast bin search:**
|
|
* If the chunk is misaligned:
|
|
* Error message: `malloc(): unaligned fastbin chunk detected 2`
|
|
* If the forward chunk is misaligned:
|
|
* Error message: `malloc(): unaligned fastbin chunk detected`
|
|
* If the returned chunk has a size that isn't correct because of it's index in the fast bin:
|
|
* Error message: `malloc(): memory corruption (fast)`
|
|
* If any chunk used to fill the tcache is misaligned:
|
|
* Error message: `malloc(): unaligned fastbin chunk detected 3`
|
|
* **Checks during small bin search:**
|
|
* If `victim->bk->fd != victim`:
|
|
* Error message: `malloc(): smallbin double linked list corrupted`
|
|
* **Checks during consolidate** performed for each fast bin chunk: 
|
|
* If the chunk is unaligned trigger:
|
|
* Error message: `malloc_consolidate(): unaligned fastbin chunk detected`
|
|
* If the chunk has a different size that the one it should because of the index it's in:
|
|
* Error message: `malloc_consolidate(): invalid chunk size`
|
|
* If the previous chunk is not in use and the previous chunk has a size different of the one indicated by prev\_chunk:
|
|
* Error message: `corrupted size vs. prev_size in fastbins`
|
|
* **Checks during unsorted bin search**:
|
|
* If the chunk size is weird (too small or too big): 
|
|
* Error message: `malloc(): invalid size (unsorted)`
|
|
* If the next chunk size is weird (too small or too big):
|
|
* Error message: `malloc(): invalid next size (unsorted)`
|
|
* If the previous size indicated by the next chunk differs from the size of the chunk:
|
|
* Error message: `malloc(): mismatching next->prev_size (unsorted)`
|
|
* If not `victim->bck->fd == victim` or not `victim->fd == av (arena)`:
|
|
* Error message: `malloc(): unsorted double linked list corrupted`
|
|
* As we are always checking the las one, it's fd should be pointing always to the arena struct.
|
|
* If the next chunk isn't indicating that the previous is in use:
|
|
* Error message: `malloc(): invalid next->prev_inuse (unsorted)`
|
|
* If `fwd->bk_nextsize->fd_nextsize != fwd`:
|
|
* Error message: `malloc(): largebin double linked list corrupted (nextsize)`
|
|
* If `fwd->bk->fd != fwd`:
|
|
* Error message: `malloc(): largebin double linked list corrupted (bk)`
|
|
* **Checks during large bin (by index) search:**
|
|
* `bck->fd-> bk != bck`:
|
|
* Error message: `malloc(): corrupted unsorted chunks`
|
|
* **Checks during large bin (next bigger) search:**
|
|
* `bck->fd-> bk != bck`:
|
|
* Error message: `malloc(): corrupted unsorted chunks2`
|
|
* **Checks during Top chunk use:**
|
|
* `chunksize(av->top) > av->system_mem`:
|
|
* Error message: `malloc(): corrupted top size`
|
|
|
|
## `tcache_get_n`
|
|
|
|
* **Checks in `tcache_get_n`:**
|
|
* If chunk is misaligned:
|
|
* Error message: `malloc(): unaligned tcache chunk detected`
|
|
|
|
## `tcache_thread_shutdown`
|
|
|
|
* **Checks in `tcache_thread_shutdown`:**
|
|
* If chunk is misaligned:
|
|
* Error message: `tcache_thread_shutdown(): unaligned tcache chunk detected`
|
|
|
|
## `__libc_realloc`
|
|
|
|
* **Checks in `__libc_realloc`:**
|
|
* If old pointer is misaligned or the size was incorrect:
|
|
* Error message: `realloc(): invalid pointer`
|
|
|
|
## `_int_free`
|
|
|
|
For more info check:
|
|
|
|
{% content-ref url="free.md" %}
|
|
[free.md](free.md)
|
|
{% endcontent-ref %}
|
|
|
|
* **Checks during the start of `_int_free`:**
|
|
* Pointer is aligned:
|
|
* Error message: `free(): invalid pointer`
|
|
* Size larger than `MINSIZE` and size also aligned:
|
|
* Error message: `free(): invalid size`
|
|
* **Checks in `_int_free` tcache:**
|
|
* If there are more entries than `mp_.tcache_count`:
|
|
* Error message: `free(): too many chunks detected in tcache`
|
|
* If the entry is not aligned:
|
|
* Error message: `free(): unaligned chunk detected in tcache 2`
|
|
* If the freed chunk was already freed and is present as chunk in the tcache:
|
|
* Error message: `free(): double free detected in tcache 2`
|
|
* **Checks in `_int_free` fast bin:**
|
|
* If the size of the chunk is invalid (too big or small) trigger:
|
|
* Error message: `free(): invalid next size (fast)`
|
|
* If the added chunk was already the top of the fast bin:
|
|
* Error message: `double free or corruption (fasttop)`
|
|
* If the size of the chunk at the top has a different size of the chunk we are adding:
|
|
* Error message: `invalid fastbin entry (free)`
|
|
|
|
## **`_int_free_merge_chunk`**
|
|
|
|
* **Checks in `_int_free_merge_chunk`:**
|
|
* If the chunk is the top chunk:
|
|
* Error message: `double free or corruption (top)`
|
|
* If the next chunk is outside of the boundaries of the arena:
|
|
* Error message: `double free or corruption (out)`
|
|
* If the chunk is not marked as used (in the prev\_inuse from the following chunk):
|
|
* Error message: `double free or corruption (!prev)`
|
|
* If the next chunk has a too little size or too big:
|
|
* Error message: `free(): invalid next size (normal)`
|
|
* If the previous chunk is not in use, it will try to consolidate. But, if the `prev_size` differs from the size indicated in the previous chunk:
|
|
* Error message: `corrupted size vs. prev_size while consolidating`
|
|
|
|
## **`_int_free_create_chunk`**
|
|
|
|
* **Checks in `_int_free_create_chunk`:**
|
|
* Adding a chunk into the unsorted bin, check if `unsorted_chunks(av)->fd->bk == unsorted_chunks(av)`:
|
|
* Error message: `free(): corrupted unsorted chunks`
|
|
|
|
## `do_check_malloc_state`
|
|
|
|
* **Checks in `do_check_malloc_state`:**
|
|
* If misaligned fast bin chunk:
|
|
* Error message: `do_check_malloc_state(): unaligned fastbin chunk detected`
|
|
|
|
## `malloc_consolidate`
|
|
|
|
* **Checks in `malloc_consolidate`:**
|
|
* If misaligned fast bin chunk:
|
|
* Error message: `malloc_consolidate(): unaligned fastbin chunk detected`
|
|
* If incorrect fast bin chunk size:
|
|
* Error message: `malloc_consolidate(): invalid chunk size`
|
|
|
|
## `_int_realloc`
|
|
|
|
* **Checks in `_int_realloc`:**
|
|
* Size is too big or too small:
|
|
* Error message: `realloc(): invalid old size`
|
|
* Size of the next chunk is too big or too small:
|
|
* Error message: `realloc(): invalid next size`
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|