@H4l0
2019-06-16T02:59:59.000000Z
字数 12753
阅读 1672
源代码分析
分析一下 free 函数过程的代码,在分析时如果遇到 pwn 中可以利用的点会概括一下利用思路。
free -> __libc_free -> _int_free
整体代码:
void__libc_free (void *mem){mstate ar_ptr;mchunkptr p; /* chunk corresponding to mem */void (*hook) (void *, const void *)= atomic_forced_read (__free_hook);if (__builtin_expect (hook != NULL, 0)){(*hook)(mem, RETURN_ADDRESS (0));return;}if (mem == 0) /* free(0) has no effect */return;p = mem2chunk (mem);if (chunk_is_mmapped (p)) /* release mmapped memory. */{/* See if the dynamic brk/mmap threshold needs adjusting.Dumped fake mmapped chunks do not affect the threshold. */if (!mp_.no_dyn_threshold&& chunksize_nomask (p) > mp_.mmap_threshold&& chunksize_nomask (p) <= DEFAULT_MMAP_THRESHOLD_MAX&& !DUMPED_MAIN_ARENA_CHUNK (p)){mp_.mmap_threshold = chunksize (p);mp_.trim_threshold = 2 * mp_.mmap_threshold;LIBC_PROBE (memory_mallopt_free_dyn_thresholds, 2,mp_.mmap_threshold, mp_.trim_threshold);}munmap_chunk (p);return;}MAYBE_INIT_TCACHE ();ar_ptr = arena_for_chunk (p);_int_free (ar_ptr, p, 0);}
void *mem // 通用类型的指针,指向 memory 区域
mstate ar_ptr; // 指向 malloc_state 结构体的指针mchunkptr p; //
malloc_state 的定义:
typedef struct malloc_state *mstate;struct malloc_state{/* Serialize access. */__libc_lock_define (, mutex);/* Flags (formerly in max_fast). */int flags;/* Set if the fastbin chunks contain recently inserted free blocks. *//* Note this is a bool but not all targets support atomics on booleans. */int have_fastchunks;/* Fastbins */mfastbinptr fastbinsY[NFASTBINS];/* Base of the topmost chunk -- not otherwise kept in a bin */mchunkptr top;/* The remainder from the most recent split of a small request */mchunkptr last_remainder;/* Normal bins packed as described above */mchunkptr bins[NBINS * 2 - 2];/* Bitmap of bins */unsigned int binmap[BINMAPSIZE];/* Linked list */struct malloc_state *next;/* Linked list for free arenas. Access to this field is serializedby free_list_lock in arena.c. */struct malloc_state *next_free;/* Number of threads attached to this arena. 0 if the arena is onthe free list. Access to this field is serialized byfree_list_lock in arena.c. */INTERNAL_SIZE_T attached_threads;/* Memory allocated from the system in this arena. */INTERNAL_SIZE_T system_mem;INTERNAL_SIZE_T max_system_mem;};
mchunkptr 为指向 malloc_chunk 结构体的指针
typedef struct malloc_chunk* mchunkptr;struct malloc_chunk {INTERNAL_SIZE_T mchunk_prev_size; /* Size of previous chunk (if free). */INTERNAL_SIZE_T mchunk_size; /* Size in bytes, including overhead. */struct malloc_chunk* fd; /* double links -- used only if free. */struct malloc_chunk* bk;/* Only used for large blocks: pointer to next larger size. */struct malloc_chunk* fd_nextsize; /* double links -- used only if free. */struct malloc_chunk* bk_nextsize;};
2 . 定义一个 hook 的函数指针,将 __free_hook 函数指针赋值给他。
void (*hook) (void *, const void *)= atomic_forced_read (__free_hook);if (__builtin_expect (hook != NULL, 0)){(*hook)(mem, RETURN_ADDRESS (0));return;}
如果 (*hook) 的值不为空就执行函数,参数为 mem 指针,和一个返回地址的定义。
#define RETURN_ADDRESS(nr) \__builtin_extract_return_addr (__builtin_return_address (nr))
__free_hook 默认是一个空指针。同样是定义在 malloc.c 中
void weak_variable (*__free_hook) (void *__ptr,const void *) = NULL;
3 . 判断 mem 是不是一个指针,如果指向 0 继续 free 的话是无影响的。
同时通过 mem2chunk 函数取得传入的 mem 对应的 chunk 的指针给变量 p。
if (mem == 0) /* free(0) has no effect */return;p = mem2chunk (mem);
mem2chunk 函数的定义:
#define mem2chunk(mem) ((mchunkptr)((char*)(mem) - 2*SIZE_SZ))
这里定义的比较清楚了,拿到 mem 的指针(void *)转换为 char 类型的指针(1 字节),减去 prev_size 和 size 的大小,就得到了指向当前 chunk 的指针。
也就是和下面表示的从 mem 指针到 chunk 指针的过程一样。
chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Size of previous chunk, if unallocated (P clear) |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Size of chunk, in bytes |A|M|P|mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
4 . 检查 p 是否为 mmap 映射过来的内存区域
if (chunk_is_mmapped (p)) /* release mmapped memory. */{/* See if the dynamic brk/mmap threshold needs adjusting.Dumped fake mmapped chunks do not affect the threshold. */if (!mp_.no_dyn_threshold&& chunksize_nomask (p) > mp_.mmap_threshold&& chunksize_nomask (p) <= DEFAULT_MMAP_THRESHOLD_MAX&& !DUMPED_MAIN_ARENA_CHUNK (p)){mp_.mmap_threshold = chunksize (p);mp_.trim_threshold = 2 * mp_.mmap_threshold;LIBC_PROBE (memory_mallopt_free_dyn_thresholds, 2,mp_.mmap_threshold, mp_.trim_threshold);}munmap_chunk (p);
如果根据 size 区域的 M 指示确实是 mmap 的内存的话,经过一系列的判断就调用 munmap_chunk 函数来 free 掉这块内存。
#define IS_MMAPPED 0x2 /* check for mmap()'ed chunk */#define chunk_is_mmapped(p) ((p)->mchunk_size & IS_MMAPPED)
通过 p 结构体指针拿到他的 size 的值,与 0x2 直接异或,如果不为 0 就说明是 M 标志是 1,也就是通过 mmap 分配过来的内存。
判断的条件涉及到的东西太多就暂时不看了。
直接看 munmap_chunk 函数的定义:
munmap_chunk (mchunkptr p){size_t pagesize = GLRO (dl_pagesize);INTERNAL_SIZE_T size = chunksize (p);assert (chunk_is_mmapped (p));/* Do nothing if the chunk is a faked mmapped chunk in the dumpedmain arena. We never free this memory. */if (DUMPED_MAIN_ARENA_CHUNK (p))return;uintptr_t mem = (uintptr_t) chunk2mem (p);uintptr_t block = (uintptr_t) p - prev_size (p);size_t total_size = prev_size (p) + size;/* Unfortunately we have to do the compilers job by hand here. Normallywe would test BLOCK and TOTAL-SIZE separately for compliance with thepage size. But gcc does not recognize the optimization possibility(in the moment at least) so we combine the two values into one beforethe bit test. */if (__glibc_unlikely ((block | total_size) & (pagesize - 1)) != 0|| __glibc_unlikely (!powerof2 (mem & (pagesize - 1))))malloc_printerr ("munmap_chunk(): invalid pointer");atomic_decrement (&mp_.n_mmaps);atomic_add (&mp_.mmapped_mem, -total_size);/* If munmap failed the process virtual memory address space is in abad shape. Just leave the block hanging around, the process willterminate shortly anyway since not much can be done. */__munmap ((char *) block, total_size);}
前面也是两个定义:
获取 pagesize 和 chunk 的 size 的大小。
size_t pagesize = GLRO (dl_pagesize);INTERNAL_SIZE_T size = chunksize (p);
获取 chunk 的 mem 指针,并获取上一个 chunk 的地址和这两个 chunk 总的大小(total_size),看样子要进行合并操作。
uintptr_t mem = (uintptr_t) chunk2mem (p);uintptr_t block = (uintptr_t) p - prev_size (p);size_t total_size = prev_size (p) + size;typedef unsigned long int uintptr_t;
合法性判断:
if (__glibc_unlikely ((block | total_size) & (pagesize - 1)) != 0|| __glibc_unlikely (!powerof2 (mem & (pagesize - 1))))malloc_printerr ("munmap_chunk(): invalid pointer");# define __glibc_unlikely(cond) __builtin_expect ((cond), 0)
具体的步骤太复杂了,大概意思就是减少 mmap 的内存大小,从函数名字也可以看得出来。
atomic_decrement (&mp_.n_mmaps);atomic_add (&mp_.mmapped_mem, -total_size);
错误判断。
__munmap ((char *) block, total_size);int__munmap (void *addr, size_t len){__set_errno (ENOSYS);return -1;}
所以这里主要对 mmap 进行操作就是 atomic_decrement、atomic_add 这两个函数。
5 . 回到 __libc_free 函数中继续往下
这里涉及到 tcache 机制的就暂时先不看了。
MAYBE_INIT_TCACHE (); // 判断是否使用 tcache ,存在的话就调用 tcache_init() 进行初始化
检查这个块是不是位于主分配区,如果是的话就拿到 main_arena 的地址。
ar_ptr = arena_for_chunk (p);#define arena_for_chunk(ptr) \(chunk_main_arena (ptr) ? &main_arena : heap_for_ptr (ptr)->ar_ptr)
将 ar_ptr,p 传入 _int_free 中,交给 _int_free 处理。
_int_free (ar_ptr, p, 0);
至此,__libc_free 函数的代码就大概分析完了,总结一下他做了什么事。
1. 判断 __free_hook 是否存在(pwn 中经常通过写 one_gadget 到这里触发)
2. 判读是不是 mmap 过来的区域,是的话直接就交给 munmap_chunk 处理了。
3. 各种检查性判断。
整体代码:
static void_int_free (mstate av, mchunkptr p, int have_lock){INTERNAL_SIZE_T size; /* its size */mfastbinptr *fb; /* associated fastbin */mchunkptr nextchunk; /* next contiguous chunk */INTERNAL_SIZE_T nextsize; /* its size */int nextinuse; /* true if nextchunk is used */INTERNAL_SIZE_T prevsize; /* size of previous contiguous chunk */mchunkptr bck; /* misc temp for linking */mchunkptr fwd; /* misc temp for linking */size = chunksize (p);/* Little security check which won't hurt performance: theallocator never wrapps around at the end of the address space.Therefore we can exclude some size values which might appearhere by accident or by "design" from some intruder. */if (__builtin_expect ((uintptr_t) p > (uintptr_t) -size, 0)|| __builtin_expect (misaligned_chunk (p), 0))malloc_printerr ("free(): invalid pointer");/* We know that each chunk is at least MINSIZE bytes in size or amultiple of MALLOC_ALIGNMENT. */if (__glibc_unlikely (size < MINSIZE || !aligned_OK (size)))malloc_printerr ("free(): invalid size");check_inuse_chunk(av, p);....../*If eligible, place chunk on a fastbin so it can be foundand used quickly in malloc.*/if ((unsigned long)(size) <= (unsigned long)(get_max_fast ())#if TRIM_FASTBINS/*If TRIM_FASTBINS set, don't place chunksbordering top into fastbins*/&& (chunk_at_offset(p, size) != av->top)#endif) {if (__builtin_expect (chunksize_nomask (chunk_at_offset (p, size))<= 2 * SIZE_SZ, 0)|| __builtin_expect (chunksize (chunk_at_offset (p, size))>= av->system_mem, 0)){bool fail = true;/* We might not have a lock at this point and concurrent modificationsof system_mem might result in a false positive. Redo the test aftergetting the lock. */if (!have_lock){__libc_lock_lock (av->mutex);fail = (chunksize_nomask (chunk_at_offset (p, size)) <= 2 * SIZE_SZ|| chunksize (chunk_at_offset (p, size)) >= av->system_mem);__libc_lock_unlock (av->mutex);}if (fail)malloc_printerr ("free(): invalid next size (fast)");}free_perturb (chunk2mem(p), size - 2 * SIZE_SZ);atomic_store_relaxed (&av->have_fastchunks, true);unsigned int idx = fastbin_index(size);fb = &fastbin (av, idx);/* Atomically link P to its fastbin: P->FD = *FB; *FB = P; */mchunkptr old = *fb, old2;if (SINGLE_THREAD_P){/* Check that the top of the bin is not the record we are going toadd (i.e., double free). */if (__builtin_expect (old == p, 0))malloc_printerr ("double free or corruption (fasttop)");p->fd = old;*fb = p;}elsedo{/* Check that the top of the bin is not the record we are going toadd (i.e., double free). */if (__builtin_expect (old == p, 0))malloc_printerr ("double free or corruption (fasttop)");p->fd = old2 = old;}while ((old = catomic_compare_and_exchange_val_rel (fb, p, old2))!= old2);/* Check that size of fastbin chunk at the top is the same assize of the chunk that we are adding. We can dereference OLDonly if we have the lock, otherwise it might have already beenallocated again. */if (have_lock && old != NULL&& __builtin_expect (fastbin_index (chunksize (old)) != idx, 0))malloc_printerr ("invalid fastbin entry (free)");}/*Consolidate other non-mmapped chunks as they arrive.*/else if (!chunk_is_mmapped(p)) {/* If we're single-threaded, don't lock the arena. */if (SINGLE_THREAD_P)have_lock = true;if (!have_lock)__libc_lock_lock (av->mutex);nextchunk = chunk_at_offset(p, size);/* Lightweight tests: check whether the block is already thetop block. */if (__glibc_unlikely (p == av->top))malloc_printerr ("double free or corruption (top)");/* Or whether the next chunk is beyond the boundaries of the arena. */if (__builtin_expect (contiguous (av)&& (char *) nextchunk>= ((char *) av->top + chunksize(av->top)), 0))malloc_printerr ("double free or corruption (out)");/* Or whether the block is actually not marked used. */if (__glibc_unlikely (!prev_inuse(nextchunk)))malloc_printerr ("double free or corruption (!prev)");nextsize = chunksize(nextchunk);if (__builtin_expect (chunksize_nomask (nextchunk) <= 2 * SIZE_SZ, 0)|| __builtin_expect (nextsize >= av->system_mem, 0))malloc_printerr ("free(): invalid next size (normal)");free_perturb (chunk2mem(p), size - 2 * SIZE_SZ);/* consolidate backward */if (!prev_inuse(p)) {prevsize = prev_size (p);size += prevsize;p = chunk_at_offset(p, -((long) prevsize));if (__glibc_unlikely (chunksize(p) != prevsize))malloc_printerr ("corrupted size vs. prev_size while consolidating");unlink_chunk (av, p);}if (nextchunk != av->top) {/* get and clear inuse bit */nextinuse = inuse_bit_at_offset(nextchunk, nextsize);/* consolidate forward */if (!nextinuse) {unlink_chunk (av, nextchunk);size += nextsize;} elseclear_inuse_bit_at_offset(nextchunk, 0);/*Place the chunk in unsorted chunk list. Chunks arenot placed into regular bins until after they havebeen given one chance to be used in malloc.*/bck = unsorted_chunks(av);fwd = bck->fd;if (__glibc_unlikely (fwd->bk != bck))malloc_printerr ("free(): corrupted unsorted chunks");p->fd = fwd;p->bk = bck;if (!in_smallbin_range(size)){p->fd_nextsize = NULL;p->bk_nextsize = NULL;}bck->fd = p;fwd->bk = p;set_head(p, size | PREV_INUSE);set_foot(p, size);check_free_chunk(av, p);}/*If the chunk borders the current high end of memory,consolidate into top*/else {size += nextsize;set_head(p, size | PREV_INUSE);av->top = p;check_chunk(av, p);}/*If freeing a large space, consolidate possibly-surroundingchunks. Then, if the total unused topmost memory exceeds trimthreshold, ask malloc_trim to reduce top.Unless max_fast is 0, we don't know if there are fastbinsbordering top, so we cannot tell for sure whether thresholdhas been reached unless fastbins are consolidated. But wedon't want to consolidate on each free. As a compromise,consolidation is performed if FASTBIN_CONSOLIDATION_THRESHOLDis reached.*/if ((unsigned long)(size) >= FASTBIN_CONSOLIDATION_THRESHOLD) {if (atomic_load_relaxed (&av->have_fastchunks))malloc_consolidate(av);if (av == &main_arena) {#ifndef MORECORE_CANNOT_TRIMif ((unsigned long)(chunksize(av->top)) >=(unsigned long)(mp_.trim_threshold))systrim(mp_.top_pad, av);#endif} else {/* Always try heap_trim(), even if the top chunk is notlarge, because the corresponding heap might go away. */heap_info *heap = heap_for_ptr(top(av));assert(heap->ar_ptr == av);heap_trim(heap, mp_.top_pad);}}if (!have_lock)__libc_lock_unlock (av->mutex);}/*If the chunk was allocated via mmap, release via munmap().*/else {munmap_chunk (p);}}
代码有些长,其中把 use_tcache 的判断都去掉了。还是一步步来看。
定义的变量如下,获取堆块的基本信息。
INTERNAL_SIZE_T size; /* sizeof(unsigned long int) */mfastbinptr *fb; /* 指向 chunk 结构体的指针*/typedef struct malloc_chunk *mfastbinptr;mchunkptr nextchunk; /* 指向 chunk 结构体的指针 */typedef struct malloc_chunk* mchunkptr;INTERNAL_SIZE_T nextsize; /* sizeof(unsigned long int) */int nextinuse; /* 指示下一个 chunk 是否是已经使用的 */INTERNAL_SIZE_T prevsize; /* prevsize */mchunkptr bck; /* 指向 chunk 结构体的指针,bk 指针 */mchunkptr fwd; /* m指向 chunk 结构体的指针,fd 指针 */
获取除去标志位的真实 chunk 的 size 的大小。
size = chunksize (p);=>#define SIZE_BITS (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)#define chunksize(p) (chunksize_nomask (p) & ~(SIZE_BITS))=>#define chunksize_nomask(p) ((p)->mchunk_size)