Skip to content

Latest commit

 

History

History
189 lines (150 loc) · 8.8 KB

heap-functions-security-checks.md

File metadata and controls

189 lines (150 loc) · 8.8 KB

Heap Functions Security Checks

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

unlink

For more info check:

{% content-ref url="unlink.md" %} unlink.md {% endcontent-ref %}

This is a summary of the performed checks:

  • Check if the indicated size of the chunk is the same as the prev_size indicated in the next chunk
    • Error message: corrupted size vs. prev_size
  • Check also that P->fd->bk == P and P->bk->fw == P
    • Error message: corrupted double-linked list
  • If the chunk is not small, check that P->fd_nextsize->bk_nextsize == P and P->bk_nextsize->fd_nextsize == P
    • Error message: corrupted double-linked list (not small)

_int_malloc

For more info check:

{% content-ref url="malloc-and-sysmalloc.md" %} malloc-and-sysmalloc.md {% endcontent-ref %}

  • Checks during fast bin search:
    • If the chunk is misaligned:
      • Error message: malloc(): unaligned fastbin chunk detected 2
    • If the forward chunk is misaligned:
      • Error message: malloc(): unaligned fastbin chunk detected
    • If the returned chunk has a size that isn't correct because of it's index in the fast bin:
      • Error message: malloc(): memory corruption (fast)
    • If any chunk used to fill the tcache is misaligned:
      • Error message: malloc(): unaligned fastbin chunk detected 3
  • Checks during small bin search:
    • If victim->bk->fd != victim:
      • Error message: malloc(): smallbin double linked list corrupted
  • Checks during consolidate performed for each fast bin chunk:
    • If the chunk is unaligned trigger:
      • Error message: malloc_consolidate(): unaligned fastbin chunk detected
    • If the chunk has a different size that the one it should because of the index it's in:
      • Error message: malloc_consolidate(): invalid chunk size
    • If the previous chunk is not in use and the previous chunk has a size different of the one indicated by prev_chunk:
      • Error message: corrupted size vs. prev_size in fastbins
  • Checks during unsorted bin search:
    • If the chunk size is weird (too small or too big):
      • Error message: malloc(): invalid size (unsorted)
    • If the next chunk size is weird (too small or too big):
      • Error message: malloc(): invalid next size (unsorted)
    • If the previous size indicated by the next chunk differs from the size of the chunk:
      • Error message: malloc(): mismatching next->prev_size (unsorted)
    • If not victim->bck->fd == victim or not victim->fd == av (arena):
      • Error message: malloc(): unsorted double linked list corrupted
      • As we are always checking the las one, it's fd should be pointing always to the arena struct.
    • If the next chunk isn't indicating that the previous is in use:
      • Error message: malloc(): invalid next->prev_inuse (unsorted)
    • If fwd->bk_nextsize->fd_nextsize != fwd:
      • Error message: malloc(): largebin double linked list corrupted (nextsize)
    • If fwd->bk->fd != fwd:
      • Error message: malloc(): largebin double linked list corrupted (bk)
  • Checks during large bin (by index) search:
    • bck->fd-> bk != bck:
      • Error message: malloc(): corrupted unsorted chunks
  • Checks during large bin (next bigger) search:
    • bck->fd-> bk != bck:
      • Error message: malloc(): corrupted unsorted chunks2
  • Checks during Top chunk use:
    • chunksize(av->top) > av->system_mem:
      • Error message: malloc(): corrupted top size

tcache_get_n

  • Checks in tcache_get_n:
    • If chunk is misaligned:
      • Error message: malloc(): unaligned tcache chunk detected

tcache_thread_shutdown

  • Checks in tcache_thread_shutdown:
    • If chunk is misaligned:
      • Error message: tcache_thread_shutdown(): unaligned tcache chunk detected

__libc_realloc

  • Checks in __libc_realloc:
    • If old pointer is misaligned or the size was incorrect:
      • Error message: realloc(): invalid pointer

_int_free

For more info check:

{% content-ref url="free.md" %} free.md {% endcontent-ref %}

  • Checks during the start of _int_free:
    • Pointer is aligned:
      • Error message: free(): invalid pointer
    • Size larger than MINSIZE and size also aligned:
      • Error message: free(): invalid size
  • Checks in _int_free tcache:
    • If there are more entries than mp_.tcache_count:
      • Error message: free(): too many chunks detected in tcache
    • If the entry is not aligned:
      • Error message: free(): unaligned chunk detected in tcache 2
    • If the freed chunk was already freed and is present as chunk in the tcache:
      • Error message: free(): double free detected in tcache 2
  • Checks in _int_free fast bin:
    • If the size of the chunk is invalid (too big or small) trigger:
      • Error message: free(): invalid next size (fast)
    • If the added chunk was already the top of the fast bin:
      • Error message: double free or corruption (fasttop)
    • If the size of the chunk at the top has a different size of the chunk we are adding:
      • Error message: invalid fastbin entry (free)

_int_free_merge_chunk

  • Checks in _int_free_merge_chunk:
    • If the chunk is the top chunk:
      • Error message: double free or corruption (top)
    • If the next chunk is outside of the boundaries of the arena:
      • Error message: double free or corruption (out)
    • If the chunk is not marked as used (in the prev_inuse from the following chunk):
      • Error message: double free or corruption (!prev)
    • If the next chunk has a too little size or too big:
      • Error message: free(): invalid next size (normal)
    • If the previous chunk is not in use, it will try to consolidate. But, if the prev_size differs from the size indicated in the previous chunk:
      • Error message: corrupted size vs. prev_size while consolidating

_int_free_create_chunk

  • Checks in _int_free_create_chunk:
    • Adding a chunk into the unsorted bin, check if unsorted_chunks(av)->fd->bk == unsorted_chunks(av):
      • Error message: free(): corrupted unsorted chunks

do_check_malloc_state

  • Checks in do_check_malloc_state:
    • If misaligned fast bin chunk:
      • Error message: do_check_malloc_state(): unaligned fastbin chunk detected

malloc_consolidate

  • Checks in malloc_consolidate:
    • If misaligned fast bin chunk:
      • Error message: malloc_consolidate(): unaligned fastbin chunk detected
    • If incorrect fast bin chunk size:
      • Error message: malloc_consolidate(): invalid chunk size

_int_realloc

  • Checks in _int_realloc:
    • Size is too big or too small:
      • Error message: realloc(): invalid old size
    • Size of the next chunk is too big or too small:
      • Error message: realloc(): invalid next size

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}