glibc-malloc源码分析

2020-09-28

字数统计: 15.8k字 | 阅读时长≈ 76分

做了很久pwn题，但是还没有系统的对 glibc 源码进行过分析与总结。这样的感觉，总觉得自己学得东西很片面，不够系统，也不够牢固。所以觉得自己还是需要花一些时间好好研究一下源码，特别是堆机制的重点。虽然自己写代码很烂，看代码的能力也很烂，但是加油吧。

源码调试

之前在windows里用windbg可以使用调试符号，对于调试很方便，所以就想到linux下应该也有。结果 glibc更爽直接有源码，加入 Glibc 源码调试的方法吧，这样可以迅速定位自己报错的原因，对于glib里的各项检查，也能够有更清晰的认识吧。

首先下载源代码和调试符号：（下面示例是2.23的）

1
2
3

sudo apt-get install glibc-source 
sudo apt-get install libc6-dbg 
sudo tar xf /usr/src/glibc/glibc-2.23.tar.xz

随后在 pwndbg里输入，就能加载malloc文件夹下的源代码了：

1	pwndbg> directory /usr/src/glibc/glibc-2.23/malloc/

然后就可以在 malloc 或者 free 等函数里下断点了。

基本结构

malloc_chunk

由 malloc 申请的内存为chunk，其申请的数据结构为 malloc_chunk 结构体来表示。当一个chunk 执行 free 函数时，malloc_chunk 会被加入到相应的空闲管理列表。malloc_chunk 结构体如下，其中我加入了中文注释，更细节的讲解可以参考https://ctf-wiki.github.io/ctf-wiki/pwn/linux/glibc-heap/heap_structure-zh/。

struct malloc_chunk {
    //如果前一块被释放，该处存储前一块的大小
    INTERNAL_SIZE_T mchunk_prev_size; /* Size of previous chunk (if free).  */
    //本块的大小，包含堆头
    INTERNAL_SIZE_T mchunk_size;      /* Size in bytes, including overhead. */
    //双链表结构，只有当堆块被释放时使用
    struct malloc_chunk *fd; /* double links -- used only if free. */
    struct malloc_chunk *bk;
    //只有在本堆块为large chunk时，且被释放才会使用
    //指向前一个large chunk 和 后一个 large chunk 的大小
    /* Only used for large blocks: pointer to next larger size.  */
    struct malloc_chunk *fd_nextsize; /* double links -- used only if free. */
    struct malloc_chunk *bk_nextsize;
};

/*
   malloc_chunk details:

    (The following includes lightly edited explanations by Colin Plumb.)

    Chunks of memory are maintained using a `boundary tag' method as
    described in e.g., Knuth or Standish.  (See the paper by Paul
    Wilson ftp://ftp.cs.utexas.edu/pub/garbage/allocsrv.ps for a
    survey of such techniques.)  Sizes of free chunks are stored both
    in the front of each chunk and at the end.  This makes
    consolidating fragmented chunks into bigger chunks very fast.  The
    size fields also hold bits representing whether chunks are free or
    in use.

    An allocated chunk looks like this:


    chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |             Size of previous chunk, if unallocated (P clear)  |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |             Size of chunk, in bytes                     |A|M|P|
      mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |             User data starts here...                          .
        .                                                               .
        .             (malloc_usable_size() bytes)                      .
        .                                                               |
nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |             (size of chunk, but used for application data)    |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |             Size of next chunk, in bytes                |A|0|1|
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    //mem 地址是系统将会给用户返回的指针
    Where "chunk" is the front of the chunk for the purpose of most of
    the malloc code, but "mem" is the pointer that is returned to the
    user.  "Nextchunk" is the beginning of the next contiguous chunk.
    //Nextchunk是与本块连续的堆块
    Chunks always begin on even word boundaries, so the mem portion
    (which is returned to the user) is also on an even word boundary, and
    thus at least double-word aligned.
    //被释放的堆块格式如下
    Free chunks are stored in circular doubly-linked lists, and look like this:

    chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |             Size of previous chunk, if unallocated (P clear)  |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    `head:' |             Size of chunk, in bytes                     |A|0|P|
      mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |             Forward pointer to next chunk in list             |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |             Back pointer to previous chunk in list            |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |             Unused space (may be 0 bytes long)                .
        .                                                               .
        .                                                               |
nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    `foot:' |             Size of chunk, in bytes                           |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |             Size of next chunk, in bytes                |A|0|0|
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    //堆头 P 1bit标志位表示该块的前一个堆块是否处于使用状态，使用为1，被释放为0
    //当P 标志位被置0，那么 previouse chunk size 地址将会存储前一个堆块的 size大小
    //这样即可快速的 查找到前一个空闲堆块的堆头
    //第一个堆块的 P 标志位都是被置为1，这样既可防止访问前面的内存区域
    The P (PREV_INUSE) bit, stored in the unused low-order bit of the
    chunk size (which is always a multiple of two words), is an in-use
    bit for the *previous* chunk.  If that bit is *clear*, then the
    word before the current chunk size contains the previous chunk
    size, and can be used to find the front of the previous chunk.
    The very first chunk allocated always has this bit set,
    preventing access to non-existent (or non-owned) memory. If
    prev_inuse is set for any given chunk, then you CANNOT determine
    the size of the previous chunk, and might even get a memory
    addressing fault when trying to do so.
    // 堆头 A 1 bit 标志位在堆被初始化时会被清空，表示该堆块是 主线程分配的堆块
    //如果非主线程分配了堆块，则 A 标志位则会被设置
    The A (NON_MAIN_ARENA) bit is cleared for chunks on the initial,
    main arena, described by the main_arena variable.  When additional
    threads are spawned, each thread receives its own arena (up to a
    configurable limit, after which arenas are reused for multiple
    threads), and the chunks in these arenas have the A bit set.  To
    find the arena for a chunk on such a non-main arena, heap_for_ptr
    performs a bit mask operation and indirection through the ar_ptr
    member of the per-heap header heap_info (see arena.c).
    //当前堆块的堆尾 是指 其下一个堆块的 prev_size 的位置
    Note that the `foot' of the current chunk is actually represented
    as the prev_size of the NEXT chunk. This makes it easier to
    deal with alignments etc but can be very confusing when trying
    to extend or adapt this code.
    //三个注意

    The three exceptions to all this are:
    //top 堆块永远存在，并且不存在 prev_size字段，因为其后面没有连续的堆块
     1. The special chunk `top' doesn't bother using the
    trailing size field since there is no next contiguous chunk
    that would have to index off it. After initialization, `top'
    is forced to always exist.  If it would become less than
    MINSIZE bytes long, it is replenished.
    //通过 mmap 分配的堆块 其 M 被置位
     2. Chunks allocated via mmap, which have the second-lowest-order
    bit M (IS_MMAPPED) set in their size fields.  Because they are
    allocated one-by-one, each must contain its own trailing size
    field.  If the M bit is set, the other bits are ignored
    (because mmapped chunks are neither in an arena, nor adjacent
    to a freed chunk).  The M bit is also used for chunks which
    originally came from a dumped heap via malloc_set_state in
    hooks.c.
    //fastbin 中的chunk 其 P 标志位被置位，可以防止堆块合并
    //fastbin 堆块只有在 bulk 或者 malloc_consolidate函数时才会发生堆合并
     3. Chunks in fastbins are treated as allocated chunks from the
    point of view of the chunk allocator.  They are consolidated
    with their neighbors only in bulk, in malloc_consolidate.
*/

malloc_stats

每个分配区即一个 malloc_state 结构体实例，ptmalloc 使用这个结构来管理每一个分配区，而参数的管理使用的是 malloc_par 结构体，全局拥有一个该结构体的实例。关于此结构体的讲解，可以参考https://www.lyyl.online/2019/09/28/malloc%E5%92%8Cfree%E6%BA%90%E7%A0%81%E5%88%86%E6%9E%90/。

struct malloc_state {
    /* Serialize access.  */
    //进程互斥锁
    __libc_lock_define(, mutex);

    /* Flags (formerly in max_fast).  */
    //标志位用来表示当前arena中是否存在fastbin或者内存是否连续等
    int flags;

    /* Fastbins */
    //存放每个fastbin链表的头指针，最多支持的bin的个数为10个
    mfastbinptr fastbinsY[ NFASTBINS ];

    /* Base of the topmost chunk -- not otherwise kept in a bin */
    //top chunk堆头
    mchunkptr top;

    /* The remainder from the most recent split of a small request */
    //指向上一个chunk分配出一个small chunk之后剩余的部分
    mchunkptr last_remainder;

    /* Normal bins packed as described above */
    //存储unsortedbin、small bin、large bin的链表头
    mchunkptr bins[ NBINS * 2 - 2 ];

    /* Bitmap of bins */
    //每一个bit表示对应的bin中是否存在空闲chunk
    unsigned int binmap[ BINMAPSIZE ];

    /* Linked list */
    struct malloc_state *next;

    /* Linked list for free arenas.  Access to this field is serialized
       by free_list_lock in arena.c.  */
    struct malloc_state *next_free;

    /* Number of threads attached to this arena.  0 if the arena is on
       the free list.  Access to this field is serialized by
       free_list_lock in arena.c.  */
    INTERNAL_SIZE_T attached_threads;

    /* Memory allocated from the system in this arena.  */
    //当前内存的分配量
    INTERNAL_SIZE_T system_mem;
    INTERNAL_SIZE_T max_system_mem;
};

分配区是为了加速多线程分配内存而引入的，主分配区和子分配区形成一个环形链表，每一个线程都存在一个私有的变量存放分配区指针，在分配内存的时候，查看哪个分配区没有上锁，即在哪个分配区分配内存，如果分配区全部被占用，则建立一个新的分配区。

主分配区可使用 sbrk 和 mmap 两种分配方式，相对的子分配区则是预先使用 mmap 申请一块较大的内存。关于 sbrk 和 mmap 的区别，会在 house of orange 中需要注意。

/* offset 2 to use otherwise unindexable first 2 bins */
#define fastbin_index(sz)                                                      \
    ((((unsigned int) (sz)) >> (SIZE_SZ == 8 ? 4 : 3)) - 2)

/* The maximum fastbin request size we support */
#define MAX_FAST_SIZE (80 * SIZE_SZ / 4)

#define NFASTBINS (fastbin_index(request2size(MAX_FAST_SIZE)) + 1)

SIZE_SZ 在64位中是 64 位无符号整数，32位中是 32 位无符号整数。

那么对于 64 位系统 MAX_FAS_SIZE = 160字节，32系统 MAX_FAST_SIZE = 80 字节；此处的数据大小都是不包含 chunk 头部的。

根据请求的 sz 计算 fastbin_index 是通过将 sz 64位系统左移4位，32位系统左移 3 位，减去 2。减2 是因为 fastbin 最小的 CHUNK_SIZE 不是从 0 开始的，而是 64位从 0x20 开始，32位从 0x10 开始。

bins 变量中存储了 unsortedbin, small bin(62), large bin(63) 的链表头指针，其中 bins[0]，bins[127] 都不存在，bins[1] 中存储了 unsortedbin 的 chunk 的链表头部，mchunkptr 是 malloc_chunk 的结构体指针。

mchunkptr bins[ NBINS * 2 - 2 ]：
bins[1]: unsorted bin
bins[2]: small bin(1)
...
bins[63]: small bin(62)
bins[64]: large bin(1)
bins[65]: large bin(2)
...
bins[126]: large bin(63)

small bin：根据用户请求的 sz 大小得到 small bin的下标的方法是：chunk_size = MALLOC_ALIGNMENT * indx，其中 MALLOC_ALIGNMENT = 2 * SIZE_SZ。所以对于 32位，最大 chunk 为 504字节，对于64最大为 1008 字节。

/*
   Indexing

    Bins for sizes < 512 bytes contain chunks of all the same size, spaced
    8 bytes apart. Larger bins are approximately logarithmically spaced:

    64 bins of size       8
    32 bins of size      64
    16 bins of size     512
     8 bins of size    4096
     4 bins of size   32768
     2 bins of size  262144
     1 bin  of size what's left

    There is actually a little bit of slop in the numbers in bin_index
    for the sake of speed. This makes no difference elsewhere.

    The bins top out around 1MB because we expect to service large
    requests via mmap.

    Bin 0 does not exist.  Bin 1 is the unordered list; if that would be
    a valid chunk size the small bins are bumped up one.
 */
//bins 总的数量
#define NBINS 128
//Small bin大小
#define NSMALLBINS 64
#define SMALLBIN_WIDTH MALLOC_ALIGNMENT
//是否需要对 small bin的下标进行纠正
#define SMALLBIN_CORRECTION (MALLOC_ALIGNMENT > 2 * SIZE_SZ)
#define MIN_LARGE_SIZE ((NSMALLBINS - SMALLBIN_CORRECTION) * SMALLBIN_WIDTH)
//small bin 的size范围小于large chunk的最小sizec
#define in_smallbin_range(sz)                                                  \
    ((unsigned long) (sz) < (unsigned long) MIN_LARGE_SIZE)
//根据sz得到smallbin 的序号
#define smallbin_index(sz)                                                     \
    ((SMALLBIN_WIDTH == 16 ? (((unsigned) (sz)) >> 4)                          \
                           : (((unsigned) (sz)) >> 3)) +                       \
     SMALLBIN_CORRECTION)

large bin：共包含 63 个 bin，每个 bin 中的chunk 大小不一致，而是在一定范围之内，63个 bin 被分成 6 组，每组 Bin 的 chunk 的大小之间的公差一致。

largebin 排列方式从大到小依次排列，链表头的 bk 指针指向最小的堆块：

//根据sz计算其处于的不同large bin链表，最终得到最适合的large bin
#define largebin_index_32(sz)                                                  \
    (((((unsigned long) (sz)) >> 6) <= 38)                                     \
         ? 56 + (((unsigned long) (sz)) >> 6)                                  \
         : ((((unsigned long) (sz)) >> 9) <= 20)                               \
               ? 91 + (((unsigned long) (sz)) >> 9)                            \
               : ((((unsigned long) (sz)) >> 12) <= 10)                        \
                     ? 110 + (((unsigned long) (sz)) >> 12)                    \
                     : ((((unsigned long) (sz)) >> 15) <= 4)                   \
                           ? 119 + (((unsigned long) (sz)) >> 15)              \
                           : ((((unsigned long) (sz)) >> 18) <= 2)             \
                                 ? 124 + (((unsigned long) (sz)) >> 18)        \
                                 : 126)

#define largebin_index_32_big(sz)                                              \
    (((((unsigned long) (sz)) >> 6) <= 45)                                     \
         ? 49 + (((unsigned long) (sz)) >> 6)                                  \
         : ((((unsigned long) (sz)) >> 9) <= 20)                               \
               ? 91 + (((unsigned long) (sz)) >> 9)                            \
               : ((((unsigned long) (sz)) >> 12) <= 10)                        \
                     ? 110 + (((unsigned long) (sz)) >> 12)                    \
                     : ((((unsigned long) (sz)) >> 15) <= 4)                   \
                           ? 119 + (((unsigned long) (sz)) >> 15)              \
                           : ((((unsigned long) (sz)) >> 18) <= 2)             \
                                 ? 124 + (((unsigned long) (sz)) >> 18)        \
                                 : 126)

// XXX It remains to be seen whether it is good to keep the widths of
// XXX the buckets the same or whether it should be scaled by a factor
// XXX of two as well.
#define largebin_index_64(sz)                                                  \
    (((((unsigned long) (sz)) >> 6) <= 48)                                     \
         ? 48 + (((unsigned long) (sz)) >> 6)                                  \
         : ((((unsigned long) (sz)) >> 9) <= 20)                               \
               ? 91 + (((unsigned long) (sz)) >> 9)                            \
               : ((((unsigned long) (sz)) >> 12) <= 10)                        \
                     ? 110 + (((unsigned long) (sz)) >> 12)                    \
                     : ((((unsigned long) (sz)) >> 15) <= 4)                   \
                           ? 119 + (((unsigned long) (sz)) >> 15)              \
                           : ((((unsigned long) (sz)) >> 18) <= 2)             \
                                 ? 124 + (((unsigned long) (sz)) >> 18)        \
                                 : 126)

#define largebin_index(sz)                                                     \
    (SIZE_SZ == 8 ? largebin_index_64(sz) : MALLOC_ALIGNMENT == 16             \
                                                ? largebin_index_32_big(sz)    \
                                                : largebin_index_32(sz))

#define bin_index(sz)                                                          \
    ((in_smallbin_range(sz)) ? smallbin_index(sz) : largebin_index(sz))

binmap 中的每一位表示对应的 bin 中是否存在空闲的 chunk，4 个 block 来管理，每个 block 有 4 字节，也就是 128个 bit

malloc_par

struct malloc_par {
    /* Tunable parameters */
    //收缩阈值
    unsigned long   trim_threshold;
    //分配内存时是否添加额外的pad，默认为0
    INTERNAL_SIZE_T top_pad;
    //mmap 的分配阈值
    INTERNAL_SIZE_T mmap_threshold;
    //最小分配区
    INTERNAL_SIZE_T arena_test;
    //最大分配区
    INTERNAL_SIZE_T arena_max;

    /* Memory map support */
    //当前进程使用mmap()分配的内存块的个数
    int n_mmaps;
    //mmap()可以分配的最大的内存块个数
    int n_mmaps_max;
    int max_n_mmaps;
    /* the mmap_threshold is dynamic, until the user sets
       it manually, at which point we need to disable any
       dynamic behavior. */
    //是否开启mmap分配阈值动态调整，0表示开启，默认为0
    int no_dyn_threshold;

    /* Statistics */
    //mmap分配的内存大小
    INTERNAL_SIZE_T mmapped_mem;
    //mmap分配的最大内存大小
    INTERNAL_SIZE_T max_mmapped_mem;

    /* First address handed out by MORECORE/sbrk.  */
    char *sbrk_base;
};

thrim_threshold 字段表示收缩阈值，默认为 128KB ，当 top chunk 的大小大于这个阈值时，再调用 free 函数的时候可能会缩小 top chunk，收缩内存。收缩阈值可以通过 mallocopt 函数设置，由于 mmap 分配阈值动态调整，free 函数最大可以将收缩阈值设置为分配阈值的 2 倍。
mmap_threshold 表示分配阈值，默认值为 128KB，32位系统中最大值位 512KB，64 系统中的最大值为 32MB。默认开启 mmap 分配阈值的动态调整，但不会超过最大值
arena_test 和 arena_max ，当每个进程中的分配区数量大于 arena_max 的时候不会创建新的分配区，当分配区数量小于 arena_test 的时候不会重用现有的分配区。

heap_info

typedef struct _heap_info
{
  mstate ar_ptr; /* Arena for this heap. */
  struct _heap_info *prev; /* Previous heap. */
  size_t size;   /* Current size in bytes. */
  size_t mprotect_size; /* Size in bytes that has been mprotected
                           PROT_READ|PROT_WRITE.  */
  /* Make sure the following data is properly aligned, particularly
     that sizeof (heap_info) + 2 * SIZE_SZ is a multiple of
     MALLOC_ALIGNMENT. */
  char pad[-6 * SIZE_SZ & MALLOC_ALIGN_MASK];
} heap_info;

该结构体主要是为了非主线程分配内存使用，也即在非主分配区分配内存。因为在主分配区内存可以直接使用 sbrk 方式拓展内存，只有一个堆。而非主线程的 heap 是提前分配好的，因此当该 heap 资源用完时，就需要重新申请内存空间，因为一般情况下申请的内存空间是不连续的，因此需要记录一个线程中不同的 heap 的链接结构。

ar_ptr表示该堆所对应的分配区
prev该线程的上一个堆结构，注意到这里是采用单链表的形式来记录一个线程的所有堆结构的。
size堆的大小

重要函数

malloc

void *__libc_malloc(size_t bytes) {
    //可用的分配区
    mstate ar_ptr;
    void * victim;
    //读取 malloc_hook
    void *(*hook)(size_t, const void *) = atomic_forced_read(__malloc_hook);
    //查看是否有设置 malloc_hook
    if (__builtin_expect(hook != NULL, 0))
        //若被设置，则直接调用 malloc_hook
        return (*hook)(bytes, RETURN_ADDRESS(0));
    //调用arena_get 函数获取一个可用的分配区
    arena_get(ar_ptr, bytes);
    //调用 _int_malloc 函数
    victim = _int_malloc(ar_ptr, bytes);
    /* Retry with another arena only if we were able to find a usable arena
       before.  */
    //如果chunk为空，但是 分配区指针不为空，再次调用 _int_malloc 获取
    if (!victim && ar_ptr != NULL) {
        LIBC_PROBE(memory_malloc_retry, 1, bytes);
        ar_ptr = arena_get_retry(ar_ptr, bytes);
        victim = _int_malloc(ar_ptr, bytes);
    }
    //给内存分配区 解锁
    if (ar_ptr != NULL) __libc_lock_unlock(ar_ptr->mutex);
    //对分配的chunk 指针进行地址检查
    assert(!victim || chunk_is_mmapped(mem2chunk(victim)) ||
           ar_ptr == arena_for_chunk(mem2chunk(victim)));
    return victim;
}

每一步的注释，都以加到上面代码中。

我们需要关注，当执行 malloc 时，如果 malloc_hook有值，程序会先执行 malloc_hook 所指向的函数。这就给我们 getshell 提供了一种思路。就是修改 malloc_hook 的值为一个 gadget值，然后再执行 malloc 函数就能够 getshell。

_int_malloc

static void *_int_malloc(mstate av, size_t bytes) {
    INTERNAL_SIZE_T nb;  /* normalized request size */
    unsigned int    idx; /* associated bin index */
    mbinptr         bin; /* associated bin */

    mchunkptr       victim;       /* inspected/selected chunk*/
    INTERNAL_SIZE_T size;         /* its size */
    int             victim_index; /* its bin index */

    mchunkptr     remainder;      /* remainder from a split */
    unsigned long remainder_size; /* its size */

    unsigned int block; /* bit map traverser */
    unsigned int bit;   /* bit map traverser */
    unsigned int map;   /* current word of binmap */

    mchunkptr fwd; /* misc temp for linking 	fdÖ¸ÏòµÄ¿é*/
    mchunkptr bck; /* misc temp for linking 	bkÖ¸ÏòµÄ¿é*/

    const char *errstr = NULL;

    /*
       Convert request size to internal form by adding SIZE_SZ bytes
       overhead plus possibly more to obtain necessary alignment and/or
       to obtain a size of at least MINSIZE, the smallest allocatable
       size. Also, checked_request2size traps (returning 0) request sizes
       that are so large that they wrap around zero when padded and
       aligned.
     */
	//chunk size 
  //将用户请求的size大小对齐，并判断传入的参数大小是否符合要求
  //如果请求的size小于MIN_SIZE,则将请求的size改为MIN_SIZE
    checked_request2size(bytes, nb);

    /* There are no usable arenas.  Fall back to sysmalloc to get a chunk from mmap.
	   */
    //如果没有可用的分配区，则调用 sysmalloc 使用mmap分配新的堆区
    if (__glibc_unlikely(av == NULL)) {
        void *p = sysmalloc(nb, av);
        if (p != NULL) alloc_perturb(p, bytes);
        return p;
    }

首先是会检查用户的请求的size 大小，然后再去检查是否有可用的 malloc_state 分配区，如果没有，则调用 sysmalloc 使用 mmap 函数分配。

如果第一次调用 malloc 时 malloc_hook 不为空其值为 malloc_hook_ini 函数，通过调用 _init_malloc 实现一些初始化操作。

随后系统会遍历查找 fastbin

fastbin

   /*
      If the size qualifies as a fastbin, first check corresponding bin.
      This code is safe to execute even if av is not yet initialized, so we
      can try it without checking, which saves some time on this fast path.
    */
//判断请求的chunk 大小 nb 是否满足 fastbin 的范围，get_max_fast 可以得到 fastbin的最大chunk大小
   if ((unsigned long) (nb) <= (unsigned long) (get_max_fast())) {
   	// 根据nb 获取fast bins 数组的下标
       idx = fastbin_index(nb);
       //得到链表头指针 fb 与 pp
       mfastbinptr *fb = &fastbin(av, idx);
       mchunkptr    pp = *fb;
       //如果当前链表存在chunk，则分配该链表第一个chunk
       do {
           victim = pp;
           if (victim == NULL) break;
       } while ((pp = catomic_compare_and_exchange_val_acq(fb, victim->fd,
                                                           victim)) != victim);
       //如果找到chunk，检查所分配的chunk 的size 与所在链表的size
       if (victim != 0) {
           if (__builtin_expect(fastbin_index(chunksize(victim)) != idx, 0)) {
               errstr = "malloc(): memory corruption (fast)";
           errout:
               malloc_printerr(check_action, errstr, chunk2mem(victim), av);
               return NULL;
           }
           //对chunk 结构体的标志位进行检查，主要检查该chunk是否是malloc_state所表示的分配区内
           check_remalloced_chunk(av, victim, nb);
           //根据chunk得到用户数据指针p,并返回
		void *p = chunk2mem(victim);
           alloc_perturb(p, bytes);
           //
		return p;
       }
   }

check_remalloced_chunk 函数对 chunk 结构体的标志位进行了检查，主要有该 chunk 是否是 malloc_state 所表示的分配区，该 chunk 是否已经分配，是否重复分配和一些大小和地址检查。

static void do_check_remalloced_chunk(mstate av, mchunkptr p,
                                      INTERNAL_SIZE_T s) {
    //当前chunk 的size 去除 P 和 A 标志位，得到sz
    INTERNAL_SIZE_T sz = p->size & ~(PREV_INUSE | NON_MAIN_ARENA);
    //M标志位不存在，检查chunk 与 分配区是否一致
    if (!chunk_is_mmapped(p)) {
        assert(av == arena_for_chunk(p));
        if (chunk_main_arena(p))
            assert(av == &main_arena);
        else
            assert(av != &main_arena);
    }
    //检查chunk 的 inuse位
    do_check_inuse_chunk(av, p);

    /* Legal size ... */
    //检查size对齐和size大小
    assert((sz & MALLOC_ALIGN_MASK) == 0);
    assert((unsigned long) (sz) >= MINSIZE);
    /* ... and alignment */
    assert(aligned_OK(chunk2mem(p)));
    /* chunk is less than MINSIZE more than request */
    assert((long) (sz) - (long) (s) >= 0);
    assert((long) (sz) - (long) (s + MINSIZE) < 0);
}

如果分配出错，会通过 malloc_printerr 函数打印错误信息。会调用 __libc_message 函数输出，调用 abort 函数退出程序。

static void malloc_printerr(int action, const char *str, void *ptr,
                            mstate ar_ptr) {
    /* Avoid using this arena in future.  We do not attempt to synchronize this
       with anything else because we minimally want to ensure that
       __libc_message
       gets its resources safely without stumbling on the current corruption. */
    if (ar_ptr) set_arena_corrupt(ar_ptr);

    if ((action & 5) == 5)
        __libc_message(action & 2, "%s\n", str);
    else if (action & 1) {
        char buf[ 2 * sizeof(uintptr_t) + 1 ];

        buf[ sizeof(buf) - 1 ] = '\0';
        char *cp = _itoa_word((uintptr_t) ptr, &buf[ sizeof(buf) - 1 ], 16, 0);
        while (cp > buf)
            *--cp = '0';

        __libc_message(action & 2, "*** Error in `%s': %s: 0x%s ***\n",
                       __libc_argv[ 0 ] ?: "<unknown>", str, cp);
    } else if (action & 2)c
    //执行abort函数
        abort();
}

而在 abort 函数里，在 glibc 2.23 版本会调用 fflush stream，而这也是 FSOP 攻击的原理，通过 abort 函数直接调用 fflush 函数，最后调用_IO_FILE_plus.vtable 中的 _IO_overflow，实现 getshell。

/* Flush all streams.  We cannot close them now because the user
   might have registered a handler for SIGABRT.  */
if (stage == 1)
  {
    ++stage;
    fflush (NULL);
  }

如果 fastbin 找不到，随后会去 small bin 中寻找。

small bin

   /*
      If a small request, check regular bin.  Since these "smallbins"
      hold one size each, no searching within bins is necessary.
      (For a large request, we need to wait until unsorted chunks are
      processed to find best fit. But for small ones, fits are exact
      anyway, so we can check now, which is faster.)
    */
//chunk size在 small bin的范围内
   if (in_smallbin_range(nb)) {
   	//根据chunk size获得 small bin数组的下标
       idx = smallbin_index(nb);
       //得到small bin的链表头地址
       bin = bin_at(av, idx);
	    //获取 small bin的最后一个 chunk
       //若结果 victime = bin，说明 该 small bin为空
       if ((victim = last(bin)) != bin) {
       	//合并fastbin到unsortedbin
           if (victim == 0) /* initialization check */
               malloc_consolidate(av);
           else {
               //获取small bin 的 倒数第二个 chunk
               bck = victim->bk;
               // 检查 倒数第二个 chunk 的 fd 指针是否指向最后一个 chunk，防止伪造 
               if (__glibc_unlikely(bck->fd != victim)) {
                   errstr = "malloc(): smallbin double linked list corrupted";
                   goto errout;
               }
               //设置victim的下一个chunk的 inuse位
               set_inuse_bit_at_offset(victim, nb);
               //将最后一个 chunk 从small bin中解链，重新设置small bin的 链表
               bin->bk = bck;
               bck->fd = bin;
			        //如果不是 Main_arena，则设置 A 标志位
               if (av != &main_arena) set_non_main_arena(victim);
               //与fastbin检查相同
               check_malloced_chunk(av, victim, nb);
               void *p = chunk2mem(victim);
               alloc_perturb(p, bytes);
               return p;
           }
       }
   }

从代码中检查 small bin是否为空的操作，即初始化的 small bin 的 bk 指针是指向自身的。

从最后分配 small bin的操作可知，small bin 头部 chunk 的 bk 指针指向链表尾部 chunk，链表尾部 chunk 的 fd 指针指向链表头部。

当 small bin 没有初始化时，所有的指针均为空，这时程序就会调用 malloc_consolidate 函数将 fastbin 链表中的所有 chunk 进行合并，并将合并后的 chunk 插入到 unsortedin中。

如果small bin中不满足，则会进入 large bin。

large bin

//获取请求的size在large bin中的下标
   else {
       idx = largebin_index(nb);
       //合并 fastbin 到 unsortedbin
       if (have_fastchunks(av)) malloc_consolidate(av);
   }

随后进入 unsortedbin 处理：

	//进入unsortedbin 处理
    for (;;) {
        int iters = 0;
        // walk from the unsorted head to end to find one chunk
        // First In First Out
        // 当unsortedbin 不为空
        while ((victim = unsorted_chunks(av)->bk) != unsorted_chunks(av)) {
            bck = victim->bk;
            //´判断当前申请的size是否合法，大于2*SIZE_SZ，小于 av->system_mem 
            if (__builtin_expect(chunksize_nomask(victim) <= 2 * SIZE_SZ, 0) ||
                __builtin_expect(chunksize_nomask(victim) > av->system_mem, 0))
                malloc_printerr(check_action, "malloc(): memory corruption",
                                chunk2mem(victim), av);
            //合法获取size
            size = chunksize(victim);

            /*
               If a small request, try to use last remainder if it is the
               only chunk in unsorted bin.  This helps promote locality for
               runs of consecutive small requests. This is the only
               exception to best-fit, and applies only when there is
               no exact fit for a small chunk.
             */
			       //如果申请的大小等于输入small bin的范围，且unsorted bin链表中只有一个chunk并指向 last_remainder
             //且该chunk的size大小大于用户申请的szie大小
            if (in_smallbin_range(nb) && bck == unsorted_chunks(av) &&
                victim == av->last_remainder &&
                (unsigned long) (size) > (unsigned long) (nb + MINSIZE)) {
                /* split and reattach remainder */
                //对该chunk 进行拆分
                //获取剩下的last_remainder的大小和开始地址
                remainder_size          = size - nb;
                remainder               = chunk_at_offset(victim, nb);
                //将unsorted bin的bk指针指向更新的remainder
                unsorted_chunks(av)->bk = unsorted_chunks(av)->fd = remainder;
                //更新分配区last_remainder的值
                av->last_remainder                                = remainder;
                //将remainder的 bk和 fd都设置为 unsorted bin
                remainder->bk = remainder->fd = unsorted_chunks(av);
                //如果remainder的大小不输入small bin的范围将其fd_nextsize 和 bk_nextsize都置为NULL
                if (!in_smallbin_range(remainder_size)) {
                    remainder->fd_nextsize = NULL;
                    remainder->bk_nextsize = NULL;
                }
                //设置分配给用户的chunk的堆头标志位
                set_head(victim, nb | PREV_INUSE |
                                     (av != &main_arena ? NON_MAIN_ARENA : 0));
                //设置remainder的堆头标志位
                set_head(remainder, remainder_size | PREV_INUSE);
                //设置remainder的prev_size值
                set_foot(remainder, remainder_size);
                //检查分配的chunk
                check_malloced_chunk(av, victim, nb);
                void *p = chunk2mem(victim);
                alloc_perturb(p, bytes);
                return p;
            }

            /* remove from unsorted list */
            //将当前的chunk从unsortedbin 链表里解除
            unsorted_chunks(av)->bk = bck;
            bck->fd                 = unsorted_chunks(av);

            /* Take now instead of binning if exact fit */
			      //如果当前用户申请的size刚好与解链的chunk大小相同，则返回
            if (size == nb) {
            	 
                set_inuse_bit_at_offset(victim, size);
                if (av != &main_arena) set_non_main_arena(victim);
                check_malloced_chunk(av, victim, nb);
                void *p = chunk2mem(victim);
                alloc_perturb(p, bytes);
                return p;
            }

            /* place chunk in bin */
			       //如果chunk的size是small bin，则将该chunk插入small bin中
            if (in_smallbin_range(size)) {
                victim_index = smallbin_index(size);
                bck          = bin_at(av, victim_index);
                fwd          = bck->fd;
            } else {
                //否则将插入large bin中
                victim_index = largebin_index(size);
                bck          = bin_at(av, victim_index);
                fwd          = bck->fd;
					
                /* maintain large bins in sorted order */
                //largebin 非空
                if (fwd != bck) {
                    /* Or with inuse bit to speed comparisons */
                    //去除 P标志位
                    size |= PREV_INUSE;
                    /* if smaller than smallest, bypass loop below */
                    //检查A标志位
                    assert(chunk_main_arena(bck->bk));
                    //如果chunk的size 比large bins的最小堆块还小
                    if ((unsigned long) (size) <
                        (unsigned long) chunksize_nomask(bck->bk)) {
                        //指向链表最后一个堆块
                        fwd = bck;
                        bck = bck->bk;
                        //则将当前chunk插入到large bin的最后一块
                        victim->fd_nextsize = fwd->fd;
                        victim->bk_nextsize = fwd->fd->bk_nextsize;
                        //将链表首堆块的bk_nextsize和原链表最后一个堆块的fd_nextsize指向当前的chunk
                        fwd->fd->bk_nextsize =
                            victim->bk_nextsize->fd_nextsize = victim;
                    } else {
                      //将当前的chunk插入到large bin链表中的合适位置
                        assert(chunk_main_arena(fwd));
                        //遍历large chunk查找合适位置
                        while ((unsigned long) size < chunksize_nomask(fwd)) {
                            fwd = fwd->fd_nextsize;
                            assert(chunk_main_arena(fwd));
                        }
                        //此时fwd指向的是大小恰好小于等于当前chunk的堆块
                        if ((unsigned long) size ==
                            (unsigned long) chunksize_nomask(fwd))
                            /* Always insert in the second position.  */
                            //当前大小的chunk数组不为空，则将当前堆块插入到数组的第二个位置中
                            fwd = fwd->fd;
                        else {
                            victim->fd_nextsize              = fwd;
                            victim->bk_nextsize              = fwd->bk_nextsize;
                            fwd->bk_nextsize                 = victim;
                            victim->bk_nextsize->fd_nextsize = victim;
                        }
                        bck = fwd->bk;
                    }
                } else
                    //large bin链表为空，则只需要加入链表即可
                    victim->fd_nextsize = victim->bk_nextsize = victim;
            }
            //上面我们只对不同大小的largebin数组进行链表的链接，
            //还需要在大小相同的largebin chunk组成的数组中进行插入
            mark_bin(av, victim_index);
            victim->bk = bck;
            victim->fd = fwd;
            //该语句相当于fwd->bk->fd=victim;如果我们控制了fwd的bk指针就可以在任意地址+0x10写入堆地址
            fwd->bk    = victim;
            bck->fd    = victim;
c
#define MAX_ITERS 10000
            if (++iters >= MAX_ITERS) break;
        }

代码比较长，主要步骤如下：

1. 查找unsortedbin 是否为空
2. unsortedbin 中只有一个chunk且为last_remainder时，进行last_remainder切分，返回
如果有多个chunk，则需要：
4. 将chunk从 unsortedbin中解链，如果大小满足则返回
5. 如果chunk大小不满足， 是否满足small bin大小，并插入small bin中
6. 如果chunk大小不满足small bin，是否满足larg bin，并插入 large bin中
7. 对下一个chunk 进行处理

注意，当取得unsorted bin chunk与我们申请的chunk 大小相同时，程序进行了如下操作：

/* remove from unsorted list */
//将当前的chunk从unsortedbin 链表里解除
unsorted_chunks(av)->bk = bck;
bck->fd                 = unsorted_chunks(av);

如果我们能控制 av 的bk指针，那么就能向 bk 的 fd 指针写入 av的值，发生 unsortedbin attack。

当unsorted bin中没有合适的chunk时，则会遍历查找请求的size 所对应的 bin中chunk

//large bin 
      if (!in_smallbin_range(nb)) {
          bin = bin_at(av, idx);

          /* skip scan if empty or largest chunk is too small */
          //如果用户请求的size小于large bin中最大的chunk size
          if ((victim = first(bin)) != bin &&
              (unsigned long) chunksize_nomask(victim) >=
                  (unsigned long) (nb)) {
              //获取刚好小于用户请求的size 的large bin
              victim = victim->bk_nextsize;
              while (((unsigned long) (size = chunksize(victim)) <
                      (unsigned long) (nb)))
                  victim = victim->bk_nextsize;

              /* Avoid removing the first entry for a size so that the skip
                 list does not have to be rerouted.  */
              if (victim != last(bin) &&
                  chunksize_nomask(victim) == chunksize_nomask(victim->fd))
                  victim = victim->fd;
              //拆分符合要求的large chunk
              remainder_size = size - nb;
              //将large chunk从large bin中解链
              unlink(av, victim, bck, fwd);

              /* Exhaust */
              //对剩余部分进行检查
              if (remainder_size < MINSIZE) {
                  set_inuse_bit_at_offset(victim, size);
                  if (av != &main_arena) set_non_main_arena(victim);
              }
              /* Split */
              else {
                  //将剩余部分chunk 插入unsortedbin 中
                  remainder = chunk_at_offset(victim, nb);
                  /* We cannot assume the unsorted list is empty and therefore
                     have to perform a complete insert here.  */
                  bck = unsorted_chunks(av);
                  fwd = bck->fd;
                  if (__glibc_unlikely(fwd->bk != bck)) {
                      errstr = "malloc(): corrupted unsorted chunks";
                      goto errout;
                  }
                  remainder->bk = bck;
                  remainder->fd = fwd;
                  bck->fd       = remainder;
                  fwd->bk       = remainder;
                  //remainder 不满足 small bin
                  if (!in_smallbin_range(remainder_size)) {
                      remainder->fd_nextsize = NULL;
                      remainder->bk_nextsize = NULL;
                  }
                  //设置分配的chunk堆头
                  set_head(victim,
                           nb | PREV_INUSE |
                               (av != &main_arena ? NON_MAIN_ARENA : 0));
                  //设置remainder的堆头和prev_size
                  set_head(remainder, remainder_size | PREV_INUSE);
                  set_foot(remainder, remainder_size);
              }
              check_malloced_chunk(av, victim, nb);
              void *p = chunk2mem(victim);
              alloc_perturb(p, bytes);c
              return p;
          }
      }

如果用户申请的size所对应的large bin中不存在符合要求的chunk的情况，则在其他 size 的large bin中进行寻找。

/*
   Search for a chunk by scanning bins, starting with next largest
   bin. This search is strictly by best-fit; i.e., the smallest
   (with ties going to approximately the least recently used) chunk
   that fits is selected.

   The bitmap avoids needing to check that most blocks are nonempty.
   The particular case of skipping all bins during warm-up phases
   when no chunks have been returned yet is faster than it might look.
 */

++idx;
bin   = bin_at(av, idx);
block = idx2block(idx);
map   = av->binmap[ block ];
bit   = idx2bit(idx);

for (;;) {
    /* Skip rest of block if there are no more set bits in this block.
     */
    //根据block找到存在空闲chunk的 large bin链表
    if (bit > map || bit == 0) {
        do {
            if (++block >= BINMAPSIZE) /* out of bins */
                goto use_top;
        } while ((map = av->binmap[ block ]) == 0);

        bin = bin_at(av, (block << BINMAPSHIFT));
        bit = 1;
    }

    /* Advance to bin with set bit. There must be one. */
    //在 block 中找到存在符合要求的large bin链表头指针
    while ((bit & map) == 0) {
        bin = next_bin(bin);
        bit <<= 1;
        assert(bit != 0);
    }

    /* Inspect the bin. It is likely to be non-empty */
    victim = last(bin);

    /*  If a false alarm (empty bin), clear the bit. */
    //链表非空
    if (victim == bin) {
        av->binmap[ block ] = map &= ~bit; /* Write through */
        bin                 = next_bin(bin);
        bit <<= 1;
    }
    //找到第一个大于申请size的chunk进行堆块划分
    else {
        size = chunksize(victim);

        /*  We know the first chunk in this bin is big enough to use. */
        assert((unsigned long) (size) >= (unsigned long) (nb));
        //切割remainder与上面 largedbin 的操作类似
        remainder_size = size - nb;

        /* unlink */
        unlink(av, victim, bck, fwd);

        /* Exhaust */
        if (remainder_size < MINSIZE) {
            set_inuse_bit_at_offset(victim, size);
            if (av != &main_arena) set_non_main_arena(victim);
        }

        /* Split */
        else {
            remainder = chunk_at_offset(victim, nb);

            /* We cannot assume the unsorted list is empty and therefore
               have to perform a complete insert here.  */
            bck = unsorted_chunks(av);
            fwd = bck->fd;
            if (__glibc_unlikely(fwd->bk != bck)) {
                errstr = "malloc(): corrupted unsorted chunks 2";
                goto errout;
            }
            remainder->bk = bck;
            remainder->fd = fwd;
            bck->fd       = remainder;
            fwd->bk       = remainder;

            /* advertise as last remainder */
            if (in_smallbin_range(nb)) av->last_remainder = remainder;
            if (!in_smallbin_range(remainder_size)) {
                remainder->fd_nextsize = NULL;
                remainder->bk_nextsize = NULL;
            }
            set_head(victim,
                     nb | PREV_INUSE |
                         (av != &main_arena ? NON_MAIN_ARENA : 0));
            set_head(remainder, remainder_size | PREV_INUSE);
            set_foot(remainder, remainder_size);
        }
        check_malloced_chunk(av, victim, nb);
        void *p = chunk2mem(victim);
        alloc_perturb(p, bytes);
        return p;
    }
}

如果符合用户请求的size 的bins 中没有满足要求的 chunk，则会继续在 large bin中寻找。不断遍历，直到找到符合要求的chunk，随后进行 chunk 划分等操作。

如果 large bin 中遍历结束，仍然没有找到相应的 chunk，则需要在 top chunk中寻找。

top chunk

use_top:
    /*
       If large enough, split off the chunk bordering the end of memory
       (held in av->top). Note that this is in accord with the best-fit
       search rule.  In effect, av->top is treated as larger (and thus
       less well fitting) than any other available chunk since it can
       be extended to be as large as necessary (up to system
       limitations).

       We require that av->top always exists (i.e., has size >=
       MINSIZE) after initialization, so if it would otherwise be
       exhausted by current request, it is replenished. (The main
       reason for ensuring it exists is that we may need MINSIZE space
       to put in fenceposts in sysmalloc.)
     */
    //获取top chunk的堆头地址 和 大小
    victim = av->top;
    size   = chunksize(victim);
    //top chunk的size 满足用户请求的size
    if ((unsigned long) (size) >= (unsigned long) (nb + MINSIZE)) {
        //将top chunk 划分
        remainder_size = size - nb;
        remainder      = chunk_at_offset(victim, nb);
        av->top        = remainder;
        set_head(victim, nb | PREV_INUSE |
                             (av != &main_arena ? NON_MAIN_ARENA : 0));
        set_head(remainder, remainder_size | PREV_INUSE);

        check_malloced_chunk(av, victim, nb);
        void *p = chunk2mem(victim);
        alloc_perturb(p, bytes);
        return p;
    }

    /* When we are using atomic ops to free fast chunks we can get
       here for all block sizes.  */
    //如果top chunk不够
    //则合并fastbin，将其返回fastbin 或者 large bin
    else if (have_fastchunks(av)) {
        malloc_consolidate(av);
        /* restore original bin index */
        if (in_smallbin_range(nb))
            idx = smallbin_index(nb);
        else
            idx = largebin_index(nb);
    }

    /*
       Otherwise, relay to handle system-dependent cases
     */
    //如果仍然不够，则调用sysmalloc 继续分配堆块
    else {
        void *p = sysmalloc(nb, av);
        if (p != NULL) alloc_perturb(p, bytes);
        return p;
    }
}

最后就是在top chunk进行分配，如果top chunk满足，则划分top chunk。如果不满足，首先会进行合并fastbin到large bin或者 small bin中，在继续进行遍历。如果没有fastbin可合并，程序会直接调用 sysmalloc 函数进行分配区分配。

sysmalloc 函数如果满足如下条件

old-top chunk size 必须要对齐到内存页
size 要大于 MINSIZE(0x10)
size 要小于之后申请的 chunk size + MINSIZE(0x10)
size 的 prev inuse 位必须为 1

系统就会调用 brk 分配新的分配区。则为 House of orange 攻击做好了准备。

总结

可参考 LYYL https://www.lyyl.online/2019/09/28/malloc%E5%92%8Cfree%E6%BA%90%E7%A0%81%E5%88%86%E6%9E%90/ 博客总结，很全面，也没有错误。（这人写了8万字，我真想推荐他出本书。以后打比赛就靠他带了，逃。。。）

free

void __libc_free(void *mem) {
    mstate    ar_ptr;
    mchunkptr p; /* chunk corresponding to mem */
    //判断是否设置了free_hook
    void (*hook)(void *, const void *) = atomic_forced_read(__free_hook);
    if (__builtin_expect(hook != NULL, 0)) {
        //设置了free_hook就执行free_hook
        (*hook)(mem, RETURN_ADDRESS(0));
        return;
    }

    if (mem == 0) /* free(0) has no effect */
        return;
    //将用户mem指针转换为堆块头指针
    p = mem2chunk(mem);
    //判断chunk是否由mmap分配
    if (chunk_is_mmapped(p)) /* release mmapped memory. */
    {
        /* See if the dynamic brk/mmap threshold needs adjusting.
       Dumped fake mmapped chunks do not affect the threshold.  */
        //如果是mmap，则首先更新mmap分配和收缩阈值
        if (!mp_.no_dyn_threshold && chunksize_nomask(p) > mp_.mmap_threshold &&
            chunksize_nomask(p) <= DEFAULT_MMAP_THRESHOLD_MAX &&
            !DUMPED_MAIN_ARENA_CHUNK(p)) {
            mp_.mmap_threshold = chunksize(p);
            mp_.trim_threshold = 2 * mp_.mmap_threshold;
            LIBC_PROBE(memory_mallopt_free_dyn_thresholds, 2,
                       mp_.mmap_threshold, mp_.trim_threshold);
        }
        //然后调用 munmap_chunk释放函数
        munmap_chunk(p);
        return;
    }
    //如果不是 mmap创建，则调用 _int_free 函数
    ar_ptr = arena_for_chunk(p);
    _int_free(ar_ptr, p, 0);
}

主要对 _int_free 函数进行分析

_int_free

/* Little security check which won't hurt performance: the
   allocator never wrapps around at the end of the address space.
   Therefore we can exclude some size values which might appear
   here by accident or by "design" from some intruder.  */
//
if (__builtin_expect((uintptr_t) p > (uintptr_t) -size, 0) ||
    __builtin_expect(misaligned_chunk(p), 0)) {
    errstr = "free(): invalid pointer";
errout:
    if (!have_lock && locked) __libc_lock_unlock(av->mutex);
    malloc_printerr(check_action, errstr, chunk2mem(p), av);
    return;
}
/* We know that each chunk is at least MINSIZE bytes in size or a
   multiple of MALLOC_ALIGNMENT.  */
//检查size是否大于MINSIZE，是否对齐
if (__glibc_unlikely(size < MINSIZE || !aligned_OK(size))) {
    errstr = "free(): invalid size";
    goto errout;
}
//检查chunk是否在使用
check_inuse_chunk(av, p);

首先会对要被释放的chunk的size进行检查，查看size是否大于MINSIZE，地址是否被对齐。

随后首先进入 fastbin的判断，如果size属于fastbin 则将要被释放的chunk放入对应的fastbin链表中。

fastbin

    /*
      If eligible, place chunk on a fastbin so it can be found
      and used quickly in malloc.
    */
    //检查size是否属于fastbin块
    if ((unsigned long) (size) <= (unsigned long) (get_max_fast())
    //如果属于fastbin但与top chunk相邻时，不会立即合并到top chunk
#if TRIM_FASTBINS
        /*
      If TRIM_FASTBINS set, don't place chunks
      bordering top into fastbins
        */
        && (chunk_at_offset(p, size) != av->top)
#endif
            ) {

        if (__builtin_expect(
                chunksize_nomask(chunk_at_offset(p, size)) <= 2 * SIZE_SZ, 0) ||
            __builtin_expect(
                chunksize(chunk_at_offset(p, size)) >= av->system_mem, 0)) {
            /* We might not have a lock at this point and concurrent
               modifications
               of system_mem might have let to a false positive.  Redo the test
               after getting the lock.  */
            if (have_lock || ({
                    assert(locked == 0);
                    __libc_lock_lock(av->mutex);
                    locked = 1;
                    chunksize_nomask(chunk_at_offset(p, size)) <= 2 * SIZE_SZ ||
                        chunksize(chunk_at_offset(p, size)) >= av->system_mem;
                })) {
                errstr = "free(): invalid next size (fast)";
                goto errout;
            }
            if (!have_lock) {
                __libc_lock_unlock(av->mutex);
                locked = 0;
            }
        }
        //清理fastbin 中的数据
        free_perturb(chunk2mem(p), size - 2 * SIZE_SZ);
        //初始化fastbin
        set_fastchunks(av);
        //获取size对应的fast bin下标
        unsigned int idx = fastbin_index(size);
        fb               = &fastbin(av, idx);

        /* Atomically link P to its fastbin: P->FD = *FB; *FB = P;  */
        mchunkptr    old     = *fb, old2;
        unsigned int old_idx = ~0u;
        do {
            /* Check that the top of the bin is not the record we are going to
               add
               (i.e., double free).  */
            //判断当前fastbin 头chunk与要被释放的chunk是否相同，防止double free
            if (__builtin_expect(old == p, 0)) {
                errstr = "double free or corruption (fasttop)";
                goto errout;
            }
            /* Check that size of fastbin chunk at the top is the same as
               size of the chunk that we are adding.  We can dereference OLD
               only if we have the lock, otherwise it might have already been
               deallocated.  See use of OLD_IDX below for the actual check.  */
            //将要被释放的chunk放入fastbin头部，修改其fd 指针指向Old
            if (have_lock && old != NULL)
                old_idx = fastbin_index(chunksize(old));
            p->fd = old2 = old;
        } while ((old = catomic_compare_and_exchange_val_rel(fb, p, old2)) !=
                 old2);
        
        if (have_lock && old != NULL && __builtin_expect(old_idx != idx, 0)) {
            errstr = "invalid fastbin entry (free)";
            goto errout;
        }
    }

如果不属于fastbin，则会判断进入unsortedbin中：

unsortedbin


/*
  Consolidate other non-mmapped chunks as they arrive.
*/
	
else if (!chunk_is_mmapped(p)) {
    if (!have_lock) {
        __libc_lock_lock(av->mutex);
        locked = 1;
    }
    //得到next chunk
    nextchunk = chunk_at_offset(p, size);

    /* Lightweight tests: check whether the block is already the
       top block.  */
    //chunk是否是 top chunk头
    if (__glibc_unlikely(p == av->top)) {
        errstr = "double free or corruption (top)";
        goto errout;
    }
    /* Or whether the next chunk is beyond the boundaries of the arena.  */
    //判断next chunk是否超过分配区
    if (__builtin_expect(contiguous(av) &&
                             (char *) nextchunk >=
                                 ((char *) av->top + chunksize(av->top)),
                         0)) {
        errstr = "double free or corruption (out)";
        goto errout;
    }
    /* Or whether the block is actually not marked used.  */
    //检查next chunk的inuse位，判断要被释放的chunk是否在使用
    if (__glibc_unlikely(!prev_inuse(nextchunk))) {
        errstr = "double free or corruption (!prev)";
        goto errout;
    }
    //判断next chunk的size是否合法
    nextsize = chunksize(nextchunk);
    if (__builtin_expect(chunksize_nomask(nextchunk) <= 2 * SIZE_SZ, 0) ||
        __builtin_expect(nextsize >= av->system_mem, 0)) {
        errstr = "free(): invalid next size (normal)";
        goto errout;
    }
    //清除要被释放的chunk的内容
    free_perturb(chunk2mem(p), size - 2 * SIZE_SZ);

    /* consolidate backward */
    //如果前一个prev chunk也处于释放状态则合并两个chunk
    //执行unlink
    if (!prev_inuse(p)) {
        prevsize = prev_size(p);
        size += prevsize;
        p = chunk_at_offset(p, -((long) prevsize));
        unlink(av, p, bck, fwd);
    }
    //如果next chunk不是top chunk
    if (nextchunk != av->top) {
        /* get and clear inuse bit */
        //查看next chunk的inuse
        nextinuse = inuse_bit_at_offset(nextchunk, nextsize);

        /* consolidate forward */
        //如果next chunk也处于释放中
        //继续向下合并next chunk
        if (!nextinuse) {
            unlink(av, nextchunk, bck, fwd);
            size += nextsize;
        } else
            //清除next chunk的inuse位
            clear_inuse_bit_at_offset(nextchunk, 0);

        /*
      Place the chunk in unsorted chunk list. Chunks are
      not placed into regular bins until after they have
      been given one chance to be used in malloc.
        */
        // insert the unsorted chunk at the end of the unsorted bin
        // First In First Out
        // 获取当前unsortedbin 的末尾chunk 和链表头chunk
        bck = unsorted_chunks(av);
        fwd = bck->fd;
        if (__glibc_unlikely(fwd->bk != bck)) {
            errstr = "free(): corrupted unsorted chunks";
            goto errout;
        }
        //将当前chunk插入unsortedbin中
        p->fd = fwd;
        p->bk = bck;
        //size属于small bin
        if (!in_smallbin_range(size)) {
            p->fd_nextsize = NULL;
            p->bk_nextsize = NULL;
        }
        //更新链表头尾指针
        bck->fd = p;
        fwd->bk = p;
        //设置chunk的头部和尾部prev_size
        set_head(p, size | PREV_INUSE);
        set_foot(p, size);
        //检查chunk的free
        check_free_chunk(av, p);
    }

    /*
      If the chunk borders the current high end of memory,
      consolidate into top
    */
    //如果当前chunk临近top chunk则直接合并到top chunk中
    else {
        size += nextsize;
        set_head(p, size | PREV_INUSE);
        av->top = p;
        check_chunk(av, p);
    }

这一段代码主要是将chunk释放到unsorted bin时，会先检查当前chunk在next chunk的prev_inuse位是否被置为1，即判断要被释放的chunk是否在使用。然后会检查其prev chunk是否被释放，如果被释放，则会与prev chunk合并，并且对prev chunk执行 unlink操作，其寻找prev chunk的堆头是通过 prev_size查找。然后检查next chunk是否被释放，如果被释放，则将其与next chunk合并，执行unlink操作，寻找next chunk是通过 chunk size查找。

unlink操作如下：

unlink

/* Take a chunk off a bin list */
#define unlink(AV, P, BK, FD)                                                  \
    {                                                                          \
        FD = P->fd;                                                            \
        BK = P->bk;                                                            \
        //判断当前chunk的前后指针是否合法
        if (__builtin_expect(FD->bk != P || BK->fd != P, 0))                   \
            malloc_printerr(check_action, "corrupted double-linked list", P,   \
                            AV);                                               \
        //对chunk P执行解链操作
        else {                                                                 \
            //修改FD 和 BK的bk和fd指针
            FD->bk = BK;                                                       \
            BK->fd = FD;                                                       \
            //如果P属于large bin，还需要判断fd_nextsize和bk_nextsize是否合法
            if (!in_smallbin_range(chunksize_nomask(P)) &&                     \
                __builtin_expect(P->fd_nextsize != NULL, 0)) {                 \
                if (__builtin_expect(P->fd_nextsize->bk_nextsize != P, 0) ||   \
                    __builtin_expect(P->bk_nextsize->fd_nextsize != P, 0))     \
                    malloc_printerr(                                           \
                        check_action,                                          \
                        "corrupted double-linked list (not small)", P, AV);    \
                if (FD->fd_nextsize == NULL) {                                 \
                     //lagrebin 中仅存一组相同的chunk
                    if (P->fd_nextsize == P)                                   \
                        //移除首chunk，将后记chunk的nextsize指向其本身
                        FD->fd_nextsize = FD->bk_nextsize = FD;                \
                    else {                                                     \
                        //
                        FD->fd_nextsize             = P->fd_nextsize;          \
                        FD->bk_nextsize             = P->bk_nextsize;          \
                        P->fd_nextsize->bk_nextsize = FD;                      \
                        P->bk_nextsize->fd_nextsize = FD;                      \
                    }                                                          \
                } else {                                                       \
                    P->fd_nextsize->bk_nextsize = P->bk_nextsize;              \
                    P->bk_nextsize->fd_nextsize = P->fd_nextsize;              \
                }                                                              \
            }                                                                  \
        }                                                                      \
    }

可以看到 unlink 首先检查了 chunk 的前后指针是否指向 P，然后执行了解链操作。

这里就存在 unlink 攻击，导致我们可以伪造 P 的 fd 和 bk 指针，将一个内存地址 ptr 的值修改为 ptr-0x18 的值。

        /*
          If freeing a large space, consolidate possibly-surrounding
          chunks. Then, if the total unused topmost memory exceeds trim
          threshold, ask malloc_trim to reduce top.

          Unless max_fast is 0, we don't know if there are fastbins
          bordering top, so we cannot tell for sure whether threshold
          has been reached unless fastbins are consolidated.  But we
          don't want to consolidate on each free.  As a compromise,
          consolidation is performed if FASTBIN_CONSOLIDATION_THRESHOLD
          is reached.
        */
        //如果前面释放的chunk大小较大
        //将fast bin合并到 unsortedbin中
        if ((unsigned long) (size) >= FASTBIN_CONSOLIDATION_THRESHOLD) {
            if (have_fastchunks(av)) malloc_consolidate(av);
            //如果进程的分配区是主分配区，并且可以收缩内存
            //调用systrim收缩内存，否则获取非主分配区的heap_info，调用heap_trim收缩heap
            if (av == &main_arena) {
#ifndef MORECORE_CANNOT_TRIM
                if ((unsigned long) (chunksize(av->top)) >=
                    (unsigned long) (mp_.trim_threshold))
                    systrim(mp_.top_pad, av);
#endif
            } else {
                /* Always try heap_trim(), even if the top chunk is not
                   large, because the corresponding heap might go away.  */
                heap_info *heap = heap_for_ptr(top(av));

                assert(heap->ar_ptr == av);
                heap_trim(heap, mp_.top_pad);
            }
        }

        if (!have_lock) {
            assert(locked);
            __libc_lock_unlock(av->mutex);
        }
    }
    /*
      If the chunk was allocated via mmap, release via munmap().
    */
    //如果是mmap()分配就调用munmap释放该chunk
    else {
        munmap_chunk(p);
    }
}

总结

首先检查 free_hook是否被初始化，如果被初始化则执行 free_hook指向的函数地址（存在通过free_hook来getshell）；为被初始化进入下一步；
如果chunk是通过 mmap分配，则通过 munmap函数释放chunk；否则调用 _int_free 函数，进入下一步：
对传入的指针和其指向的 chunk size 进行合法性验证，判断传入的 chunk 为 inuse；
若 chunk size 的大小满足 fast bin的大小范围，则在经过指针和size的合法性验证之后将 chunk 插入到 fastbin链表中。若 chunk 不是由 mmap 分配的，则进入下一步，否则进入第7步。
此时 chunk size的大小超过fastbin的规定范围，将 chunk 与物理相邻的前一个chunk 进行前向合并，与物理相邻的后一个 chunk（包含 top chunk)进行后向合并，合并后的 chunk插入到 unsorted bin链表中，进入下一步；
判断释放的 chunk size的大小，超过阈值之后收缩内存；
chunk 是通过 mmap 分配的，调用 munmap 释放 chunk。

realloc

realloc(void *p, size_t n) ，拓展已经分配的内存空间。如果p指向的chunk存在连续的空闲空间，则扩展p指向的chunk。否则分配一块新的chunk，并将p指向的chunk中的数据拷贝到新chunk中释放原有的chunk，返回新chunk指针。当p为空时，realloc等价于malloc。如果新的size小于原有的size则只会拷贝size大小的数据。

void *__libc_realloc(void *oldmem, size_t bytes) {
    mstate          ar_ptr;
    INTERNAL_SIZE_T nb; /* padded request size */

    void *newp; /* chunk to return */
    //检查是否调用 realloc_hook
    void *(*hook)(void *, size_t, const void *) =
        atomic_forced_read(__realloc_hook);
    if (__builtin_expect(hook != NULL, 0))
        return (*hook)(oldmem, bytes, RETURN_ADDRESS(0));
    //如果请求的bytes为0，原有chunk存在，则调用__libc_free释放该chunk
#if REALLOC_ZERO_BYTES_FREES
    if (bytes == 0 && oldmem != NULL) {
        __libc_free(oldmem);
        return 0;
    }
#endif

    /* realloc of null is supposed to be same as malloc */
    //如果原有chunk大小为0，则调用 __libc_malloc申请bytes大小的chunk
    if (oldmem == 0) return __libc_malloc(bytes);

    /* chunk corresponding to oldmem */
    //得到堆块堆头指针
    const mchunkptr oldp = mem2chunk(oldmem);
    /* its size */
    //得到chunk的size大小
    const INTERNAL_SIZE_T oldsize = chunksize(oldp);
    //如果chunk是由mmap分配
    if (chunk_is_mmapped(oldp))
        ar_ptr = NULL;
    else
        ar_ptr = arena_for_chunk(oldp);

    /* Little security check which won't hurt performance: the allocator
       never wrapps around at the end of the address space.  Therefore
       we can exclude some size values which might appear here by
       accident or by "design" from some intruder.  We need to bypass
       this check for dumped fake mmap chunks from the old main arena
       because the new malloc may provide additional alignment.  */
    //检查chunk的size是否合法和地址是否对齐
    if ((__builtin_expect((uintptr_t) oldp > (uintptr_t) -oldsize, 0) ||
         __builtin_expect(misaligned_chunk(oldp), 0)) &&
        !DUMPED_MAIN_ARENA_CHUNK(oldp)) {
        malloc_printerr(check_action, "realloc(): invalid pointer", oldmem,
                        ar_ptr);
        return NULL;
    }
    //转换用户请求的bytes为nb
    checked_request2size(bytes, nb);
    //如果chunk是mmap分配
    if (chunk_is_mmapped(oldp)) {
        /* If this is a faked mmapped chunk from the dumped main arena,
       always make a copy (and do not free the old chunk).  */
        //调用 __libc_malloc创建新bytes大小的堆块
        if (DUMPED_MAIN_ARENA_CHUNK(oldp)) {
            /* Must alloc, copy, free. */
            void *newmem = __libc_malloc(bytes);
            if (newmem == 0) return NULL;
            /* Copy as many bytes as are available from the old chunk
               and fit into the new size.  NB: The overhead for faked
               mmapped chunks is only SIZE_SZ, not 2 * SIZE_SZ as for
               regular mmapped chunks.  */
            if (bytes > oldsize - SIZE_SZ) bytes = oldsize - SIZE_SZ;
            //拷贝数据到新块
            memcpy(newmem, oldmem, bytes);
            return newmem;
        }

        void *newmem;

#if HAVE_MREMAP
        newp = mremap_chunk(oldp, nb);
        if (newp) return chunk2mem(newp);
#endif
        /* Note the extra SIZE_SZ overhead. */
        if (oldsize - SIZE_SZ >= nb) return oldmem; /* do nothing */

        /* Must alloc, copy, free. */
        //调用 __libc_malloc分配新的chunk
        newmem = __libc_malloc(bytes);
        if (newmem == 0) return 0; /* propagate failure */
        //拷贝数据到新的chunk
        memcpy(newmem, oldmem, oldsize - 2 * SIZE_SZ);
        //释放原来的chunk
        munmap_chunk(oldp);
        return newmem;
    }
    //获取分配区锁
    __libc_lock_lock(ar_ptr->mutex);
    //调用 _int_realloc 拓展原有chunk
    newp = _int_realloc(ar_ptr, oldp, oldsize, nb);
    //释放锁
    __libc_lock_unlock(ar_ptr->mutex);
    assert(!newp || chunk_is_mmapped(mem2chunk(newp)) ||
           ar_ptr == arena_for_chunk(mem2chunk(newp)));

    if (newp == NULL) {
        /* Try harder to allocate memory in other arenas.  */
        LIBC_PROBE(memory_realloc_retry, 2, bytes, oldmem);
        newp = __libc_malloc(bytes);
        if (newp != NULL) {
          //拷贝原数据到新的堆块
            memcpy(newp, oldmem, oldsize - SIZE_SZ);
            _int_free(ar_ptr, oldp, 0);
        }
    }

    return newp;
}

如果原有chunk不是通过mmap 分配的，则系统会调用 _int_realloc 函数来执行拓展内存的操作。如果调用失败，则在尝试在其他的 arena 处分配内存。

_int_realloc

void *_int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
                   INTERNAL_SIZE_T nb) {
    mchunkptr       newp;    /* chunk to return */
    INTERNAL_SIZE_T newsize; /* its size */
    void *          newmem;  /* corresponding user mem */

    mchunkptr next; /* next contiguous chunk after oldp */

    mchunkptr     remainder;      /* extra space at end of newp */
    unsigned long remainder_size; /* its size */

    mchunkptr bck; /* misc temp for linking */
    mchunkptr fwd; /* misc temp for linking */

    unsigned long    copysize; /* bytes to copy */
    unsigned int     ncopies;  /* INTERNAL_SIZE_T words to copy */
    INTERNAL_SIZE_T *s;        /* copy source */
    INTERNAL_SIZE_T *d;        /* copy destination */

    const char *errstr = NULL;

    /* oldmem size */
    //检查原有chunk的大小
    if (__builtin_expect(chunksize_nomask(oldp) <= 2 * SIZE_SZ, 0) ||
        __builtin_expect(oldsize >= av->system_mem, 0)) {
        errstr = "realloc(): invalid old size";
    errout:
        malloc_printerr(check_action, errstr, chunk2mem(oldp), av);
        return NULL;
    }
    //查看原有chunk是否在使用状态
    check_inuse_chunk(av, oldp);

    /* All callers already filter out mmap'ed chunks.  */
    //原有chunk不是通过 mmap分配
    assert(!chunk_is_mmapped(oldp));
    //获取原有chunk 的下一个 next chunk,及大小 nextsize
    next                     = chunk_at_offset(oldp, oldsize);
    INTERNAL_SIZE_T nextsize = chunksize(next);
    //检查next chunk 大小
    if (__builtin_expect(chunksize_nomask(next) <= 2 * SIZE_SZ, 0) ||
        __builtin_expect(nextsize >= av->system_mem, 0)) {
        errstr = "realloc(): invalid next size";
        goto errout;
    }
    //如果原来chunk的size大于用户请求的大小
    //则新块等于原来的size
    if ((unsigned long) (oldsize) >= (unsigned long) (nb)) {
        /* already big enough; split below */
        newp    = oldp;
        newsize = oldsize;
    }
    //如果next chunk是 top chunk
    //直接增大原有chunk的size，更新top chunk的头
    else {
        /* Try to expand forward into top */
        if (next == av->top &&
            (unsigned long) (newsize = oldsize + nextsize) >=
                (unsigned long) (nb + MINSIZE)) {
            set_head_size(oldp, nb | (av != &main_arena ? NON_MAIN_ARENA : 0));
            av->top = chunk_at_offset(oldp, nb);
            set_head(av->top, (newsize - nb) | PREV_INUSE);
            check_inuse_chunk(av, oldp);
            return chunk2mem(oldp);
        }

        /* Try to expand forward into next chunk;  split off remainder below */
        //如果next chunk不是 top chunk，且其没有被使用
        //并且原有chunk和next chunk的大小合起来大于用户请求size
        else if (next != av->top && !inuse(next) &&
                 (unsigned long) (newsize = oldsize + nextsize) >=
                     (unsigned long) (nb)) {
            //直接将新next chunk解链，合并到chunk中
            newp = oldp;
            unlink(av, next, bck, fwd);
        }

        /* allocate, copy, free */
        //如果next chunk不为空闲块，调用 _int_malloc 分配新的用户请求size的块
        else {
            newmem = _int_malloc(av, nb - MALLOC_ALIGN_MASK);
            if (newmem == 0) return 0; /* propagate failure */

            newp    = mem2chunk(newmem);
            newsize = chunksize(newp);

            /*
               Avoid copy if newp is next chunk after oldp.
             */
            //如果新的chunk就是next chunk，则直接将原有chunk和新的chunk合并
            //返回给用户的chunk不变
            if (newp == next) {
                newsize += oldsize;
                newp = oldp;
            } else {
                /*
                   Unroll copy of <= 36 bytes (72 if 8byte sizes)
                   We know that contents have an odd number of
                   INTERNAL_SIZE_T-sized words; minimally 3.
                 */
                //获取拷贝数据的大小，起始地址和终止地址
                copysize = oldsize - SIZE_SZ;
                s        = (INTERNAL_SIZE_T *) (chunk2mem(oldp));
                d        = (INTERNAL_SIZE_T *) (newmem);
                ncopies  = copysize / sizeof(INTERNAL_SIZE_T);
                assert(ncopies >= 3);
                //拷贝数据
                if (ncopies > 9)
                    memcpy(d, s, copysize);
                //拷贝不足依次copies的数据
                else {
                    *(d + 0) = *(s + 0);
                    *(d + 1) = *(s + 1);
                    *(d + 2) = *(s + 2);
                    if (ncopies > 4) {
                        *(d + 3) = *(s + 3);
                        *(d + 4) = *(s + 4);
                        if (ncopies > 6) {
                            *(d + 5) = *(s + 5);
                            *(d + 6) = *(s + 6);
                            if (ncopies > 8) {
                                *(d + 7) = *(s + 7);
                                *(d + 8) = *(s + 8);
                            }
                        }
                    }
                }
                //释放原有 chunk
                _int_free(av, oldp, 1);
                check_inuse_chunk(av, newp);
                return chunk2mem(newp);
            }
        }
    }

    /* If possible, free extra space in old or extended chunk */
    //如果新的chunk大于用户请求的size
    assert((unsigned long) (newsize) >= (unsigned long) (nb));
    //切割新的chunk
    remainder_size = newsize - nb;
    //设置剩下的remainder的堆头和inuse位
    if (remainder_size < MINSIZE) /* not enough extra to split off */
    {
        set_head_size(newp, newsize | (av != &main_arena ? NON_MAIN_ARENA : 0));
        set_inuse_bit_at_offset(newp, newsize);
    } else /* split remainder */
    {
        //释放remainder堆块
        remainder = chunk_at_offset(newp, nb);
        set_head_size(newp, nb | (av != &main_arena ? NON_MAIN_ARENA : 0));
        set_head(remainder, remainder_size | PREV_INUSE |
                                (av != &main_arena ? NON_MAIN_ARENA : 0));
        /* Mark remainder as inuse so free() won't complain */
        set_inuse_bit_at_offset(remainder, remainder_size);
        _int_free(av, remainder, 1);
    }

    check_inuse_chunk(av, newp);
    return chunk2mem(newp);
}

_int_realloc ，主要有：

判断现有chunk 的下一个next chunk是否空闲，如果空闲直接将现有 chunk 拓展到 next chunk即可；
如果next chunk是 top chunk也可以直接拓展；
如果next chunk是使用状态，则直接调用 _int_malloc 分配新的 chunk；
如果新的 chunk 是紧邻的原有 chunk，则直接将原有chunk 也合并到新的 chunk；
拷贝原有数据到新的chunk
释放原来的chunk
如果新的 chunk大于用户请求的size，则实行堆块划分，将多余剩下的chunk 释

malloc_consolidate

主要作用是对堆进行初始化，以及将 fastbin 中的空闲 chunk 合并到 unsorted bin

/*
  ------------------------- malloc_consolidate -------------------------

  malloc_consolidate is a specialized version of free() that tears
  down chunks held in fastbins.  Free itself cannot be used for this
  purpose since, among other things, it might place chunks back onto
  fastbins.  So, instead, we need to use a minor variant of the same
  code.

  Also, because this routine needs to be called the first time through
  malloc anyway, it turns out to be the perfect place to trigger
  initialization code.
*/

static void malloc_consolidate(mstate av) {
    mfastbinptr *fb;             /* current fastbin being consolidated */
    mfastbinptr *maxfb;          /* last fastbin (for loop control) */
    mchunkptr    p;              /* current chunk being consolidated */
    mchunkptr    nextp;          /* next chunk to consolidate */
    mchunkptr    unsorted_bin;   /* bin header */
    mchunkptr    first_unsorted; /* chunk to link to */

    /* These have same use as in free() */
    mchunkptr       nextchunk;
    INTERNAL_SIZE_T size;
    INTERNAL_SIZE_T nextsize;
    INTERNAL_SIZE_T prevsize;
    int             nextinuse;
    mchunkptr       bck;
    mchunkptr       fwd;

    /*
      If max_fast is 0, we know that av hasn't
      yet been initialized, in which case do so below
    */
    //如果fastbin未初始化，则 global_max_fast 为0
    if (get_max_fast() != 0) {
        clear_fastchunks(av);
        //获得unsorted bin链表头
        unsorted_bin = unsorted_chunks(av);

        /*
          Remove each chunk from fast bin and consolidate it, placing it
          then in unsorted bin. Among other reasons for doing this,
          placing in unsorted bin avoids needing to calculate actual bins
          until malloc is sure that chunks aren't immediately going to be
          reused anyway.
        */
        //得到size最大的fast bin 链表头
        maxfb = &fastbin(av, NFASTBINS - 1);
        //得到第一个fast bin的链表头
        fb    = &fastbin(av, 0);
        do {
          //当前fast bin链表的头指针
            p = atomic_exchange_acq(fb, NULL);
            //链表不为空
            if (p != 0) {
                do {
                  //检查 chunk p 的inuse位
                    check_inuse_chunk(av, p);
                    //获取下一个next chunk
                    nextp = p->fd;

                    /* Slightly streamlined version of consolidation code in
                     * free() */
                    //获取 chunk p 的size和next chunk的头指针和大小
                    size      = chunksize(p);
                    nextchunk = chunk_at_offset(p, size);
                    nextsize  = chunksize(nextchunk);
                    //判断物理相邻的上一个堆块Prev chunk是否在使用
                    if (!prev_inuse(p)) {
                        //prev chunk 释放时，向前合并 prev chunk
                        prevsize = prev_size(p);
                        size += prevsize;
                        p = chunk_at_offset(p, -((long) prevsize));
                        unlink(av, p, bck, fwd);
                    }
                    //next chunk不是 top chunk
                    if (nextchunk != av->top) {
                        nextinuse = inuse_bit_at_offset(nextchunk, nextsize);
                        //next chunk未使用
                        if (!nextinuse) {
                          //后向合并 next chunk
                            size += nextsize;
                            unlink(av, nextchunk, bck, fwd);
                        } else
                            clear_inuse_bit_at_offset(nextchunk, 0);
                        //得到unsorted bin链表的链表头
                        first_unsorted     = unsorted_bin->fd;
                        //将 P 插入当前 unsortedbin 链表头
                        unsorted_bin->fd   = p;
                        first_unsorted->bk = p;
                        //large chunk需要设置 fd_nextsize和bk_nextsize
                        if (!in_smallbin_range(size)) {
                            p->fd_nextsize = NULL;
                            p->bk_nextsize = NULL;
                        } 
                        //设置新的chunk p的堆头和标志位
                        set_head(p, size | PREV_INUSE);
                        //将chunk P插入unsorted bin链表头
                        p->bk = unsorted_bin;
                        p->fd = first_unsorted;
                        set_foot(p, size);
                    }

                    else {
                      //将 chunk P 合并到 top chunk
                        size += nextsize;
                        set_head(p, size | PREV_INUSE);
                        av->top = p;
                    }

                } while ((p = nextp) != 0);
            }
        } while (fb++ != maxfb);
    } else {
        //初始化堆块
        malloc_init_state(av);
        check_malloc_state(av);
    }
}

首先通过 get_max_fast 判断堆是否初始化，若为初始化，则初始化堆，否则进入下一步
将 malloc_state 中表示fast bin 中含有空闲 chunk 的标志位清空，进入下一步
对 fast bin 中的每个 chunk 进行下列操作：
1. 与其物理相邻的chunk 进行前向合并
2. 若与 top chunk相邻，则与 top chunk 进行合并
3. 与其物理相邻的 chunk 进行后向合并

Glibc 2.26 Tcache

基本结构

tcache_entry

tcache_entry 用于链接空闲的 chunk 结构体，其中的 next 指针指向下一个大小相同的 chunk。

此处 next 指针指向 chunk 的 user data，而不是fastbin 的fd 指向堆头。

/* We overlay this structure on the user-data portion of a chunk when
   the chunk is stored in the per-thread cache.  */
typedef struct tcache_entry
{
  //指向下一个大小相同的 chunk
  struct tcache_entry *next;
} tcache_entry;

tcache_perthread_struct

每个线程都会维护一个 tcache_perthread_struct结构，他是整个 tcache 的管理结构，一共有 TCACHE_MAX_BINS 个计数器和 TCACHE_MAX_BINS 项 tcache_entry。

/* There is one of these for each thread, which contains the
   per-thread cache (hence "tcache_perthread_struct").  Keeping
   overall size low is mildly important.  Note that COUNTS and ENTRIES
   are redundant (we could have just counted the linked list each
   time), this is for performance reasons.  */
typedef struct tcache_perthread_struct
{
  //每个tcache链表的大小
  char counts[TCACHE_MAX_BINS];
  //每个tcache链表的头指针
  tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;

# define TCACHE_MAX_BINS                64c

static __thread tcache_perthread_struct *tcache = NULL;

tcache_entry 用单链表的方式链接了相同大小的处于空闲状态(free 后) 的chunk，与 fast bin类似；

counts 记录了 tcache_entry 链上空闲 chunk 的数目，每条链上最多可以有 7 个 chunk

如下图所示：（图来自：CTF WIKI）

重要函数

__libc_malloc

相比于 2.23版本，2.26版本的 _libc_malloc 会首先进入 tcache 判断是否能分配tcache，先于原有的 fastbin分配。

void *
__libc_malloc (size_t bytes)
{
    ......
    ......
#if USE_TCACHE
  /* int_free also calls request2size, be careful to not pad twice.  */
  size_t tbytes;
  // 根据 malloc 传入的参数计算 chunk 实际大小，并计算 tcache 对应的下标
  checked_request2size (bytes, tbytes);
  size_t tc_idx = csize2tidx (tbytes);

  // 初始化 tcache
  MAYBE_INIT_TCACHE ();
  DIAG_PUSH_NEEDS_COMMENT;
  //判断对应size的tcache链表内是否有tcache
  if (tc_idx < mp_.tcache_bins  // 根据 size 得到的 idx 在合法的范围内
      /*&& tc_idx < TCACHE_MAX_BINS*/ /* to appease gcc */
      && tcache
      && tcache->entries[tc_idx] != NULL) // tcache->entries[tc_idx] 有 chunk
    {
      return tcache_get (tc_idx);
    }
  DIAG_POP_NEEDS_COMMENT;
#endif
    ......
    ......
}

在 tcache为空，即第一次调用 __libc_malloc 时，函数 MAYBE_INIT_TCACHE 会调用 tcache_init函数对 tcache进行初始化。

tcache_init(void)
{
  mstate ar_ptr;
  void *victim = 0;
  const size_t bytes = sizeof (tcache_perthread_struct);
  if (tcache_shutting_down)
    return;
  arena_get (ar_ptr, bytes); // 找到可用的 arena
  victim = _int_malloc (ar_ptr, bytes); // 申请一个 sizeof(tcache_prethread_struct) 大小的 chunk
  //未分配成功，重新更新分配区分配 tcache_prethread_struct
  if (!victim && ar_ptr != NULL)
    {
      ar_ptr = arena_get_retry (ar_ptr, bytes);
      victim = _int_malloc (ar_ptr, bytes);
    }
  if (ar_ptr != NULL)
    __libc_lock_unlock (ar_ptr->mutex);
  /* In a low memory situation, we may not be able to allocate memory
     - in which case, we just keep trying later.  However, we
     typically do this very early, so either there is sufficient
     memory, or there isn't enough memory to do non-trivial
     allocations anyway.  */
  if (victim) // 初始化 tcache
    {
      tcache = (tcache_perthread_struct *) victim;
      //将tcache初始化为0
      memset (tcache, 0, sizeof (tcache_perthread_struct));
    }
}

接下来就是从 tcache中申请内存：

  // 从 tcache list 中获取内存
  if (tc_idx < mp_.tcache_bins // 由 size 计算的 idx 在合法范围内
      /*&& tc_idx < TCACHE_MAX_BINS*/ /* to appease gcc */
      && tcache
      && tcache->entries[tc_idx] != NULL) // 该条 tcache 链不为空
    {
      return tcache_get (tc_idx);
    }
  DIAG_POP_NEEDS_COMMENT;
#endif
  // 进入与无 tcache 时类似的流程
  if (SINGLE_THREAD_P)
    {
      victim = _int_malloc (&main_arena, bytes);
      assert (!victim || chunk_is_mmapped (mem2chunk (victim)) ||
              &main_arena == arena_for_chunk (mem2chunk (victim)));
      return victim;
    }

当tcache 不为空时，会使用 tcache_get 函数来获取 tcache。如果 tcache 为空，则进入与 2.23一致的内存申请流程。

tcache_get()

/* Caller must ensure that we know tc_idx is valid and there's
   available chunks to remove.  */
static __always_inline void *
tcache_get (size_t tc_idx)
{
  //获取对应大小的tcache链表链表头
  tcache_entry *e = tcache->entries[tc_idx];
  //如果该链表idx没有超过tcache最大的链表数
  assert (tc_idx < TCACHE_MAX_BINS);
  //对应的链表非空
  assert (tcache->entries[tc_idx] > 0);
  //将对应的tcache链表头指向 当前链表头的下一个节点
  tcache->entries[tc_idx] = e->next;
  //减小当前tcache链表中的节点数
  --(tcache->counts[tc_idx]); // 获得一个 chunk，counts 减一
  return (void *) e;
}

tcache_get流程比较简单，而且可以看到从 tcache链表中，获取tcache没有做太多保护，仅仅检查了链表idx 和链表非空。那么我们从 tcache 中获取伪造的 chunk 将会特别简单。

__libc_free

void
__libc_free (void *mem)
{
  ......
  ......
  MAYBE_INIT_TCACHE ();
  ar_ptr = arena_for_chunk (p);
  _int_free (ar_ptr, p, 0);
}

在 _libc_free 函数中并没有太多的变化，重点变化是在 _int_free 函数中。

_int_free

static void
_int_free (mstate av, mchunkptr p, int have_lock)
{
  ......
  ......
#if USE_TCACHE
  {
    //获取对应大小的tcache链表的索引
    size_t tc_idx = csize2tidx (size);
    //tcache存在，且idx未超过tcache限制
    //当前大小的tcache链表未满
    if (tcache
        && tc_idx < mp_.tcache_bins // 64
        && tcache->counts[tc_idx] < mp_.tcache_count) // 7
      {
        //将当前chunk放入tcache中
        tcache_put (p, tc_idx);
        return;
      }
  }
#endif
  ......
  ......

判断 tc_idx 合法，tcache->sounts[tc_idx] 在 7 个以内，就进入 tcache_put() ，传递的两个参数是要释放的 chuk 和该 chunk 对应的 size 在 tcache中的下标。

tcache_put()

/* Caller must ensure that we know tc_idx is valid and there's room
   for more chunks.  */
static __always_inline void
tcache_put (mchunkptr chunk, size_t tc_idx)
{
  //将用户区指针转为chunk堆头
  tcache_entry *e = (tcache_entry *) chunk2mem (chunk);
  //判断当前size的tcache链表索引是否合法
  assert (tc_idx < TCACHE_MAX_BINS);
  //将用户chunk的next指向当前tcache链表头
  e->next = tcache->entries[tc_idx];
  //将当前链表头设为用户chunk
  tcache->entries[tc_idx] = e;
  //增加tcache 数量
  ++(tcache->counts[tc_idx]);
}

tcache_puts 完成了把释放的 chunk 插入到 tcache->entries[tc_idx] 链表头部的操作，也没有太多的保护，没有把 P 位置为 0，也就是存在 free 伪造块和 double free 漏洞。

漏洞原因分析

off-by-one

1.溢出字节为可控制任意字节：通过修改大小造成块结构之间出现重叠，从而泄露其它块数据，或是覆盖其他快数据。

原理：由于向前合并和向后合并是通过本块 chunk的size和 prev_size找到的，如果伪造 size 或者 prev_size 就能向前覆盖或者向后覆盖。

2.溢出自己为NULL字节：（1）覆盖 prev_in_use位为0，会让前块被认为是 free块，在free当前块时会与前块进行合并，前块会执行 unlink 解链操作。unlink操作存在漏洞；（2）当prev_in_use位被置为0，prev_chunk的 prev_size 会存储前块的大小，通过伪造prev_size 实现向前合并到指定地址。

原理： 由于 prev_inuse 标识前一块是否被释放，执行堆合并时，前块不是fastbin时会执行 unlink操作，unlink存在漏洞。堆合并时向前合并是通过 prev_size 和本块的 size 向前找到前一块的堆头，如果伪造 prev_size 和前一块堆头，就能使得向前合并到我们想要的地址。并且合并时，没有检查前一个块的 size 是否与 prev_size 相同。

Chunk Extend

对 inuse 的fastbin 进行 extend

申请两个 fastbin chunk1 和 chunk2，大小都为 0x21，如果修改 chunk1 的大小为 0x41，然后释放chunk1。那么再申请一个 0x41 的chunk3，chunk3 就能够覆盖 chunk2 的数据。

原理： free fastbin 堆块时，只检查当前堆块是否在使用状态，通过 chunk_ptr + chunk_size 得到相邻的下一个chunk的堆头的 prev_inuse位来检查；所以修改当前 chunk 的size 后，只要能保证其物理相邻的下一个chunk的 prev_inuse 被置为1 ，就能对该 fastbin进行释放。

对 inuse 的 smallbin 进行 extend

申请一个 chunk1 大小为 0xa1, 申请 chunk2 大小为 0x21，申请 chunk3 大小为 0x21(隔断 top chunk)。修改 chunk1 的size 为 0xc1，并释放该chunk。最后再申请 chunk 3 大小为 0xc1，那么 chunk3 就能够覆盖 chunk2的数据区。

原理: 释放一个 smallbin时，会先将 chunk 放入 unsortedbin，并且执行前向合并和后向合并。只要保证当前 chunk 的 prev_inuse 位被置为1，则不会进行前向合并。保证通过 fake_chunk_size 找到的后一个 chunk 的堆头正确，即 prev_inuse 被置为1，则成功。

对 free 的 smallbin 进行 extend

一个释放的 smallbin chunk1 的size 为 0xa1，其相邻的在使用的 chunk2 大小为 0x21，chunk3 也在使用状态。然后修改 chunk1 的size 为 0xc1，然后分配 0xc1 的chunk4，那么 chunk4 就能够覆盖chunk2。

原理：

通过extend 后向 overlapping

int main()
{
    void *ptr,*ptr1;

    ptr=malloc(0x10);//分配第1个 0x80 的chunk1
    malloc(0x10); //分配第2个 0x10 的chunk2
    malloc(0x10); //分配第3个 0x10 的chunk3
    malloc(0x10); //分配第4个 0x10 的chunk4    
    *(int *)((int)ptr-0x8)=0x61;
    free(ptr);
    ptr1=malloc(0x50);
}

原理： 释放一个堆块时仅通过当前 chunk 的 size 找到后一个堆块的 prev_inuse位在使用；申请一个fastbin 堆块时，先检查了 fastbin 中链表是否有满足大小的 chunk。

通过 extend 前向 overlapping

int main(void)
{
    void *ptr1,*ptr2,*ptr3,*ptr4;
    ptr1=malloc(128);//smallbin1
    ptr2=malloc(0x10);//fastbin1
    ptr3=malloc(0x10);//fastbin2
    ptr4=malloc(128);//smallbin2
    malloc(0x10);//防止与top合并
    free(ptr1);
    *(int *)((long long)ptr4-0x8)=0x90;//修改pre_inuse域
    *(int *)((long long)ptr4-0x10)=0xd0;//修改pre_size域
    free(ptr4);//unlink进行前向extend
    malloc(0x150);//占位块

}

原理： 释放大于 fastbin 的堆块时，会进行前向和后向合并。前向合并仅检查当前堆块的 prev_inuse 确定前一个堆块为释放状态，通过 prev_size 找到前一个堆块头，然后将前一个堆块 unlink，然后堆块合并返回。

Unlink

在大于 small bin 的堆块 free 时，会检查其前一个堆块和后一个堆块是否在释放状态，然后执行前向合并和后向合并。合并时，会执行 unlink 操作，unlink操作需要用到 Prev chunk 的 fd 和 bk 指针执行如下操作：

1
2
3

//修改FD 和 BK的bk和fd指针
FD->bk = BK;                                                       
BK->fd = FD;

unlink 检查为：

1
2
3

// fd bk
if (__builtin_expect (FD->bk != P || BK->fd != P, 0))                      \
  malloc_printerr (check_action, "corrupted double-linked list", P, AV);  \

通过如下绕过：

32位：
*P = P - 8
*P = P - 12
64位：
*P = P - 0x10
*P = P - 0x18

Fastbin Attack

Fastbin Double Free

int main(void)
{
    void *chunk1,*chunk2,*chunk3;
    chunk1=malloc(0x10);
    chunk2=malloc(0x10);

    free(chunk1);
    free(chunk2);
    free(chunk1);
    return 0;
}

原理：

fastbin 的堆块被释放后 next_chunk 的 pre_inuse 位不会被清空
fastbin 在执行 free 的时候仅验证了 main_arena 直接指向的块，即链表指针头部的块。对于链表后面的块，并没有进行验证。

House of Spirit

在目标位置伪造 fastbin chunk，并将其释放，从而达到分配指定地址的 chunk 的目的。

伪造条件：

fake chunk 的 ISMMAP 位不能为 1，因为 free 时，如果是 mmap 的 chunk，会单独处理。
fake chunk 地址需要对齐， MALLOC_ALIGN_MASK
fake chunk 的 size 大小需要满足对应的 fastbin 的需求，同时也得对齐。
fake chunk 的 next chunk 的大小不能小于 2 * SIZE_SZ，同时也不能大于av->system_mem 。
fake chunk 对应的 fastbin 链表头部不能是该 fake chunk，即不能构成 double free 的情况。

原理： free 函数 free 一个堆块时，只会对该堆块进行如上检测，将检测都符合那么就会正常释放该堆块。然后即可正常 malloc 出来。

Alloc to Stack & Arbitrary Alloc

劫持一个释放的 fastbin 的 fd 指针到我们指定的目的地址，只需要在目的地址伪造满足条件的堆头，fake size满足 fastbin 大小，fake chunk的堆头地址是对齐的。

Unsorted bin Attack

释放一个 chunk 到 unsortedbin中，然后修改该 chunk 的 bk 指针指向我们想要修改的内存地址-0x10，然后分配该大小的 chunk，就会将我们想要修改的内存地址设置为 unsortedbin 堆块的地址。

原理：当分配一个恰好合适的 unsortedbin 时，会执行以下代码：

/* remove from unsorted list */
if (__glibc_unlikely (bck->fd != victim))
  malloc_printerr ("malloc(): corrupted unsorted chunks 3");
unsorted_chunks (av)->bk = bck;
bck->fd = unsorted_chunks (av);

Tcache Attack

tcache poisoning

修改 tcache 结构的 next 指针为我们想要的内存地址，而且没有了对伪造chunk size的限制。能够成功在想要的内存地址伪造堆块。

tcache dup

因为 tcache_put 对 free tcache 时也没有太多检查，所以可以对同一个 tcache 释放两次，造成double free 漏洞。

tcache perthread corruption

tcache_prethread_struct 也在堆上，可以通过掌控这个结构来掌管整个 malloc 的情况

tcache house of spirit

在栈上伪造块的 size，然后释放该地址，即能够将该地址放入 tcache 链表内，再分配出来即可控制该 stack 地址。

smallbin unlink

在 smallbin 中包含有空闲块的时候，会同时将同大小的其他空闲块，放入 tcache 中，此时也会出现解链操作，但相比于 unlink宏，缺少了链完整性检验，因此原本的 unlink 操作在该条件下也可以使用。

tcache stashing unlink attack

这种攻击利用的是 tcache bin 有剩余 (数量小于 TCACHE_MAX_BINS ) 时，同大小的 small bin 会放进 tcache 中 (这种情况可以用 calloc 分配同大小堆块触发，因为 calloc 分配堆块时不从 tcache bin 中选取)。在获取到一个 smallbin 中的一个 chunk 后会如果 tcache 仍有足够空闲位置，会将剩余的 small bin 链入 tcache ，在这个过程中只对第一个 bin 进行了完整性检查，后面的堆块的检查缺失。当攻击者可以写一个 small bin 的 bk 指针时，其可以在任意地址上写一个 libc 地址 (类似 unsorted bin attack 的效果)。构造得当的情况下也可以分配 fake chunk 到任意地址。

参考文献

https://www.lyyl.online/2019/09/28/malloc%E5%92%8Cfree%E6%BA%90%E7%A0%81%E5%88%86%E6%9E%90/

https://ctf-wiki.github.io/ctf-wiki/pwn/linux/glibc-heap/implementation/tcache-zh/

本文作者： A1ex
本文链接： http://yoursite.com/2020/09/28/glibc-malloc源码分析/
版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！