Heap Functions Security Checks

unlink

This is a summary of the performed checks:

• Check if the indicated size of the chunk is the same as the prev_size indicated in the next chunk* Error message: corrupted size vs. prev_size
• Check also that P->fd->bk == P and P->bk->fw == P* Error message: corrupted double-linked list
• If the chunk is not small, check that P->fd_nextsize->bk_nextsize == P and P->bk_nextsize->fd_nextsize == P* Error message: corrupted double-linked list (not small)

_int_malloc

For more info check:

{% content-ref url="malloc-and-sysmalloc.md" %} malloc-and-sysmalloc.md {% endcontent-ref %}

• Checks during fast bin search:* If the chunk is misaligned:- Error message: malloc(): unaligned fastbin chunk detected 2
  • If the forward chunk is misaligned:* Error message: malloc(): unaligned fastbin chunk detected
  • If the returned chunk has a size that isn't correct because of it's index in the fast bin:* Error message: malloc(): memory corruption (fast)
  • If any chunk used to fill the tcache is misaligned:* Error message: malloc(): unaligned fastbin chunk detected 3
• Checks during small bin search:* If victim->bk->fd != victim:- Error message: malloc(): smallbin double linked list corrupted
• Checks during consolidate performed for each fast bin chunk:* If the chunk is unaligned trigger:- Error message: malloc_consolidate(): unaligned fastbin chunk detected
  • If the chunk has a different size that the one it should because of the index it's in:* Error message: malloc_consolidate(): invalid chunk size
  • If the previous chunk is not in use and the previous chunk has a size different of the one indicated by prev_chunk:* Error message: corrupted size vs. prev_size in fastbins
• Checks during unsorted bin search:* If the chunk size is weird (too small or too big):- Error message: malloc(): invalid size (unsorted)
  • If the next chunk size is weird (too small or too big):* Error message: malloc(): invalid next size (unsorted)
  • If the previous size indicated by the next chunk differs from the size of the chunk:* Error message: malloc(): mismatching next->prev_size (unsorted)
  • If not victim->bck->fd == victim or not victim->fd == av (arena):* Error message: malloc(): unsorted double linked list corrupted
    • As we are always checking the las one, it's fd should be pointing always to the arena struct.
  • If the next chunk isn't indicating that the previous is in use:* Error message: malloc(): invalid next->prev_inuse (unsorted)
  • If fwd->bk_nextsize->fd_nextsize != fwd:* Error message: malloc(): largebin double linked list corrupted (nextsize)
  • If fwd->bk->fd != fwd:* Error message: malloc(): largebin double linked list corrupted (bk)
• Checks during large bin (by index) search:* bck->fd-> bk != bck:- Error message: malloc(): corrupted unsorted chunks
• Checks during large bin (next bigger) search:* bck->fd-> bk != bck:- Error message: malloc(): corrupted unsorted chunks2
• Checks during Top chunk use:* chunksize(av->top) > av->system_mem:- Error message: malloc(): corrupted top size

tcache_get_n

• Checks in tcache_get_n**:*** If chunk is misaligned:- Error message: malloc(): unaligned tcache chunk detected

tcache_thread_shutdown

• Checks in tcache_thread_shutdown**:*** If chunk is misaligned:- Error message: tcache_thread_shutdown(): unaligned tcache chunk detected

__libc_realloc

• Checks in __libc_realloc**:*** If old pointer is misaligned or the size was incorrect:- Error message: realloc(): invalid pointer

_int_free

For more info check:

{% content-ref url="free.md" %} free.md {% endcontent-ref %}

• Checks during the start of _int_free**:*** Pointer is aligned:- Error message: free(): invalid pointer
  • Size larger than MINSIZE and size also aligned:* Error message: free(): invalid size
• Checks in _int_free tcache:* If there are more entries than mp_.tcache_count:- Error message: free(): too many chunks detected in tcache
  • If the entry is not aligned:* Error message: free(): unaligned chunk detected in tcache 2
  • If the freed chunk was already freed and is present as chunk in the tcache:* Error message: free(): double free detected in tcache 2
• Checks in _int_free fast bin:* If the size of the chunk is invalid (too big or small) trigger:- Error message: free(): invalid next size (fast)
  • If the added chunk was already the top of the fast bin:* Error message: double free or corruption (fasttop)
  • If the size of the chunk at the top has a different size of the chunk we are adding:* Error message: invalid fastbin entry (free)

``

• Checks in _int_free_merge_chunk**:*** If the chunk is the top chunk:- Error message: double free or corruption (top)
  • If the next chunk is outside of the boundaries of the arena:* Error message: double free or corruption (out)
  • If the chunk is not marked as used (in the prev_inuse from the following chunk):* Error message: double free or corruption (!prev)
  • If the next chunk has a too little size or too big:* Error message: free(): invalid next size (normal)
  • If the previous chunk is not in use, it will try to consolidate. But, if the prev_size differs from the size indicated in the previous chunk:* Error message: corrupted size vs. prev_size while consolidating

``

• Checks in _int_free_create_chunk**:*** Adding a chunk into the unsorted bin, check if unsorted_chunks(av)->fd->bk == unsorted_chunks(av):- Error message: free(): corrupted unsorted chunks

do_check_malloc_state

• Checks in do_check_malloc_state**:*** If misaligned fast bin chunk:- Error message: do_check_malloc_state(): unaligned fastbin chunk detected

malloc_consolidate

• Checks in malloc_consolidate**:*** If misaligned fast bin chunk:- Error message: malloc_consolidate(): unaligned fastbin chunk detected
  • If incorrect fast bin chunk size:* Error message: malloc_consolidate(): invalid chunk size

_int_realloc

• Checks in _int_realloc**:*** Size is too big or too small:- Error message: realloc(): invalid old size
  • Size of the next chunk is too big or too small:* Error message: realloc(): invalid next size