glibc2.31 how2heap

2021-01-28  clive0x

Last year I spent a month of spare time on heap overflows and only half understood them; this year it took another two months of spare time before I finally worked them out. It is fairly complex.

https://github.com/shellphish/how2heap/blob/master/glibc_2.31/unsafe_unlink.c

printf("We setup the 'next_free_chunk' (fd) of our fake chunk to point near to &chunk0_ptr so that P->fd->bk = P.\n");

chunk0_ptr[2] = (uint64_t) &chunk0_ptr-(sizeof(uint64_t)*3);

printf("We setup the 'previous_free_chunk' (bk) of our fake chunk to point near to &chunk0_ptr so that P->bk->fd = P.\n");

printf("With this setup we can pass this check: (P->fd->bk != P || P->bk->fd != P) == False\n");

chunk0_ptr[3] = (uint64_t) &chunk0_ptr-(sizeof(uint64_t)*2);

These two lines are hard to follow, so let's go straight to a picture:

chunk0_ptr is used as fake_chunk

chunk0_ptr[1] is the size field of fake_chunk

chunk0_ptr[2] is the fd field of fake_chunk

chunk0_ptr[3] is the bk field of fake_chunk

What has to be understood is the following two statements:

chunk0_ptr[2] = (uint64_t) &chunk0_ptr-(sizeof(uint64_t)*3);

chunk0_ptr[3] = (uint64_t) &chunk0_ptr-(sizeof(uint64_t)*2);

You need to know how unlink works: it requires fake_chunk->fd->bk == fake_chunk

and fake_chunk->bk->fd == fake_chunk

chunk0_ptr[2] is the fd pointer, so we have to satisfy fake_chunk->fd->bk == fake_chunk.

Look at fake_chunk->fd as a whole, as if it were another chunk: its chunk address must be &fake_chunk - 3 (three pointer widths before the variable chunk0_ptr that holds the fake chunk's address), because bk lies 3 pointer widths into a chunk. Then fd->bk lands exactly on chunk0_ptr, which contains the fake chunk's address, and the condition holds. The same reasoning with an offset of 2 gives chunk0_ptr[3]: fd lies 2 pointer widths into a chunk, so a bk of &fake_chunk - 2 makes bk->fd read chunk0_ptr as well.
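To make the pointer arithmetic above concrete, here is an added example (my own code, not how2heap's and not glibc's) that re-implements the two sanity checks glibc 2.31's unlink_chunk() performs, expressed over 64-bit words, and lays out a fake chunk with exactly the two assignments from the page. Nothing is freed and no real allocator is involved; the program only reports which checks the layout passes. The function names, the padded struct around chunk0_ptr, the 12-word chunk0_mem array and the fake size 0x40 are my assumptions for the model. Beyond the page's fixed offsets, it takes the fd/bk offsets as parameters so you can see that 3 and 2 are the only pair that satisfies the check, and it adds the size-vs-prev_size check that glibc has had since 2.26, which the page's two lines alone do not address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not part of how2heap or glibc. Word offsets inside a chunk
 * on x86-64: [0] prev_size, [1] size, [2] fd, [3] bk. */

#define SIZE_BITS 7UL                         /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define CHUNKSIZE(p) ((p)[1] & ~SIZE_BITS)

/* The global that holds the fake chunk's address (chunk0_ptr in how2heap).
 * It sits between two zeroed pads so that fd/bk values a few words before it
 * still point at memory this program owns. volatile keeps the stores in order. */
static struct {
    uint64_t pad_before[4];
    uint64_t * volatile ptr;
    uint64_t pad_after[4];
} g;
#define chunk0_ptr (g.ptr)

/* Stand-in for chunk0's user data (12 words), including where the next chunk
 * header would start once a fake size of 0x40 is used. Constructed, not heap memory. */
static uint64_t chunk0_mem[12];

/* Check 1 ("corrupted double-linked list"): P->fd->bk == P && P->bk->fd == P. */
int unlink_fd_bk_check(const uint64_t *p)
{
    const uint64_t *fd = (const uint64_t *)(uintptr_t)p[2];
    const uint64_t *bk = (const uint64_t *)(uintptr_t)p[3];
    return fd[3] == (uint64_t)(uintptr_t)p && bk[2] == (uint64_t)(uintptr_t)p;
}

/* Check 2 ("corrupted size vs. prev_size", glibc >= 2.26):
 * chunksize(P) == prev_size(next_chunk(P)). */
int unlink_size_check(const uint64_t *p)
{
    const uint64_t *next = (const uint64_t *)((const char *)p + CHUNKSIZE(p));
    return CHUNKSIZE(p) == next[0];
}

/* Build the fake chunk with fd = &chunk0_ptr - fd_off words and
 * bk = &chunk0_ptr - bk_off words, then run check 1. The page's values are
 * fd_off = 3 and bk_off = 2; any other pair reads a zeroed pad word instead. */
int fake_chunk_fd_bk_passes(size_t fd_off, size_t bk_off)
{
    chunk0_ptr = chunk0_mem;
    chunk0_ptr[2] = (uint64_t)(uintptr_t)&chunk0_ptr - sizeof(uint64_t) * fd_off;
    chunk0_ptr[3] = (uint64_t)(uintptr_t)&chunk0_ptr - sizeof(uint64_t) * bk_off;
    __asm__ __volatile__("" ::: "memory");   /* flush the stores before re-reading them as uint64_t */
    return unlink_fd_bk_check(chunk0_ptr);
}

/* Same layout plus a fake size of 0x40; check 2 then looks at the prev_size
 * word 64 bytes after the fake chunk. Returns 1 only when both checks pass. */
int fake_chunk_both_pass(int set_prev_size)
{
    int fdbk = fake_chunk_fd_bk_passes(3, 2);
    chunk0_ptr[1] = 0x40;                              /* fake chunk size (64 bytes) */
    chunk0_mem[8] = set_prev_size ? 0x40 : 0;          /* prev_size of the chunk 64 bytes later */
    __asm__ __volatile__("" ::: "memory");
    return fdbk && unlink_size_check(chunk0_ptr);
}

int main(void)
{
    printf("fd=-3, bk=-2      : fd/bk check %s\n", fake_chunk_fd_bk_passes(3, 2) ? "passes" : "fails");
    printf("fd=-2, bk=-3      : fd/bk check %s\n", fake_chunk_fd_bk_passes(2, 3) ? "passes" : "fails");
    printf("prev_size matches : both checks %s\n", fake_chunk_both_pass(1) ? "pass" : "fail");
    printf("prev_size missing : both checks %s\n", fake_chunk_both_pass(0) ? "pass" : "fail");
    return 0;
}
```

Walk through the first call: fd is &chunk0_ptr minus 24 bytes, so fd[3] is 24 bytes later, i.e. chunk0_ptr itself, which holds the fake chunk's address; bk is &chunk0_ptr minus 16 bytes and bk[2] lands on the same word. Swapping the offsets makes fd[3] read the pad after chunk0_ptr, which is zero, so the check fails. The second function shows the extra condition a 2.31 unlink imposes: the fake size must also be mirrored in the prev_size of the chunk that follows, which is why the how2heap program for this glibc version writes that field too.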

tcache has at most 64 bins (they work like hash slots), and each bin holds at most 7 chunks.

chunksizes from 24 to 1032 (12 to 516 on x86) bytes, in 16 (8 on x86) byte increments
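The figures above (64 bins, 7 chunks per bin, 24 to 1032 bytes in 16-byte steps) follow from three small macros in glibc's malloc.c. The following is an added example, written by me rather than taken from glibc or how2heap, that reproduces request2size(), csize2tidx() and tidx2usize() for x86-64 (SIZE_SZ = 8, MALLOC_ALIGNMENT = 16, MINSIZE = 32) and models the per-bin fill limit with a counter array. tcache_bin_for_request(), struct tcache_model and chunks_cached_after_frees() are my own names; real glibc keeps a linked list of chunks per bin, and the count limit is enforced in _int_free rather than inside tcache_put, which this model folds together.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from glibc or how2heap. x86-64 constants as in glibc 2.31. */
#define SIZE_SZ            8UL
#define MALLOC_ALIGNMENT   16UL
#define MALLOC_ALIGN_MASK  (MALLOC_ALIGNMENT - 1)
#define MINSIZE            32UL
#define TCACHE_MAX_BINS    64
#define TCACHE_FILL_COUNT  7    /* default mp_.tcache_count */

/* request2size(): user request -> aligned chunk size including the header. */
size_t request2size(size_t req)
{
    size_t sz = (req + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK;
    return sz < MINSIZE ? MINSIZE : sz;
}

/* csize2tidx(): chunk size -> tcache bin index. */
size_t csize2tidx(size_t csize)
{
    return (csize - MINSIZE + MALLOC_ALIGNMENT - 1) / MALLOC_ALIGNMENT;
}

/* tidx2usize(): bin index -> largest user request that bin serves. */
size_t tidx2usize(size_t idx)
{
    return idx * MALLOC_ALIGNMENT + MINSIZE - SIZE_SZ;
}

/* Bin index for a user request, or -1 when the request is too large for tcache. */
int tcache_bin_for_request(size_t req)
{
    size_t idx = csize2tidx(request2size(req));
    return idx < TCACHE_MAX_BINS ? (int)idx : -1;
}

/* Minimal model of tcache_perthread_struct: only the per-bin counters. */
struct tcache_model { uint8_t counts[TCACHE_MAX_BINS]; };

/* Accept a freed chunk into its bin unless that bin already holds
 * TCACHE_FILL_COUNT chunks; glibc then falls through to fastbins/unsorted. */
int tcache_put(struct tcache_model *t, size_t req)
{
    int idx = tcache_bin_for_request(req);
    if (idx < 0 || t->counts[idx] >= TCACHE_FILL_COUNT)
        return 0;
    t->counts[idx]++;
    return 1;
}

/* Free n chunks of the same request size into an empty model and return
 * how many the tcache actually kept. */
int chunks_cached_after_frees(size_t req, int n)
{
    struct tcache_model t = {{0}};
    int taken = 0;
    for (int i = 0; i < n; i++)
        taken += tcache_put(&t, req);
    return taken;
}

int main(void)
{
    size_t reqs[] = {0, 24, 25, 1032, 1033};
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("request %4zu -> chunk size %4zu -> tcache bin %d\n",
               reqs[i], request2size(reqs[i]), tcache_bin_for_request(reqs[i]));
    printf("largest request in bin 63: %zu\n", tidx2usize(TCACHE_MAX_BINS - 1));
    printf("10 frees of 24-byte chunks: tcache keeps %d\n", chunks_cached_after_frees(24, 10));
    return 0;
}
```

Requests 0 through 24 all round to the 32-byte minimum chunk and share bin 0; each further 16 bytes of request moves one bin up, so 1032 lands in bin 63 and 1033 overflows the tcache range. That is where "24 to 1032 in 16-byte increments" comes from, and the counter model shows the eighth free of a given size bypassing the tcache.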
