Heap Functions Security Checks

unlink

For more info check:

This is a summary of the performed checks:

• Check if the indicated size of the chunk is the same as the prev_size indicated in the next chunk

  • Error message: corrupted size vs. prev_size

• Check also that P->fd->bk == P and P->bk->fw == P

  • Error message: corrupted double-linked list

• If the chunk is not small, check that P->fd_nextsize->bk_nextsize == P and P->bk_nextsize->fd_nextsize == P

  • Error message: corrupted double-linked list (not small)

_int_malloc

For more info check:

• Checks during fast bin search:

  • If the chunk is misaligned:

    • Error message: malloc(): unaligned fastbin chunk detected 2

  • If the forward chunk is misaligned:

    • Error message: malloc(): unaligned fastbin chunk detected

  • If the returned chunk has a size that isn't correct because of it's index in the fast bin:

    • Error message: malloc(): memory corruption (fast)

  • If any chunk used to fill the tcache is misaligned:

    • Error message: malloc(): unaligned fastbin chunk detected 3

• Checks during small bin search:

  • If victim->bk->fd != victim:

    • Error message: malloc(): smallbin double linked list corrupted

• Checks during consolidate performed for each fast bin chunk:

  • If the chunk is unaligned trigger:

    • Error message: malloc_consolidate(): unaligned fastbin chunk detected

  • If the chunk has a different size that the one it should because of the index it's in:

    • Error message: malloc_consolidate(): invalid chunk size

  • If the previous chunk is not in use and the previous chunk has a size different of the one indicated by prev_chunk:

    • Error message: corrupted size vs. prev_size in fastbins

• Checks during unsorted bin search:

  • If the chunk size is weird (too small or too big):

    • Error message: malloc(): invalid size (unsorted)

  • If the next chunk size is weird (too small or too big):

    • Error message: malloc(): invalid next size (unsorted)

  • If the previous size indicated by the next chunk differs from the size of the chunk:

    • Error message: malloc(): mismatching next->prev_size (unsorted)

  • If not victim->bck->fd == victim or not victim->fd == av (arena):

    • Error message: malloc(): unsorted double linked list corrupted

    • As we are always checking the las one, it's fd should be pointing always to the arena struct.

  • If the next chunk isn't indicating that the previous is in use:

    • Error message: malloc(): invalid next->prev_inuse (unsorted)

  • If fwd->bk_nextsize->fd_nextsize != fwd:

    • Error message: malloc(): largebin double linked list corrupted (nextsize)

  • If fwd->bk->fd != fwd:

    • Error message: malloc(): largebin double linked list corrupted (bk)

• Checks during large bin (by index) search:

  • bck->fd-> bk != bck:

    • Error message: malloc(): corrupted unsorted chunks

• Checks during large bin (next bigger) search:

  • bck->fd-> bk != bck:

    • Error message: malloc(): corrupted unsorted chunks2

• Checks during Top chunk use:

  • chunksize(av->top) > av->system_mem:

    • Error message: malloc(): corrupted top size

tcache_get_n

• Checks in tcache_get_n:

  • If chunk is misaligned:

    • Error message: malloc(): unaligned tcache chunk detected

tcache_thread_shutdown

• Checks in tcache_thread_shutdown:

  • If chunk is misaligned:

    • Error message: tcache_thread_shutdown(): unaligned tcache chunk detected

__libc_realloc

• Checks in __libc_realloc:

  • If old pointer is misaligned or the size was incorrect:

    • Error message: realloc(): invalid pointer

_int_free

For more info check:

• Checks during the start of _int_free:

  • Pointer is aligned:

    • Error message: free(): invalid pointer

  • Size larger than MINSIZE and size also aligned:

    • Error message: free(): invalid size

• Checks in _int_free tcache:

  • If there are more entries than mp_.tcache_count:

    • Error message: free(): too many chunks detected in tcache

  • If the entry is not aligned:

    • Error message: free(): unaligned chunk detected in tcache 2

  • If the freed chunk was already freed and is present as chunk in the tcache:

    • Error message: free(): double free detected in tcache 2

• Checks in _int_free fast bin:

  • If the size of the chunk is invalid (too big or small) trigger:

    • Error message: free(): invalid next size (fast)

  • If the added chunk was already the top of the fast bin:

    • Error message: double free or corruption (fasttop)

  • If the size of the chunk at the top has a different size of the chunk we are adding:

    • Error message: invalid fastbin entry (free)

_int_free_merge_chunk

• Checks in _int_free_merge_chunk:

  • If the chunk is the top chunk:

    • Error message: double free or corruption (top)

  • If the next chunk is outside of the boundaries of the arena:

    • Error message: double free or corruption (out)

  • If the chunk is not marked as used (in the prev_inuse from the following chunk):

    • Error message: double free or corruption (!prev)

  • If the next chunk has a too little size or too big:

    • Error message: free(): invalid next size (normal)

  • If the previous chunk is not in use, it will try to consolidate. But, if the prev_size differs from the size indicated in the previous chunk:

    • Error message: corrupted size vs. prev_size while consolidating

_int_free_create_chunk

• Checks in _int_free_create_chunk:

  • Adding a chunk into the unsorted bin, check if unsorted_chunks(av)->fd->bk == unsorted_chunks(av):

    • Error message: free(): corrupted unsorted chunks

do_check_malloc_state

• Checks in do_check_malloc_state:

  • If misaligned fast bin chunk:

    • Error message: do_check_malloc_state(): unaligned fastbin chunk detected

malloc_consolidate

• Checks in malloc_consolidate:

  • If misaligned fast bin chunk:

    • Error message: malloc_consolidate(): unaligned fastbin chunk detected

  • If incorrect fast bin chunk size:

    • Error message: malloc_consolidate(): invalid chunk size

_int_realloc

• Checks in _int_realloc:

  • Size is too big or too small:

    • Error message: realloc(): invalid old size

  • Size of the next chunk is too big or too small:

    • Error message: realloc(): invalid next size