Extra Exploitation Technique: Implicit Malloc and Free in glibc


In the Heap Exploitation post on House of Orange, we introduced an implicit free inside the allocation procedure. In this post I want to record the implicit malloc/free calls that are encountered inside glibc functions. As a start, I will cover the implicit malloc/free in the printf function; in future I may add other functions that I come across in CTF challenges.
The glibc version used for testing may differ from function to function; the version is given in each part.

Function printf

Source Code Review

Implicit Malloc in vfprintf

    /* Width handling in vfprintf: a field wider than the stack work buffer
       needs a larger buffer, taken from the stack if small enough and from
       the heap otherwise.  */
    if (width >= WORK_BUFFER_SIZE - 32)
      {
        /* We have to use a special buffer.  The "32" is just a safe
           bet for all the output which is not counted in the width.  */
        size_t needed = ((size_t) width + 32) * sizeof (CHAR_T);
        if (__libc_use_alloca (needed))
          workend = (CHAR_T *) alloca (needed) + width + 32;
        else
          {
            workstart = (CHAR_T *) malloc (needed);
            if (workstart == NULL)
              {
                done = -1;
                goto all_done;
              }
            workend = workstart + width + 32;
          }
      }

Implicit Free in vfprintf

  if (__glibc_unlikely (workstart != NULL))
    free (workstart);
  /* Unlock the stream.  */
  _IO_funlockfile (s);
  _IO_cleanup_region_end (0);
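As an added illustration, not code from the original post, the following program counts the allocations made by a single snprintf call by interposing malloc and free in the executable and forwarding them to glibc's exported __libc_malloc/__libc_free (assumption: a dynamically linked glibc; snprintf is used instead of printf so no stdio buffer allocation muddies the count). On a glibc that still carries the branch quoted above, a width of 100000 reports one malloc and one free because 100032 bytes exceeds the 64 KiB cutoff checked by __libc_use_alloca, while a width of 10 stays in the stack work buffer and reports none; newer releases that have reworked vfprintf may report zero for both.

```c
#include <stdio.h>
#include <stddef.h>
/* glibc's real allocator entry points (assumption: dynamically linked glibc). */
extern void *__libc_malloc(size_t size);
extern void __libc_free(void *ptr);

static unsigned long malloc_calls, free_calls;

/* Defining malloc/free in the executable interposes them for glibc's own
   internal callers as well, including the malloc inside vfprintf. */
void *malloc(size_t size)
{
    malloc_calls++;
    return __libc_malloc(size);
}

void free(void *ptr)
{
    if (ptr != NULL) free_calls++;
    __libc_free(ptr);
}

struct alloc_delta { unsigned long mallocs, frees; };

/* Format one integer at the requested field width and report how many
   malloc/free calls happened inside that single snprintf.  The output buffer
   is tiny on purpose: vfprintf decides on the work-buffer allocation while
   parsing the width, before any output is written. */
struct alloc_delta count_printf_allocs(int width)
{
    static int warmed_up;
    char out[64];
    if (!warmed_up) {           /* absorb any one-time lazy initialisation */
        snprintf(out, sizeof out, "%d", 0);
        warmed_up = 1;
    }
    unsigned long m0 = malloc_calls, f0 = free_calls;
    snprintf(out, sizeof out, "%*d", width, 0);
    struct alloc_delta d = { malloc_calls - m0, free_calls - f0 };
    return d;
}

int main(void)
{
    /* 100000 + 32 bytes exceeds the 64 KiB __libc_use_alloca cutoff. */
    int widths[] = { 10, 100000 };
    for (size_t i = 0; i < 2; i++) {
        struct alloc_delta d = count_printf_allocs(widths[i]);
        printf("width %6d: %lu malloc, %lu free\n", widths[i], d.mallocs, d.frees);
    }
    return 0;
}
```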


