Extra Exploitation Technique: Implicit Malloc and Free in glibc

Introduction

In the Heap Exploitation on House of Orange, we introduce an implicit free in the allocation procedure. In this post, I hope to record the implicit malloc/free met in the function of glibc. As a start, I will introduce the implicit malloc/free in printf function. In future, I may update other functions that I come across in CTF challenges.
The version of glibc used for testing may be different on different functions. The version of glibc will be given in each part.
(*)vfprintf

Function printf

Source Code Review

Implicit Malloc in vfprintf

if (width >= WORK_BUFFER_SIZE - 32)
{
     /* We have to use a special buffer.  The "32" is just a safe
        bet for all the output which is not counted in the width.  */
     size_t needed = ((size_t) width + 32) * sizeof (CHAR_T);
     if (__libc_use_alloca (needed))
         workend = (CHAR_T *) alloca (needed) + width + 32;
     else
     {
         workstart = (CHAR_T *) malloc (needed);
         if (workstart == NULL)
         {
             done = -1;
             goto all_done;
         }
         workend = workstart + width + 32;
     }
}

Implicit Free in vfprintf

all_done:
  if (__glibc_unlikely (workstart != NULL))
    free (workstart);
  /* Unlock the stream.  */
  _IO_funlockfile (s);
  _IO_cleanup_region_end (0);

Reference

[1] http://blog.dragonsector.pl/2017/03/0ctf-2017-easiestprintf-pwn-150.html

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s