fabian specht's website

PTMALLOC2

malloc_chunk structure

struct malloc_chunk {
    INTERNAL_SIZE_T mchunk_prev_size;  /* Size of previous chunk (if free).  */
    INTERNAL_SIZE_T mchunk_size;       /* Size in bytes, including overhead. */
  
    struct malloc_chunk* fd;         /* double links -- used only if free. */
    struct malloc_chunk* bk;
  
    /* Only used for large blocks: pointer to next larger size.  */
    struct malloc_chunk* fd_nextsize; /* double links -- used only if free. */
    struct malloc_chunk* bk_nextsize;
};

mchunk_size lower three bits are A | M | P

NON_MAIN_ARENA:
Is the chunk part of the main heap or not?

IS_MMAPPED
Is the chunk allocated using mmap? Relevant for deallocation

PREV_INUSE
Is the chunk currently in use? Relevant during free of the prev chunk when chunks are combined

Top Chunk

Top chunk (aka wilderness): represents the end of available memory and is not allocated. PREV_INUSE is always set. Top chunk can be enlarged using sbrk().

Bins

ptmalloc introduces bins to cache chunks of memory for improved performance. When a chunk is freed, a pointer to it is cached in these bins. Also reduces fragmentation.

fastbin
- Collection of 10 singly linked LIFO lists from size 0x20 to 0x80 on 64bit
- All entries in a bin have the same size
- PREV_INUSE is always set to prevent the chunks from being consolidated
- Use malloc_consolidate to explicitly release all chunks from the fastbin and merge them with adjacent chunks. This function is called when an allocation larger than FASTBIN_CONSOLIDATION_THRESHOLD is made OR if an allocation is too large to be satisfied using the fastbin and smallbin
- SECURITY MEASURES:
  - malloc:
    - alloc_size == stored_size
  - free:
    - valid stored size
    - addr != top
    - valid next size
    - addr != head

smallbin
- Collection of 62 doubly linked FIFO bins with sizes ranging from 0x80 to 0x400 on 64bit
- All entries in a bin have the same size
- SECURITY MEASURES:
  - malloc:
    - bk.fd == addr
  - free:
    - valid stored size
    - addr != top
    - chunk is in-use
    - unsorted head in valid

largebin
- Collection of 63 doubly linked FIFO bins with sizes ranging from 0x400 to 0x20000 on 64bit
- NOT all entries in a bin have the same size, they are approx. logarithmically grouped by ranges
- If an allocation exeeds the largebins capabilities, the memory allocator will use mmap
- largebin uses fd_nextsize and bk_nextsize
- SECURITY MEASURES:

tcache
- Collections of singly linked lists for all size ranging from 0x20 to 0x80
- All bins have a capacity of only 7 with all entries of the same size
- Exist per-thread, thus circumventing any performance problems regarding locks for multithreading
- glibc will the bk field to store tcache key to detect double-frees
- SECURITY MEASURES:
  - lree:
    - valid stored size
    - key/bk != tcache_key || chunk not in tcache list

unsorted chunks
- Doubly linked list holding free chunks of any size
- Every chunk has to go through the unsorted bin to get into the normal bins. When chunks are freed and too large for tcache or fastbin, glibc will place the chunk in the unsorted bin. It holds the chunk until the next allocation request occurs, when the memory allocator will check for a perfect match in size.
- If the requested size is smaller than the chunk in to unsorted bin, the chunk is split and with the remainder remaining in the unsorted bin. Otherwise, the chunk will land in the normal bins.
- SECURITY MEASURES:

Hooks

Until versions < 2.34, glibc included several hooks in the from of global variables, which if set, would be called instead of the original function:

__malloc_hook/ __free_hook / __realloc_hook
__memalign_hook will be called if set upon a call of aligned_alloc(), memalign(), posix_memalign() or valloc()
__after_morecore_hook will be called if set after more memory has been requested from the kernel using sbrk
__malloc_initialize_hook is called if set after glibc's malloc implementation is initialized
_dl_open_hook called upon abort in glibc

Common attacks

Leaking Libc Address

Unsortedbin attack