malloc在Pwn中的角色与内部机制分析<\/h1>

1. chunk结构分析<\/h2>
glibc中的内存块(chunk)是malloc管理内存的基本单位，其结构如下：<\/p>
struct<\/span> malloc_chunk {
<\/span><\/span>  INTERNAL_SIZE_T      prev_size;  \/* 前一个chunk的大小(如果前一个chunk是空闲的) *\/<\/span>
<\/span><\/span>  INTERNAL_SIZE_T      size;       \/* 当前chunk的大小，包括头部开销 *\/<\/span>
<\/span><\/span>  struct<\/span> malloc_chunk*<\/span> fd;         \/* 仅空闲时使用 - 前向指针 *\/<\/span>
<\/span><\/span>  struct<\/span> malloc_chunk*<\/span> bk;         \/* 仅空闲时使用 - 后向指针 *\/<\/span>
<\/span><\/span>  \/* 仅大块使用: 指向下一个更大尺寸块的指针 *\/<\/span>
<\/span><\/span>  struct<\/span> malloc_chunk*<\/span> fd_nextsize; 
<\/span><\/span>  struct<\/span> malloc_chunk*<\/span> bk_nextsize;
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>关键点：<\/p>

prev_size<\/code>：前一个chunk空闲时存储其大小，否则可能被前一个chunk使用<\/li>
size<\/code>：当前chunk大小，包含头部开销，最低3位用作标志位<\/li>
fd<\/code>和bk<\/code>：空闲chunk的双向链表指针<\/li>
fd_nextsize<\/code>和bk_nextsize<\/code>：仅用于large bins的特殊指针<\/li>
<\/ul>
2. 基础概念和宏定义<\/h2>
2.1 关键宏定义<\/h3>
#define chunk2mem(p)   ((void*)((char*)(p) + 2*SIZE_SZ))     <\/span>\/\/ 从chunk指针转为用户内存指针
<\/span><\/span><\/span><\/span>#define mem2chunk(mem) ((mchunkptr)((char*)(mem) - 2*SIZE_SZ)) <\/span>\/\/ 从用户内存指针转为chunk指针
<\/span><\/span><\/span><\/span>
<\/span><\/span>#define MIN_CHUNK_SIZE (offsetof(struct malloc_chunk, fd_nextsize)) <\/span>\/\/ 最小chunk大小(64位0x20,32位0x10)
<\/span><\/span><\/span><\/span>
<\/span><\/span>#define PREV_INUSE 0x1        <\/span>\/\/ size字段的最低位，表示前一个chunk是否在使用中
<\/span><\/span><\/span><\/span>#define IS_MMAPPED 0x2        <\/span>\/\/ size字段的倒数第二位，表示chunk是否由mmap分配
<\/span><\/span><\/span><\/span>#define NON_MAIN_ARENA 0x4    <\/span>\/\/ size字段的倒数第三位，表示chunk是否不属于主arena
<\/span><\/span><\/span><\/span>
<\/span><\/span>#define SIZE_BITS (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA) <\/span>\/\/ 0x7 (0111)
<\/span><\/span><\/span><\/code><\/pre>2.2 重要操作宏<\/h3>
\/\/ 获取chunk的实际大小(清除标志位)
<\/span><\/span><\/span><\/span>#define chunksize(p) ((p)->size & ~(SIZE_BITS))
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 获取物理相邻的下一个chunk
<\/span><\/span><\/span><\/span>#define next_chunk(p) ((mchunkptr)(((char*)(p)) + chunksize(p)))
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 获取物理相邻的前一个chunk
<\/span><\/span><\/span><\/span>#define prev_chunk(p) ((mchunkptr)(((char*)(p)) - ((p)->prev_size)))
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 将请求大小转换为实际分配大小
<\/span><\/span><\/span><\/span>#define request2size(req) \
<\/span><\/span><\/span>  (((req) + SIZE_SZ + MALLOC_ALIGN_MASK < MINSIZE) ? MINSIZE : \
<\/span><\/span><\/span>   ((req) + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK)
<\/span><\/span><\/span><\/code><\/pre>3. unlink操作分析<\/h2>
unlink是malloc中最重要的操作之一，用于从双向链表中移除一个chunk：<\/p>
#define unlink(AV, P, BK, FD) {                                 \
<\/span><\/span><\/span>    FD = P->fd;                                                 \
<\/span><\/span><\/span>    BK = P->bk;                                                 \
<\/span><\/span><\/span>    if (__builtin_expect (FD->bk != P || BK->fd != P, 0))       \
<\/span><\/span><\/span>      malloc_printerr (check_action, "corrupted double-linked list", P, AV); \
<\/span><\/span><\/span>    else {                                                      \
<\/span><\/span><\/span>        FD->bk = BK;                                            \
<\/span><\/span><\/span>        BK->fd = FD;                                            \
<\/span><\/span><\/span>        if (!in_smallbin_range (P->size)                        \
<\/span><\/span><\/span>            && __builtin_expect (P->fd_nextsize != NULL, 0)) {  \
<\/span><\/span><\/span>            if (__builtin_expect (P->fd_nextsize->bk_nextsize != P, 0) \
<\/span><\/span><\/span>            || __builtin_expect (P->bk_nextsize->fd_nextsize != P, 0)) \
<\/span><\/span><\/span>              malloc_printerr (check_action,                     \
<\/span><\/span><\/span>                   "corrupted double-linked list (not small)", P, AV); \
<\/span><\/span><\/span>            if (FD->fd_nextsize == NULL) {                      \
<\/span><\/span><\/span>                if (P->fd_nextsize == P)                        \
<\/span><\/span><\/span>                  FD->fd_nextsize = FD->bk_nextsize = FD;       \
<\/span><\/span><\/span>                else {                                          \
<\/span><\/span><\/span>                    FD->fd_nextsize = P->fd_nextsize;           \
<\/span><\/span><\/span>                    FD->bk_nextsize = P->bk_nextsize;           \
<\/span><\/span><\/span>                    P->fd_nextsize->bk_nextsize = FD;           \
<\/span><\/span><\/span>                    P->bk_nextsize->fd_nextsize = FD;           \
<\/span><\/span><\/span>                }                                               \
<\/span><\/span><\/span>            } else {                                            \
<\/span><\/span><\/span>                P->fd_nextsize->bk_nextsize = P->bk_nextsize;   \
<\/span><\/span><\/span>                P->bk_nextsize->fd_nextsize = P->fd_nextsize;   \
<\/span><\/span><\/span>            }                                                   \
<\/span><\/span><\/span>        }                                                       \
<\/span><\/span><\/span>    }                                                           \
<\/span><\/span><\/span>}
<\/span><\/span><\/span><\/code><\/pre>关键点：<\/p>

安全检查：FD->bk != P || BK->fd != P<\/code>，这是unlink攻击需要绕过的关键检查<\/li>
普通链表操作：FD->bk = BK; BK->fd = FD;<\/code><\/li>
对于large bins的额外处理：涉及fd_nextsize<\/code>和bk_nextsize<\/code>指针<\/li>
<\/ol>
4. bins的分类与管理<\/h2>
glibc使用多种bins来管理不同大小的空闲chunk：<\/p>
#define NBINS             128     <\/span>\/\/ 总bin数量
<\/span><\/span><\/span><\/span>#define NSMALLBINS         64     <\/span>\/\/ small bins数量
<\/span><\/span><\/span><\/span>#define SMALLBIN_WIDTH    MALLOC_ALIGNMENT  <\/span>\/\/ small bin宽度(通常8字节)
<\/span><\/span><\/span><\/span>#define MIN_LARGE_SIZE    ((NSMALLBINS - SMALLBIN_CORRECTION) * SMALLBIN_WIDTH)
<\/span><\/span><\/span><\/code><\/pre>bin分类：<\/p>

Fast bins<\/strong>：管理小尺寸chunk(默认<64字节)，单链表，LIFO顺序<\/li>
Small bins<\/strong>：管理<512字节的chunk，双向链表，FIFO顺序<\/li>
Large bins<\/strong>：管理≥512字节的chunk，双向链表，按大小排序<\/li>
Unsorted bin<\/strong>：临时存放刚释放的chunk，双向链表<\/li>
<\/ol>
bin大小分布：<\/p>

64个8字节间隔的small bins<\/li>
32个64字节间隔的bins<\/li>
16个512字节间隔的bins<\/li>
8个4096字节间隔的bins<\/li>
4个32768字节间隔的bins<\/li>
2个262144字节间隔的bins<\/li>
1个剩余大小的bin<\/li>
<\/ul>
5. __libc_malloc函数分析<\/h2>
void<\/span> *<\/span>__libc_malloc<\/span> (size_t bytes) {
<\/span><\/span>  mstate ar_ptr;
<\/span><\/span>  void<\/span> *<\/span>victim;
<\/span><\/span>  void<\/span> *<\/span>(*<\/span>hook) (size_t, const<\/span> void<\/span> *<\/span>) =<\/span> atomic_forced_read (__malloc_hook);
<\/span><\/span>  
<\/span><\/span>  \/\/ 检查malloc_hook，这是malloc hook攻击的关键点
<\/span><\/span><\/span><\/span>  if<\/span> (__builtin_expect (hook !=<\/span> NULL, 0<\/span>))
<\/span><\/span>    return<\/span> (*<\/span>hook)(bytes, RETURN_ADDRESS (0<\/span>));
<\/span><\/span>  
<\/span><\/span>  arena_get (ar_ptr, bytes);
<\/span><\/span>  victim =<\/span> _int_malloc (ar_ptr, bytes);
<\/span><\/span>  
<\/span><\/span>  \/\/ 如果第一次分配失败，尝试其他arena
<\/span><\/span><\/span><\/span>  if<\/span> (!<\/span>victim &&<\/span> ar_ptr !=<\/span> NULL) {
<\/span><\/span>    LIBC_PROBE (memory_malloc_retry, 1<\/span>, bytes);
<\/span><\/span>    ar_ptr =<\/span> arena_get_retry (ar_ptr, bytes);
<\/span><\/span>    victim =<\/span> _int_malloc (ar_ptr, bytes);
<\/span><\/span>  }
<\/span><\/span>  
<\/span><\/span>  if<\/span> (ar_ptr !=<\/span> NULL)
<\/span><\/span>    (void<\/span>) mutex_unlock (&<\/span>ar_ptr-><\/span>mutex);
<\/span><\/span>  
<\/span><\/span>  assert (!<\/span>victim ||<\/span> chunk_is_mmapped (mem2chunk (victim)) ||<\/span>
<\/span><\/span>          ar_ptr ==<\/span> arena_for_chunk (mem2chunk (victim)));
<\/span><\/span>  return<\/span> victim;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键点：<\/p>

首先检查__malloc_hook<\/code>，若不为空则调用hook函数<\/li>
获取arena并调用_int_malloc<\/code>进行实际分配<\/li>
第一次分配失败会尝试其他arena<\/li>
<\/ol>
6. _int_malloc函数分析<\/h2>
_int_malloc<\/code>是malloc的核心实现，主要流程：<\/p>
6.1 Fast bins处理<\/h3>
if<\/span> ((unsigned<\/span> long<\/span>) (nb) <=<\/span> (unsigned<\/span> long<\/span>) (get_max_fast ())) {
<\/span><\/span>    idx =<\/span> fastbin_index (nb);
<\/span><\/span>    mfastbinptr *<\/span>fb =<\/span> &<\/span>fastbin (av, idx);
<\/span><\/span>    mchunkptr pp =<\/span> *<\/span>fb;
<\/span><\/span>    
<\/span><\/span>    \/\/ 从fast bin中取出chunk
<\/span><\/span><\/span><\/span>    do<\/span> {
<\/span><\/span>      victim =<\/span> pp;
<\/span><\/span>      if<\/span> (victim ==<\/span> NULL)
<\/span><\/span>        break<\/span>;
<\/span><\/span>    } while<\/span> ((pp =<\/span> catomic_compare_and_exchange_val_acq (fb, victim-><\/span>fd, victim))
<\/span><\/span>             !=<\/span> victim);
<\/span><\/span>    
<\/span><\/span>    if<\/span> (victim !=<\/span> 0<\/span>) {
<\/span><\/span>      \/\/ 安全检查：确保取出的chunk大小与bin匹配
<\/span><\/span><\/span><\/span>      if<\/span> (__builtin_expect (fastbin_index (chunksize (victim)) !=<\/span> idx, 0<\/span>)) {
<\/span><\/span>        errstr =<\/span> "malloc(): memory corruption (fast)"<\/span>;
<\/span><\/span>        goto<\/span> errout;
<\/span><\/span>      }
<\/span><\/span>      check_remalloced_chunk (av, victim, nb);
<\/span><\/span>      void<\/span> *<\/span>p =<\/span> chunk2mem (victim);
<\/span><\/span>      alloc_perturb (p, bytes);
<\/span><\/span>      return<\/span> p;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6.2 Small bins处理<\/h3>
if<\/span> (in_smallbin_range (nb)) {
<\/span><\/span>    idx =<\/span> smallbin_index (nb);
<\/span><\/span>    bin =<\/span> bin_at (av, idx);
<\/span><\/span>    
<\/span><\/span>    if<\/span> ((victim =<\/span> last (bin)) !=<\/span> bin) {
<\/span><\/span>      if<\/span> (victim ==<\/span> 0<\/span>) \/* initialization check *\/<\/span>
<\/span><\/span>        malloc_consolidate (av);
<\/span><\/span>      else<\/span> {
<\/span><\/span>        bck =<\/span> victim-><\/span>bk;
<\/span><\/span>        \/\/ 安全检查：检查small bin链表完整性
<\/span><\/span><\/span><\/span>        if<\/span> (__glibc_unlikely (bck-><\/span>fd !=<\/span> victim)) {
<\/span><\/span>          errstr =<\/span> "malloc(): smallbin double linked list corrupted"<\/span>;
<\/span><\/span>          goto<\/span> errout;
<\/span><\/span>        }
<\/span><\/span>        set_inuse_bit_at_offset (victim, nb);
<\/span><\/span>        bin-><\/span>bk =<\/span> bck;
<\/span><\/span>        bck-><\/span>fd =<\/span> bin;
<\/span><\/span>        
<\/span><\/span>        if<\/span> (av !=<\/span> &<\/span>main_arena)
<\/span><\/span>          victim-><\/span>size |=<\/span> NON_MAIN_ARENA;
<\/span><\/span>        check_malloced_chunk (av, victim, nb);
<\/span><\/span>        void<\/span> *<\/span>p =<\/span> chunk2mem (victim);
<\/span><\/span>        alloc_perturb (p, bytes);
<\/span><\/span>        return<\/span> p;
<\/span><\/span>      }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6.3 Large bins处理<\/h3>
else<\/span> {
<\/span><\/span>    idx =<\/span> largebin_index (nb);
<\/span><\/span>    if<\/span> (have_fastchunks (av))
<\/span><\/span>      malloc_consolidate (av);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>对于large bins，会先合并fast bins中的chunk到unsorted bin，然后进行更复杂的查找和分割操作。<\/p>
7. 安全机制与常见攻击面<\/h2>

Unlink攻击<\/strong>：需要绕过FD->bk == P && BK->fd == P<\/code>检查<\/li>
Fastbin Attack<\/strong>：利用fast bin的单链表特性进行攻击<\/li>
Unsorted bin Attack<\/strong>：通过修改unsorted bin中的chunk实现任意地址写<\/li>
House of系列攻击<\/strong>：如House of Spirit、House of Force等<\/li>
malloc_hook劫持<\/strong>：通过覆盖__malloc_hook<\/code>控制程序流<\/li>
<\/ol>
8. 总结<\/h2>
理解malloc的内部机制对于二进制安全研究至关重要，特别是在堆漏洞利用方面。关键点包括：<\/p>

chunk结构及其元数据含义<\/li>
各种bins的管理方式和分配策略<\/li>
unlink操作及其安全检查<\/li>
malloc的核心分配流程<\/li>
各种安全机制和对应的绕过方法<\/li>
<\/ul>
通过深入分析malloc源码，可以更好地理解堆漏洞的成因和利用方式，为Pwn中的堆利用打下坚实基础。<\/p>
malloc在Pwn中的角色与内部机制分析<\/h1>

2. 基础概念和宏定义<\/h2>

6. _int_malloc函数分析<\/h2> _int_malloc<\/code>是malloc的核心实现，主要流程：<\/p>

6. _int_malloc函数分析<\/h2>
`_int_malloc<\/code>是malloc的核心实现，主要流程：<\/p>`
