glibc 2.41 will break fastbin examples

[ngn13]

ik the repo is following the ubuntu's glibc releases, however i just wanted to give a heads-up

this patch adds tcache support to calloc, so it's no longer possible to use calloc to get into fastbin, author also explains this:

Also fix tst-safe-linking failure after enabling tcache. In previous,
calloc() is used as a way to by-pass tcache in memory allocation and
trigger safe-linking check in fastbins path. With tcache enabled, it
needs extra workarounds to bypass tcache.

so the fastbin examples that use the following technique to get into the fastbin will no longer work:

	fprintf(stderr,"Fill up tcache first.\n");

	void *ptrs[7];

	for (int i=0; i<7; i++) {
		ptrs[i] = malloc(8);
	}
	for (int i=0; i<7; i++) {
		free(ptrs[i]);
	}
        
        ...
	
        int *a = calloc(1,8);
	int *b = calloc(1,8);
	int *c = calloc(1,8);

as a, b and c will be allocated from the tcache

ofc it's still possible to get into fastbin, for example i tried fixing fastbin_dup.c:

int main() {
  setbuf(stdout, NULL);

  printf("This file demonstrates a simple double-free attack with fastbins.\n");

  printf("Allocate buffers to fill up tcache.\n");
  void *ptrs[7];

  for (int i = 0; i < 7; i++) {
    ptrs[i] = malloc(8);
  }

  printf("Allocating 3 buffers.\n");
  int *a = malloc(8);
  int *b = malloc(8);
  int *c = malloc(8);

  printf("Fill up tcache first.\n");
  for (int i = 0; i < 7; i++) {
    free(ptrs[i]);
  }

  printf("1st malloc(8): %p\n", a);
  printf("2nd malloc(8): %p\n", b);
  printf("3rd malloc(8): %p\n", c);

  printf("Freeing the first one...\n");
  free(a);

  printf("If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
  // free(a);

  printf("So, instead, we'll free %p.\n", b);
  free(b);

  printf("Now, we can free %p again, since it's not the head of the free list.\n", a);
  free(a);

  printf("In order to use the free list for allocation, we'll need to empty the tcache.\n");
  for (int i = 0; i < 7; i++) {
    ptrs[i] = malloc(8);
  }

  printf("Now the free list has [ %p, %p, %p ]. If we malloc 3 times, we'll get %p twice!\n", a, b, a, a);
  a = malloc(8);
  b = malloc(8);
  c = malloc(8);
  printf("1st malloc(8): %p\n", a);
  printf("2nd malloc(8): %p\n", b);
  printf("3rd malloc(8): %p\n", c);
}

but from an exploitation standpoint it's significantly less viable now

[Kyle-Kyle]

It is good to know that the examples will break in the next release. Thank you so much for that.
I'll leave the issue open. So when the next ubuntu release is out, I'll be able to fix the examples.

==
And yeah, it seems fastbin is less relevant in terms of exploitation now that we cannot directly access them. But they should still be in the repo for education purposes.

[dmur1]

just a note for https://github.com/shellphish/how2heap/blob/master/glibc_2.35/house_of_spirit.c i tested it under glibc_2.41 and it will work provided that single calloc at the end is changed to 8 mallocs ( as suggested by the comment )

not sure if you want to make a 2.41 version of house_of_spirit that ends in 8 mallocs or not.. but if you do it works :)

btw if you want me to make a pr for that ( if it makes sense ) then i can do so just lmk

[oliness]

just a note for https://github.com/shellphish/how2heap/blob/master/glibc_2.35/house_of_spirit.c i tested it under glibc_2.41 and it will work provided that single calloc at the end is changed to 8 mallocs ( as suggested by the comment )

not sure if you want to make a 2.41 version of house_of_spirit that ends in 8 mallocs or not.. but if you do it works :)

btw if you want me to make a pr for that ( if it makes sense ) then i can do so just lmk

Please do so would be very helpful.

[dmur1]

Please do so would be very helpful.

#207