fix: remove misleading unnecessary bypass/comments on fake_chunk fields in House of Einherjar <2.26 #217
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The `P->bk->size == P->prev_size` check in unlink() was introduced in GLIBC 2.26 and does not exist in the implementations of GLIBC 2.23 or 2.24. Therefore, fake_chunk[0] and fake_chunk[1] do not need to be equal in these versions. The original note explicitly stated that they should be equal, which could be misleading in many situations.
fake_chunk->size is not used in computing its value after backward consolidation. It is actually overwritten by b->size + b->prev_size. The original comment stated that fake_chunk->size must be in the smallbins range, which is incorrect.
Contributor
|
I guess the inconsistency was there for historical reasons (the repo's was meant for 2.26 before). And I'm glad that you figured it out and fixed the issue. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There were two prerequisites mentioned for House of Einherjar 2.23 & 2.24, which I believe are incorrect assumptions:
The comment HERE explicitly states that
fake_chunk->prev_sizeandfake_chunk->sizeshould be equal, which is not necessary, until GLIBC 2.26. This could be misleading, since in many cases one might be incapable of setting these two fields, which is totally fine because they play no role during exploit's run.The comment HERE also explicitly states that size of fake chunk should be in smallbins range, which is misleading because
fake_chunk->sizeplays no role during backward consolidation, and is overwritten byb->size + b->prev_size.I've covered these two fixes for both 2.23 & 2.24 in two commits (Each for one problem).