Understanding glibc malloc – sploitF-U-N
https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/
sploitfun@sploitfun-VirtualBox:~/ptmalloc.ppt/mthread$ ./mthread
Welcome to per thread arena example::6501
Before malloc in main thread
After malloc and before free in main thread
After free in main thread
Before malloc in thread 1
...
sploitfun@sploitfun-VirtualBox:~/ptmalloc.ppt/mthread$ cat /proc/6501/maps
08048000-08049000 r-xp 00000000 08:01 539625 /home/sploitfun/ptmalloc.ppt/mthread/mthread
08049000-0804a000 r--p 00000000 08:01 539625 /home/sploitfun/ptmalloc.ppt/mthread/mthread
0804a000-0804b000 rw-p 00001000 08:01 539625 /home/sploitfun/ptmalloc.ppt/mthread/mthread
0804b000-0806c000 rw-p 00000000 00:00 0 [heap]
b7604000-b7605000 ---p 00000000 00:00 0
b7605000-b7e07000 rw-p 00000000 00:00 0 [stack:6594]
...
sploitfun@sploitfun-VirtualBox:~/ptmalloc.ppt/mthread$
After malloc in thread1: In the below output we can see that thread1's heap segment is created, and that it lies in the memory mapping segment region
(b7500000-b7521000, whose size is 132 KB). This shows that the heap memory is created using the mmap
(https://github.com/sploitfun/lsploits/blob/master/glibc/malloc/arena.c#L546)
syscall, unlike the main thread (which uses sbrk). Again, even though the user requested only 1000 bytes, heap memory of size 1 MB
(https://github.com/sploitfun/lsploits/blob/master/glibc/malloc/arena.c#L546) is mapped into the process address space. Out of this 1 MB, read-write permission is set only for 132 KB
(https://github.com/sploitfun/lsploits/blob/master/glibc/malloc/arena.c#L573), and this becomes the heap memory for this
thread. This contiguous region of memory (132 KB) is called the thread arena (https://github.com/sploitfun/lsploits/blob/master/glibc/malloc/arena.c#L736).
NOTE: When the user request size is more than 128 KB (let's say malloc(132*1024)) and there is not enough space in an arena to satisfy the request,
memory is allocated using the mmap syscall (and NOT sbrk), irrespective of whether the request is made from the main arena or a thread arena.
sploitfun@sploitfun-VirtualBox:~/ptmalloc.ppt/mthread$ ./mthread
Welcome to per thread arena example::6501
Before malloc in main thread
After malloc and before free in main thread
After free in main thread
Before malloc in thread 1
After malloc and before free in thread 1
...
sploitfun@sploitfun-VirtualBox:~/ptmalloc.ppt/mthread$ cat /proc/6501/maps
08048000-08049000 r-xp 00000000 08:01 539625 /home/sploitfun/ptmalloc.ppt/mthread/mthread
08049000-0804a000 r--p 00000000 08:01 539625 /home/sploitfun/ptmalloc.ppt/mthread/mthread
0804a000-0804b000 rw-p 00001000 08:01 539625 /home/sploitfun/ptmalloc.ppt/mthread/mthread
0804b000-0806c000 rw-p 00000000 00:00 0 [heap]
b7500000-b7521000 rw-p 00000000 00:00 0
b7521000-b7600000 ---p 00000000 00:00 0
b7604000-b7605000 ---p 00000000 00:00 0
b7605000-b7e07000 rw-p 00000000 00:00 0 [stack:6594]
...
sploitfun@sploitfun-VirtualBox:~/ptmalloc.ppt/mthread$
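As an added example (my code, not from the original post), the following C program repeats the experiment above programmatically on Linux/glibc: it allocates 1000 bytes from the main thread and from a new thread, then looks up the /proc/self/maps entry that holds each chunk. The main thread's chunk lands in [heap] (sbrk), the thread's in an anonymous rw-p mapping (the mmap'd thread arena); on 64-bit builds the reserved and read-write sizes differ from the 32-bit figures shown above, so the program prints them rather than assuming 1 MB / 132 KB. Function and variable names are my own.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One /proc/self/maps entry: address range, permissions, optional name. */
struct region { unsigned long start, end; char perms[5]; char name[64]; };

/* Find the mapping that contains addr; returns 1 on success, 0 if none. */
int find_region(const void *addr, struct region *out) {
    FILE *f = fopen("/proc/self/maps", "r");
    unsigned long a = (unsigned long)addr;
    char line[512];
    int found = 0;
    if (!f) return 0;
    while (!found && fgets(line, sizeof line, f)) {
        struct region r = {0};
        /* fields: start-end perms offset dev inode [pathname] */
        if (sscanf(line, "%lx-%lx %4s %*s %*s %*s %63s",
                   &r.start, &r.end, r.perms, r.name) < 3) continue;
        if (a >= r.start && a < r.end) { *out = r; found = 1; }
    }
    fclose(f);
    return found;
}

/* Thread body: request 1000 bytes (as in the post) and record its mapping. */
static void *thread_body(void *arg) {
    struct region *r = arg;
    void *p = malloc(1000);
    if (!p || !find_region(p, r)) r->end = 0;
    return NULL;          /* chunk stays allocated; the arena stays mapped */
}

/* Returns 1 when the thread's chunk sits in an anonymous rw mapping (the
   mmap'd thread arena) while the main thread's chunk sits in [heap] (sbrk);
   0 when the layout differs; -1 on error. */
int thread_chunk_outside_main_heap(void) {
    struct region mr, tr = {0};
    pthread_t t;
    void *p = malloc(1000);
    if (!p || !find_region(p, &mr)) return -1;
    if (pthread_create(&t, NULL, thread_body, &tr) != 0) return -1;
    pthread_join(t, NULL);
    if (tr.end == 0) return -1;
    printf("main   chunk %p -> %lx-%lx %s %s\n", p, mr.start, mr.end, mr.perms, mr.name);
    printf("thread chunk    -> %lx-%lx %s %s (%lu KB rw)\n",
           tr.start, tr.end, tr.perms, tr.name, (tr.end - tr.start) / 1024);
    return strcmp(mr.name, "[heap]") == 0 && tr.name[0] == '\0' && tr.perms[1] == 'w';
}
int main(void) { return thread_chunk_outside_main_heap() == 1 ? 0 : 1; }
```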
After free in thread1: In the below output we can see that freeing the allocated memory region doesn't release heap memory to the operating system.
Instead, the allocated memory region (of size 1000 bytes) is released (https://github.com/sploitfun/lsploits/blob/master/glibc/malloc/malloc.c#L4017) to 'glibc
malloc', which adds this freed block to its thread arena's bin.