fix: add capability to glibc heap commands for bruteforcing the main_arena #932
Conversation
FYI: This PR is still a work-in-progress but because I didn't have a lot of time to work on it lately I wanted to put it out there so others can take a look. On my amd64 machine two of the tests are still failing:
Also I have not yet added tests for the PR:
EDIT:
The bruteforce method explained in the linked issue assumes an alignment of For testing I used Currently, I try to check if there are multiple possible candidates for the Using the early exit approach, finding the EDIT: Also, the bruteforcing is only used in case the
I now added two new configuration options:
I also changed the algorithm to exit on the first main_arena candidate for now - but I can easily revert that change if other people have other opinions about this.
I am not quite sure how to write additional tests that test the changes because our CI's glibc versions are smaller than 2.34 and thereby the whole bruteforce thing is not necessary. Any suggestions?
For testing on powerpc (ppc64el) I used qemu-system-ppc64 with a Debian 11 Bullseye image (4G memory). Here is a list of unrelated tests that failed on ppc64:
- tests/commands/format_string_helper.py::FormatStringHelperCommand::test_cmd_format_string_helper
- tests/commands/heap_analysis.py::HeapAnalysisCommand::test_cmd_heap_analysis
- tests/commands/pcustom.py::PcustomCommand::test_cmd_pcustom_show
- tests/config/__init__.py::TestGefConfigUnit::test_config_show_opcodes_size
- tests/functions/elf_sections.py::ElfSectionGdbFunction::test_func_got
some minor stuff to change (from me and graz) but I think we can roll it
gef.py (Outdated)

    if self.ar_ptr - self.address < 0x60:
        # special case: first heap of non-main-arena
        arena = GlibcArena(f"*{self.ar_ptr:#x}")
        return arena.heap_addr()
type

Suggested change:
-        return arena.heap_addr()
+        return arena.heap_addr() or 0
I have fixed all suggestions, apart from the caching of
Description/Motivation/Screenshots

Fixes #927 by adding the capability of bruteforcing the `main_arena` from the `.data` section of the glibc if all other methods (finding symbols and offset to `__malloc_hook`) fail.

EDIT: Also, the PR fixes a regression error we had in which `heap chunks` only ever displays the same chunks from the main_arena for every arena in the binary. To fix this I also had to fix and extend the `GlibcHeapInfo` struct. A test to make sure that each arena has distinct chunks is included.

Against which architecture was this tested?
Checklist

- `dev` branch, not `main`.
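The following is an added illustration of the kind of scan the PR description talks about (locating `main_arena` in glibc's `.data` when no symbol and no `__malloc_hook` offset is available); it is not GEF's code and not the method from the linked issue. It assumes the x86-64 `struct malloc_state` field offsets of glibc 2.26+ (`top` at 96, `next` at 2160, `system_mem` at 2184, `max_system_mem` at 2192, 2200 bytes total), a single-arena process (so `main_arena.next` points back at `main_arena`), known heap bounds, and a constructed in-memory copy of a `.data` region instead of a live debuggee. The `early_exit` flag mirrors the "exit on the first candidate" behaviour discussed above; with it disabled the scan reports every candidate so a tool can warn when the match is ambiguous.

```python
import struct
from dataclasses import dataclass
from typing import List

# Assumed struct malloc_state layout for x86-64 glibc 2.26+ (byte offsets).
# These numbers are this example's assumption, not taken from the PR.
PTR_SIZE = 8
OFF_TOP = 96
OFF_NEXT = 2160
OFF_SYSTEM_MEM = 2184
OFF_MAX_SYSTEM_MEM = 2192
ARENA_SIZE = 2200


@dataclass
class Region:
    """A copy of a mapped region: its load address and raw bytes."""
    base: int
    data: bytes

    def read_ptr(self, addr: int) -> int:
        return struct.unpack_from("<Q", self.data, addr - self.base)[0]


def looks_like_main_arena(region: Region, addr: int, heap_start: int, heap_end: int) -> bool:
    """Heuristic check (assumption, not glibc's or GEF's logic) for a malloc_state at addr."""
    if addr + ARENA_SIZE > region.base + len(region.data):
        return False
    top = region.read_ptr(addr + OFF_TOP)
    nxt = region.read_ptr(addr + OFF_NEXT)
    system_mem = region.read_ptr(addr + OFF_SYSTEM_MEM)
    max_system_mem = region.read_ptr(addr + OFF_MAX_SYSTEM_MEM)
    if nxt != addr:                       # single-arena process: next == &main_arena
        return False
    if not (heap_start <= top < heap_end):  # top chunk must live inside the heap
        return False
    if system_mem == 0 or system_mem > max_system_mem:
        return False
    if system_mem > heap_end - heap_start:  # cannot have more memory than is mapped
        return False
    return True


def bruteforce_main_arena(region: Region, heap_start: int, heap_end: int,
                          early_exit: bool = True, alignment: int = PTR_SIZE) -> List[int]:
    """Scan region at the given alignment and return candidate main_arena addresses."""
    hits: List[int] = []
    last = region.base + len(region.data) - ARENA_SIZE
    for addr in range(region.base, last + 1, alignment):
        if looks_like_main_arena(region, addr, heap_start, heap_end):
            hits.append(addr)
            if early_exit:
                break
    return hits


def build_sample_data_section():
    """Constructed sample: a fake .data region with one real-looking arena and two decoys."""
    base = 0x7F0000200000            # constructed load address of libc's .data
    heap_start = 0x555555559000      # constructed [heap] bounds
    heap_end = heap_start + 0x21000
    data = bytearray(0x3000)

    def put(addr: int, value: int) -> None:
        struct.pack_into("<Q", data, addr - base, value)

    # Decoy 1: self-referencing pointer but top outside the heap.
    decoy1 = base + 0x400
    put(decoy1 + OFF_NEXT, decoy1)
    put(decoy1 + OFF_TOP, 0x1234)
    put(decoy1 + OFF_SYSTEM_MEM, 0x21000)
    put(decoy1 + OFF_MAX_SYSTEM_MEM, 0x21000)

    # Decoy 2: plausible top, but system_mem is zero.
    decoy2 = base + 0x1000
    put(decoy2 + OFF_NEXT, decoy2)
    put(decoy2 + OFF_TOP, heap_start + 0x100)

    # The arena we expect the scan to find.
    arena = base + 0x1C80
    put(arena + OFF_NEXT, arena)
    put(arena + OFF_TOP, heap_start + 0x12A0)
    put(arena + OFF_SYSTEM_MEM, 0x21000)
    put(arena + OFF_MAX_SYSTEM_MEM, 0x21000)

    return Region(base, bytes(data)), heap_start, heap_end, arena


if __name__ == "__main__":
    region, hs, he, expected = build_sample_data_section()
    found = bruteforce_main_arena(region, hs, he, early_exit=False)
    print([hex(a) for a in found], "expected", hex(expected))
```

In a real debugger session the region bytes would come from the debuggee and the heap bounds from its mappings; the point of the decoys is that a pointer-alignment scan alone produces false positives, so each field check above removes one class of them, and running with `early_exit=False` is the way to confirm the result is unique before trusting it.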