malloc question - what happens when chunk gets free?

zerro_at_software.com.pl
Date: 04/27/04


Date: Tue, 27 Apr 2004 09:00:42 +0000 (UTC)

Hello,

I am trying to understand heap overflows (under Linux), but cannot understand one
thing about freeing memory allocated with malloc(). Here it comes:

I have a program called 1.c:
#include <stdlib.h>   /* malloc, free */
#include <string.h>   /* strcpy */

int main(void) {
  char *a, *b, *c;
  a = malloc(8);
  b = malloc(8);
  c = malloc(8);
  strcpy(a, "AAA");
  strcpy(b, "BBB");
  strcpy(c, "CCC");
  free(c);
  free(b);
  free(a);
  return 0;
}

Well, quite simple. Now I compile it:
[piotr::18:46:23]$ gcc 1.c -o 1 -ggdb

And run it under the debugger:
[piotr::18:49:31]$ gdb 1
GNU gdb 6.0-debian
(...)
(gdb) l
(...)
7 strcpy(b, "BBB");
8 strcpy(c, "CCC");
9 free(c);
10 free(b);
(gdb) b 9
Breakpoint 1 at 0x804843a: file 1.c, line 9.
(gdb) r
Starting program:
/home/piotr/kieszen/in/warsztaty_linux/heap_overflow/robo/1/1
Breakpoint 1, main () at 1.c:9
9 free(c);
Ok, memory should be allocated and filled... Let's examine it:
(gdb) x/12 a-8
0x80496d8: 0x00000000 0x00000011 0x00414141 0x00000000
0x80496e8: 0x00000000 0x00000011 0x00424242 0x00000000
0x80496f8: 0x00000000 0x00000011 0x00434343 0x00000000
Seems that 0x11 is information about the chunk of memory... Bit "1" is
set because the previous chunk is in use. Let's see what happens when it's
freed.

I skip three lines in the debugger...
(gdb) n
10 free(b);
(gdb) n
11 free(a);
(gdb) n
12 }

Now let's look at the same location in memory after it's freed.
(gdb) x/12 a-8
0x80496d8: 0x00000000 0x00000011 0x080496e8 0x00000000
0x80496e8: 0x00000000 0x00000011 0x080496f8 0x00000000
0x80496f8: 0x00000000 0x00000011 0x00000000 0x00000000
Ey, what's up?! Bit "1" is still set, even though the chunks have been
freed?!

Do you know how this is? I even read the sources of malloc.c and tried to look
at malloc.c under the debugger, but it seems that the line that should set that bit
to "0" is just skipped... Maybe some of you have more experience with
it?

-- 
zerro - root@[127.0.0.1]
Text gallery - read and comment on others' texts, show yours to others.
http://www.rozrywka.jawsieci.pl/galeria_tekstow/
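An added example, not code from the original post, that decodes what the two dumps above contain. In glibc's ptmalloc2 a 16-byte chunk is "fastbin"-sized: free() pushes it onto a singly linked fastbin list, writes the fd link over the first user word (the 0x080496e8, 0x080496f8 and 0x00000000 values in the second dump, pointing at the next chunk's header), and deliberately leaves the next chunk's PREV_INUSE bit set so the allocator never tries to coalesce these chunks. Only a free that takes the normal (non-fastbin) path clears that bit and fills in prev_size, which is why the bit-clearing line appears to be "skipped" in the debugger. The program below takes the header layout (prev_size word, size word with flag bits in the low three bits, then user data) and the addresses from the post's dump as its assumptions; the live probe at the end re-runs the post's experiment against whatever glibc it is built with (modern glibc uses a tcache list for these sizes, which keeps the bit set in the same way) and reports -1 on a non-glibc libc, where the header layout differs.

```c
/* Added example: decode glibc (ptmalloc2) malloc chunk headers, walk the
 * fastbin links visible in the post's dump, and re-run the post's experiment
 * on the running libc. Assumes glibc's chunk layout: prev_size and size words
 * of sizeof(size_t) bytes, user pointer right after them, low three bits of
 * size are flags (bit 0 = PREV_INUSE). Addresses are the ones from the post. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

#define PREV_INUSE     0x1
#define IS_MMAPPED     0x2
#define NON_MAIN_ARENA 0x4
#define SIZE_BITS (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

/* Chunk size with the flag bits stripped: 0x11 -> 16. */
size_t chunk_size(size_t size_word) { return size_word & ~(size_t)SIZE_BITS; }

/* PREV_INUSE flag of a size word: 0x11 -> 1, 0x10 -> 0. */
int prev_inuse(size_t size_word) { return (int)(size_word & PREV_INUSE); }

/* Size word the allocator stores for a chunk: 16 bytes with the
 * predecessor in use gives 0x11, exactly what the post's dump shows. */
size_t make_size_word(size_t chunk_bytes, int prev_in_use) {
    return (chunk_bytes & ~(size_t)SIZE_BITS) | (prev_in_use ? PREV_INUSE : 0);
}

/* One freed chunk as it appears in the post's second dump: the chunk (header)
 * address and the first user word, which a fastbin free overwrites with the
 * fd link to the next chunk's header. */
typedef struct { uint32_t chunk; uint32_t fd; } dumped_chunk;

/* Constructed from the post's dump (32-bit addresses, header = user - 8). */
static const dumped_chunk post_dump[3] = {
    { 0x080496d8, 0x080496e8 },  /* a: fd -> b's chunk header */
    { 0x080496e8, 0x080496f8 },  /* b: fd -> c's chunk header */
    { 0x080496f8, 0x00000000 },  /* c: fd = NULL, end of list   */
};

/* Follow fd links from `head`, storing visited chunk addresses in `order`;
 * returns how many chunks were reached before NULL or an unknown address.
 * Starting at a's chunk yields a, b, c: the reverse of the free order
 * c, b, a, i.e. a LIFO singly linked list. */
int walk_fastbin(const dumped_chunk *chunks, int n, uint32_t head,
                 uint32_t *order, int max) {
    int count = 0;
    uint32_t cur = head;
    while (cur != 0 && count < max) {
        const dumped_chunk *found = NULL;
        for (int i = 0; i < n; i++)
            if (chunks[i].chunk == cur) { found = &chunks[i]; break; }
        if (!found) break;               /* link points outside the dump */
        order[count++] = cur;
        cur = found->fd;
    }
    return count;
}

/* Size word at a header address. Volatile so the read really happens. */
size_t size_word_at(uintptr_t header_addr) {
    return *(const volatile size_t *)header_addr;
}

/* Re-run the post's experiment on the running libc: three small chunks, freed
 * in reverse order. Returns 1 if all three still have PREV_INUSE set after
 * free (fastbin/tcache frees do not clear it), 0 if some header lost the bit,
 * -1 when not built against glibc. Header addresses are kept as integers so
 * the probe does not dereference a freed pointer; glibc leaves the size word
 * intact on free and writes its list link only into the user area. */
int probe_prev_inuse_after_free(void) {
#ifndef __GLIBC__
    return -1;
#else
    char *p[3];
    uintptr_t hdr[3];
    for (int i = 0; i < 3; i++) {
        if (!(p[i] = malloc(8))) return 0;
        hdr[i] = (uintptr_t)p[i] - sizeof(size_t);   /* size word precedes user data */
    }
    strcpy(p[0], "AAA"); strcpy(p[1], "BBB"); strcpy(p[2], "CCC");
    int ok = 1;
    for (int i = 0; i < 3; i++) ok &= prev_inuse(size_word_at(hdr[i]));
    for (int i = 2; i >= 0; i--) free(p[i]);          /* same order as the post */
    for (int i = 0; i < 3; i++) ok &= prev_inuse(size_word_at(hdr[i]));
    return ok;
#endif
}

int main(void) {
    uint32_t order[3];
    int n = walk_fastbin(post_dump, 3, post_dump[0].chunk, order, 3);
    printf("size word 0x11: chunk size %zu, PREV_INUSE %d\n",
           chunk_size(0x11), prev_inuse(0x11));
    for (int i = 0; i < n; i++) printf("fastbin[%d] = 0x%08x\n", i, order[i]);
    printf("PREV_INUSE kept after free on this libc: %d\n",
           probe_prev_inuse_after_free());
    return 0;
}
```

The walk explains the second dump directly: the first user word of each freed chunk points at the header of the chunk freed just before it, so the list head (a, freed last) leads to b and then c, and c ends the list with NULL. The bit the post was looking for is only cleared by the coalescing path, which these chunk sizes never take.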

