浅析tcache bin的前世今生

浅析tcache bin的前世今生

tcache的传奇一生

周一 9月 01 2025
1955 字 · 16 分钟
Pwn heap tcache

前言

本文重点关注两个方面,tcache的取和放,意在帮助自己更加深入理解各个版本的tcache的行为,提高ctf做题能力。

tcahe的分水岭

2.26 tcache出现 2.28 _int_free引入key防止双重释放 2.32 PROTECT_PTR的引入 2.34 使得key随机生成,而非tcache_perthread_struct的地址

tcache机制的演变以及对应的绕过手法

glibc 2.26-2.27

tcache相关的宏定义

#if USE_TCACHE
/* We want 64 entries.  This is an arbitrary limit, which tunables can reduce.  */
# define TCACHE_MAX_BINS    64
# define MAX_TCACHE_SIZE  tidx2usize (TCACHE_MAX_BINS-1)


/* Only used to pre-fill the tunables.  */
# define tidx2usize(idx)  (((size_t) idx) * MALLOC_ALIGNMENT + MINSIZE - SIZE_SZ)


/* When "x" is from chunksize().  */
# define csize2tidx(x) (((x) - MINSIZE + MALLOC_ALIGNMENT - 1) / MALLOC_ALIGNMENT)
/* When "x" is a user-provided size.  */
# define usize2tidx(x) csize2tidx (request2size (x))


/* With rounding and alignment, the bins are...
   idx 0   bytes 0..24 (64-bit) or 0..12 (32-bit)
   idx 1   bytes 25..40 or 13..20
   idx 2   bytes 41..56 or 21..28
   etc.  */


/* This is another arbitrary limit, which tunables can change.  Each
   tcache bin will hold at most this number of chunks.  */
# define TCACHE_FILL_COUNT 7
#endif

tcache相关的结构体

malloc_par里有与tcache相关的内容

struct malloc_par
{
  /* Tunable parameters */
  unsigned long trim_threshold;
  INTERNAL_SIZE_T top_pad;
  INTERNAL_SIZE_T mmap_threshold;
  INTERNAL_SIZE_T arena_test;
  INTERNAL_SIZE_T arena_max;


  /* Memory map support */
  int n_mmaps;
  int n_mmaps_max;
  int max_n_mmaps;
  /* the mmap_threshold is dynamic, until the user sets
     it manually, at which point we need to disable any
     dynamic behavior. */
  int no_dyn_threshold;


  /* Statistics */
  INTERNAL_SIZE_T mmapped_mem;
  INTERNAL_SIZE_T max_mmapped_mem;


  /* First address handed out by MORECORE/sbrk.  */
  char *sbrk_base;


//下面是tcache相关的内容
---------------------------------------------------------------------




#if USE_TCACHE
  /* Maximum number of buckets to use.  */
  size_t tcache_bins;
  size_t tcache_max_bytes;
  /* Maximum number of chunks in each bucket.  */
  size_t tcache_count;
  /* Maximum number of chunks to remove from the unsorted list, which
     aren't used to prefill the cache.  */
  size_t tcache_unsorted_limit;
#endif
};

可以看到这里定义了malloc_par结构体名为mp_

static struct malloc_par mp_ =
{
  .top_pad = DEFAULT_TOP_PAD,
  .n_mmaps_max = DEFAULT_MMAP_MAX,
  .mmap_threshold = DEFAULT_MMAP_THRESHOLD,
  .trim_threshold = DEFAULT_TRIM_THRESHOLD,
#define NARENAS_FROM_NCORES(n) ((n) * (sizeof (long) == 4 ? 2 : 8))
  .arena_test = NARENAS_FROM_NCORES (1)
#if USE_TCACHE
  ,
  .tcache_count = TCACHE_FILL_COUNT,
  .tcache_bins = TCACHE_MAX_BINS,
  .tcache_max_bytes = tidx2usize (TCACHE_MAX_BINS-1),
  .tcache_unsorted_limit = 0 /* No limit.  */
#endif

tcache_entry

#if USE_TCACHE


/* We overlay this structure on the user-data portion of a chunk when
   the chunk is stored in the per-thread cache.  */
typedef struct tcache_entry
{
  struct tcache_entry *next;
} tcache_entry;

tcache_perthread_struct

typedef struct tcache_perthread_struct
{
  char counts[TCACHE_MAX_BINS];
  tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;

MAX_TCACHE_COUNT以及一些其他的东西

#define MAX_TCACHE_COUNT 127  /* Maximum value of counts[] entries.  */


static __thread bool tcache_shutting_down = false;
static __thread tcache_perthread_struct *tcache = NULL;

tcache主要行为

放入tcache bin的时候

/* Caller must ensure that we know tc_idx is valid and there's room
   for more chunks.  */
tatic __always_inline void
tcache_put (mchunkptr chunk, size_t tc_idx)
{
  tcache_entry *e = (tcache_entry *) chunk2mem (chunk);
  assert (tc_idx < TCACHE_MAX_BINS);
  e->next = tcache->entries[tc_idx];   //这里采用的是头插法
  tcache->entries[tc_idx] = e;
  ++(tcache->counts[tc_idx]);
}

申请的时候

static __always_inline void *
tcache_get (size_t tc_idx)
{
  tcache_entry *e = tcache->entries[tc_idx];
  assert (tc_idx < TCACHE_MAX_BINS);
  assert (tcache->entries[tc_idx] > 0);
  tcache->entries[tc_idx] = e->next;
  --(tcache->counts[tc_idx]);
  return (void *) e;
}

总结

这个时期的tcache存在着很大的漏洞,几乎没有防护,也为后来打patch埋下基础

glibc 2.28-2.33

tcache 相关定义

这里只展示不同之处

tcache_entry

可以看到相比于上一个阶段,这里多了个key指针,类型是struct tcache_perthread_struct *,指向的是当前线程的struct tcache_entry结构体变量,用于检测是否出现了double free

#if USE_TCACHE


/* We overlay this structure on the user-data portion of a chunk when
   the chunk is stored in the per-thread cache.  */
typedef struct tcache_entry
{
  struct tcache_entry *next;
  /* This field exists to detect double frees.  */
  struct tcache_perthread_struct *key;
} tcache_entry;

tcache_perthread_struct

可以看到原来的char counts[TCACHE_MAX_BINS]变成了uint16_t类型,也许是预防了一手类型混淆,劫持 tcache_perthread_struct结构体的时候就需要注意了

typedef struct tcache_perthread_struct
{
  uint16_t counts[TCACHE_MAX_BINS];
  tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;

tcache的行为

放入tcache bin

可以看到多了个PROTECT_PTR,相关宏定义,也就是放入时候的堆块的 e的next指针的地址>>12tcache->entries\[tc_idx\] 异或,也就是和当前堆块所属下标的tcache->entries指向的第一个堆块,根据头插法,其实就是和要释放堆块同属一个entries的上一个堆块异或(其实就是next指针的值) 简单来说就是e的next指针的取地址>>12e的next指针的值异或了

不过当第一个堆块放入的时候tcache->entries指向的第一个堆块为NULL, 也就是0,相当于没有xor,可以用来泄露堆地址

#define PROTECT_PTR(pos, ptr) \
  ((__typeof (ptr)) ((((size_t) pos) >> 12) ^ ((size_t) ptr)))
static __always_inline void
tcache_put (mchunkptr chunk, size_t tc_idx)
{
  tcache_entry *e = (tcache_entry *) chunk2mem (chunk);


  /* Mark this chunk as "in the tcache" so the test in _int_free will
     detect a double free.  */
  e->key = tcache;


  e->next = PROTECT_PTR (&e->next, tcache->entries[tc_idx]);
  tcache->entries[tc_idx] = e;
  ++(tcache->counts[tc_idx]);
}
/* Caller must ensure that we know tc_idx is valid and there's
   available chunks to remove.  */

申请

可以看见多了个REVEAL_PTR,其实根据xor的性质,直接还原了

#define REVEAL_PTR(ptr)  PROTECT_PTR (&ptr, ptr)

static __always_inline void *
tcache_get (size_t tc_idx)
{
  tcache_entry *e = tcache->entries[tc_idx];
  if (__glibc_unlikely (!aligned_OK (e)))
    malloc_printerr ("malloc(): unaligned tcache chunk detected");
  tcache->entries[tc_idx] = REVEAL_PTR (e->next);
  --(tcache->counts[tc_idx]);
  e->key = NULL;
  return (void *) e;
}

释放的时候

可以看到 if (__glibc_unlikely (e->key == tcache)) 如果相等就会遍历 处于相同下标 entrys的所有chunk, 来检查要释放的堆块是否已经存在,是否double free

static void
_int_free (mstate av, mchunkptr p, int have_lock)
{
  INTERNAL_SIZE_T size;        /* its size */
  mfastbinptr *fb;             /* associated fastbin */
  mchunkptr nextchunk;         /* next contiguous chunk */
  INTERNAL_SIZE_T nextsize;    /* its size */
  int nextinuse;               /* true if nextchunk is used */
  INTERNAL_SIZE_T prevsize;    /* size of previous contiguous chunk */
  mchunkptr bck;               /* misc temp for linking */
  mchunkptr fwd;               /* misc temp for linking */


  size = chunksize (p);


  /* Little security check which won't hurt performance: the
     allocator never wrapps around at the end of the address space.
     Therefore we can exclude some size values which might appear
     here by accident or by "design" from some intruder.  */
  if (__builtin_expect ((uintptr_t) p > (uintptr_t) -size, 0)
      || __builtin_expect (misaligned_chunk (p), 0))
    malloc_printerr ("free(): invalid pointer");
  /* We know that each chunk is at least MINSIZE bytes in size or a
     multiple of MALLOC_ALIGNMENT.  */
  if (__glibc_unlikely (size < MINSIZE || !aligned_OK (size)))
    malloc_printerr ("free(): invalid size");


  check_inuse_chunk(av, p);


#if USE_TCACHE
  {
    size_t tc_idx = csize2tidx (size);
    if (tcache != NULL && tc_idx < mp_.tcache_bins)
      {
  /* Check to see if it's already in the tcache.  */
  tcache_entry *e = (tcache_entry *) chunk2mem (p);


  /* This test succeeds on double free.  However, we don't 100%
     trust it (it also matches random payload data at a 1 in
     2^<size_t> chance), so verify it's not an unlikely
     coincidence before aborting.  */
  if (__glibc_unlikely (e->key == tcache))
    {
      tcache_entry *tmp;
      size_t cnt = 0;
      LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx);
      for (tmp = tcache->entries[tc_idx];
     tmp;
     tmp = REVEAL_PTR (tmp->next), ++cnt)
        {
    if (cnt >= mp_.tcache_count)
      malloc_printerr ("free(): too many chunks detected in tcache");
    if (__glibc_unlikely (!aligned_OK (tmp)))
      malloc_printerr ("free(): unaligned chunk detected in tcache 2");
    if (tmp == e)
      malloc_printerr ("free(): double free detected in tcache 2");
    /* If we get here, it was a coincidence.  We've wasted a
       few cycles, but don't abort.  */
        }
    }


  if (tcache->counts[tc_idx] < mp_.tcache_count)
    {
      tcache_put (p, tc_idx);
      return;
    }
      }
  }
#endif

glibc2.34—至今

主要不同只有一个地方,原来e->key=tcache现在e->key=tcache_key

static __always_inline void
tcache_put (mchunkptr chunk, size_t tc_idx)
{
  tcache_entry *e = (tcache_entry *) chunk2mem (chunk);


  /* Mark this chunk as "in the tcache" so the test in _int_free will
     detect a double free.  */
  e->key = tcache_key;


  e->next = PROTECT_PTR (&e->next, tcache->entries[tc_idx]);
  tcache->entries[tc_idx] = e;
  ++(tcache->counts[tc_idx]);
}

那么tcache_key哪来的呢

static void
tcache_key_initialize (void)
{
  if (__getrandom (&tcache_key, sizeof(tcache_key), GRND_NONBLOCK)
      != sizeof (tcache_key))
    {
      tcache_key = random_bits ();
#if __WORDSIZE == 64
      tcache_key = (tcache_key << 32) | random_bits ();
#endif
    }
}

实际上是tcache_key变为了一个随机数

释放的时候

可以看到if(e->key == tcache)变为了 if(e->key == tcache_key),但我们只要能获取key一样可以绕过检测

static void
_int_free (mstate av, mchunkptr p, int have_lock)
{
  INTERNAL_SIZE_T size;        /* its size */
  mfastbinptr *fb;             /* associated fastbin */
  mchunkptr nextchunk;         /* next contiguous chunk */
  INTERNAL_SIZE_T nextsize;    /* its size */
  int nextinuse;               /* true if nextchunk is used */
  INTERNAL_SIZE_T prevsize;    /* size of previous contiguous chunk */
  mchunkptr bck;               /* misc temp for linking */
  mchunkptr fwd;               /* misc temp for linking */


  size = chunksize (p);


  /* Little security check which won't hurt performance: the
     allocator never wrapps around at the end of the address space.
     Therefore we can exclude some size values which might appear
     here by accident or by "design" from some intruder.  */
  if (__builtin_expect ((uintptr_t) p > (uintptr_t) -size, 0)
      || __builtin_expect (misaligned_chunk (p), 0))
    malloc_printerr ("free(): invalid pointer");
  /* We know that each chunk is at least MINSIZE bytes in size or a
     multiple of MALLOC_ALIGNMENT.  */
  if (__glibc_unlikely (size < MINSIZE || !aligned_OK (size)))
    malloc_printerr ("free(): invalid size");


  check_inuse_chunk(av, p);


#if USE_TCACHE
  {
    size_t tc_idx = csize2tidx (size);
    if (tcache != NULL && tc_idx < mp_.tcache_bins)
      {
  /* Check to see if it's already in the tcache.  */
  tcache_entry *e = (tcache_entry *) chunk2mem (p);


  /* This test succeeds on double free.  However, we don't 100%
     trust it (it also matches random payload data at a 1 in
     2^<size_t> chance), so verify it's not an unlikely
     coincidence before aborting.  */
  if (__glibc_unlikely (e->key == tcache_key))
    {
      tcache_entry *tmp;
      size_t cnt = 0;
      LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx);
      for (tmp = tcache->entries[tc_idx];
     tmp;
     tmp = REVEAL_PTR (tmp->next), ++cnt)
        {
    if (cnt >= mp_.tcache_count)
      malloc_printerr ("free(): too many chunks detected in tcache");
    if (__glibc_unlikely (!aligned_OK (tmp)))
      malloc_printerr ("free(): unaligned chunk detected in tcache 2");
    if (tmp == e)
      malloc_printerr ("free(): double free detected in tcache 2");
    /* If we get here, it was a coincidence.  We've wasted a
       few cycles, but don't abort.  */
        }
    }


  if (tcache->counts[tc_idx] < mp_.tcache_count)
    {
      tcache_put (p, tc_idx);
      return;
    }
      }
  }
#endif
Thanks for reading!

浅析tcache bin的前世今生

周一 9月 01 2025
1955 字 · 16 分钟
Pwn heap tcache

© Caelum | CC BY-NC-SA 4.0

分享这篇博客

Share preview for 浅析tcache bin的前世今生
X (Twitter) Telegram Reddit Facebook Email

目录