malloc misalignment in pwn demos
k4lizen opened this issue · comments
Some pwn demos (I found this in tcache linked list, more may be susceptible) crash due to malloc misalignment, i.e. in that particular case, the `target` variable does not have an address divisible by 0x10. We can see how how2heap handles this:
```c
size_t stack_var[0x10];
size_t *target = NULL;
// choose a properly aligned target address
// (walk the array until a slot whose address has its low 4 bits clear is found)
for (int i = 0; i < 0x10; i++) {
    if (((long)&stack_var[i] & 0xf) == 0) {
        target = &stack_var[i];
        break;
    }
}
```
here: https://github.com/shellphish/how2heap/blob/master/glibc_2.35/tcache_poisoning.c
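The how2heap loop above finds an aligned slot by scanning. As an added example (not code from the issue or from how2heap), the block below generalises that scan into a helper that rounds a buffer's start address up to the required alignment and verifies the object still fits, returning NULL when it does not, plus the alignment predicate a demo can assert on before handing an address to the allocator. The `MALLOC_ALIGN` constant and the function names are assumptions chosen for this example; 0x10 is the same value the how2heap loop masks with.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Alignment the glibc allocator expects for chunk user pointers on 64-bit
 * targets. A demo that feeds the allocator an address that is not a multiple
 * of this value trips its alignment check and aborts, which is the crash
 * described in the issue. (Assumed constant for this example.) */
#define MALLOC_ALIGN 0x10

/* Returns 1 if p is MALLOC_ALIGN-aligned, 0 otherwise. */
static int is_malloc_aligned(const void *p) {
    return ((uintptr_t)p & (MALLOC_ALIGN - 1)) == 0;
}

/* Generalisation of the how2heap scan: instead of looping over array slots,
 * round `buf` up to the next multiple of `align` (a power of two) and check
 * that `need` bytes remain inside the `len`-byte buffer. Returns NULL when no
 * aligned object of that size fits; callers must handle that case rather
 * than fall back to a misaligned address. */
static void *aligned_slot(void *buf, size_t len, size_t need, size_t align) {
    uintptr_t start = (uintptr_t)buf;
    uintptr_t end = start + len;
    uintptr_t aligned = (start + align - 1) & ~(uintptr_t)(align - 1);
    if (aligned < start || aligned > end || end - aligned < need)
        return NULL;
    return (void *)aligned;
}

int main(void) {
    size_t stack_var[0x10];                 /* same scratch array as the demo */
    void *target = aligned_slot(stack_var, sizeof stack_var,
                                2 * sizeof(size_t), MALLOC_ALIGN);
    if (target == NULL) {
        puts("no aligned slot available in stack_var");
        return 1;
    }
    printf("stack_var=%p target=%p aligned=%d\n",
           (void *)stack_var, target, is_malloc_aligned(target));
    /* A pointer one byte into the array fails the same check. */
    printf("stack_var+1 aligned=%d\n", is_malloc_aligned((char *)stack_var + 1));
    return 0;
}
```

Using the helper instead of the bare loop makes the failure explicit: a demo that cannot obtain an aligned slot reports it rather than continuing with an address the allocator will reject.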