From 1f2987a134e793718cbd0335a2951c6ee3a5f129 Mon Sep 17 00:00:00 2001
From: gfelber <@users.noreply.github.com>
Date: Mon, 8 Apr 2024 13:12:19 +0200
Subject: [PATCH] fixed wrong target top size calculation, only relevant for Constants printed at top
---
 glibc_2.23/sysmalloc_int_free.c | 2 +-
 glibc_2.27/house_of_tangerine.c | 2 +-
 glibc_2.27/sysmalloc_int_free.c | 2 +-
 glibc_2.31/house_of_tangerine.c | 2 +-
 glibc_2.31/sysmalloc_int_free.c | 2 +-
 glibc_2.34/house_of_tangerine.c | 2 +-
 glibc_2.34/sysmalloc_int_free.c | 2 +-
 glibc_2.39/house_of_tangerine.c | 2 +-
 glibc_2.39/sysmalloc_int_free.c | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/glibc_2.23/sysmalloc_int_free.c b/glibc_2.23/sysmalloc_int_free.c
index 43e508d..ea0dc9a 100644
--- a/glibc_2.23/sysmalloc_int_free.c
+++ b/glibc_2.23/sysmalloc_int_free.c
@@ -58,7 +58,7 @@ int main() {
 printf("fencepost size \t\t= 0x%lx\n", FENCEPOST);
 printf("freed size \t\t= 0x%lx\n", FREED_SIZE);
- printf("target top chunk size \t= 0x%lx\n", CHUNK_FREED_SIZE + FENCEPOST);
+ printf("target top chunk size \t= 0x%lx\n", CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_FREED_SIZE);
 // probe the current size of the top_chunk,
 // can be skipped if it is already known or predictable
diff --git a/glibc_2.27/house_of_tangerine.c b/glibc_2.27/house_of_tangerine.c
index 645dec8..6fcf24f 100644
--- a/glibc_2.27/house_of_tangerine.c
+++ b/glibc_2.27/house_of_tangerine.c
@@ -66,7 +66,7 @@ int main() {
 printf("fencepost size = 0x%lx\n", FENCEPOST);
 printf("size_1 = 0x%lx\n", SIZE_1);
- printf("target tcache top size = 0x%lx\n", CHUNK_SIZE_1 + FENCEPOST);
+ printf("target tcache top size = 0x%lx\n", CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_SIZE_1);
 // target is malloc chunk aligned 0x10 for x86_64
 target = ((size_t) win + (MALLOC_ALIGN - 1)) & MALLOC_MASK;
diff --git a/glibc_2.27/sysmalloc_int_free.c b/glibc_2.27/sysmalloc_int_free.c
index 43e508d..ea0dc9a 100644
--- a/glibc_2.27/sysmalloc_int_free.c
+++ b/glibc_2.27/sysmalloc_int_free.c
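Review bot: The new `+` line in glibc_2.23/sysmalloc_int_free.c spells out the target top size as `CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_FREED_SIZE` inline in a printf, and the commit message itself says this printout had already drifted from the value the exploit really uses (which is computed further down in main, outside this hunk), so nothing stops the two from diverging again. Define the value once next to the other constants, `#define TARGET_TOP_SIZE (CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_FREED_SIZE)`, and reference that macro both here and in the actual size calculation. A one-line comment on why a header plus one alignment unit is added would help readers — presumably it mirrors sysmalloc trimming the old top by CHUNK_HDR_SZ and rounding down to MALLOC_ALIGN before it is passed to _int_free, but that should be confirmed against the 2.23 source. If CHUNK_HDR_SZ and MALLOC_ALIGN are unsuffixed integer literals the sum is an `int` handed to `%lx`; casting to `(unsigned long)` or printing a `size_t` with `%zx` would make the format well-defined.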
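Review bot: In glibc_2.27/house_of_tangerine.c the added line prints `CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_SIZE_1` as the tcache top size, but this is a second, hand-maintained copy of an expression that the exploit evidently computes elsewhere in main (outside this hunk) — the old `CHUNK_SIZE_1 + FENCEPOST` was wrong precisely because the copies were not tied together. Hoist it into a named constant, `#define TARGET_TOP_SIZE (CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_SIZE_1)`, and use it in both the printf and the real computation so the diagnostic can no longer lie. A brief comment explaining the term, e.g. `// old top is shrunk by CHUNK_HDR_SZ and aligned down before sysmalloc frees it`, would make the constant self-explanatory; I am inferring that rationale, so confirm it against the glibc 2.27 sysmalloc code. The `%lx` specifier assumes an `unsigned long` argument, which plain literal macros do not give you without a cast.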
@@ -58,7 +58,7 @@ int main() {
 printf("fencepost size \t\t= 0x%lx\n", FENCEPOST);
 printf("freed size \t\t= 0x%lx\n", FREED_SIZE);
- printf("target top chunk size \t= 0x%lx\n", CHUNK_FREED_SIZE + FENCEPOST);
+ printf("target top chunk size \t= 0x%lx\n", CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_FREED_SIZE);
 // probe the current size of the top_chunk,
 // can be skipped if it is already known or predictable
diff --git a/glibc_2.31/house_of_tangerine.c b/glibc_2.31/house_of_tangerine.c
index 645dec8..6fcf24f 100644
--- a/glibc_2.31/house_of_tangerine.c
+++ b/glibc_2.31/house_of_tangerine.c
@@ -66,7 +66,7 @@ int main() {
 printf("fencepost size = 0x%lx\n", FENCEPOST);
 printf("size_1 = 0x%lx\n", SIZE_1);
- printf("target tcache top size = 0x%lx\n", CHUNK_SIZE_1 + FENCEPOST);
+ printf("target tcache top size = 0x%lx\n", CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_SIZE_1);
 // target is malloc chunk aligned 0x10 for x86_64
 target = ((size_t) win + (MALLOC_ALIGN - 1)) & MALLOC_MASK;
diff --git a/glibc_2.31/sysmalloc_int_free.c b/glibc_2.31/sysmalloc_int_free.c
index 43e508d..ea0dc9a 100644
--- a/glibc_2.31/sysmalloc_int_free.c
+++ b/glibc_2.31/sysmalloc_int_free.c
@@ -58,7 +58,7 @@ int main() {
 printf("fencepost size \t\t= 0x%lx\n", FENCEPOST);
 printf("freed size \t\t= 0x%lx\n", FREED_SIZE);
- printf("target top chunk size \t= 0x%lx\n", CHUNK_FREED_SIZE + FENCEPOST);
+ printf("target top chunk size \t= 0x%lx\n", CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_FREED_SIZE);
 // probe the current size of the top_chunk,
 // can be skipped if it is already known or predictable
diff --git a/glibc_2.34/house_of_tangerine.c b/glibc_2.34/house_of_tangerine.c
index 21d90fe..72247e6 100644
--- a/glibc_2.34/house_of_tangerine.c
+++ b/glibc_2.34/house_of_tangerine.c
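Review bot: The replacement printf in glibc_2.27/sysmalloc_int_free.c still duplicates the target-top-size formula instead of sharing it with the exploit logic that lives further down in main (not visible in this hunk), which is exactly how the previous `CHUNK_FREED_SIZE + FENCEPOST` went stale. Introduce `#define TARGET_TOP_SIZE (CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_FREED_SIZE)` beside the other constants and print and compute from that single definition. Please also document the formula with a short comment; it presumably reflects sysmalloc subtracting CHUNK_HDR_SZ from the old top size and aligning it down before the chunk is freed, but that is an inference to verify against this glibc version. Consider `(unsigned long)` on the argument so `%lx` is matched even if the macros are bare `int` literals.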
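Review bot: In glibc_2.31/house_of_tangerine.c the new `+` line hard-codes `CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_SIZE_1` in a diagnostic printf while the same quantity is, per the commit message, computed independently in the exploit body outside this hunk; a future change to one site will not update the other. Replace both uses with a single `#define TARGET_TOP_SIZE (CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_SIZE_1)`. A comment stating why the header size and one alignment unit are added — presumably because sysmalloc shrinks and aligns the old top before it ends up in tcache, to be confirmed for 2.31 — would help anyone reading the printed constants. The enclosing main() continues past the end of the hunk.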
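Review bot: For glibc_2.31/sysmalloc_int_free.c, the corrected printf expression `CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_FREED_SIZE` is maintained separately from the calculation the exploit actually performs later in main (outside this hunk), so the displayed and effective values can disagree again just as they did before this patch. Factor it out as `#define TARGET_TOP_SIZE (CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_FREED_SIZE)` and use the macro at both sites. Add a why-comment on the macro; the CHUNK_HDR_SZ + MALLOC_ALIGN term presumably accounts for sysmalloc's shrink-and-align of the old top before _int_free, which should be checked against the 2.31 allocator. If the macros are unsuffixed literals, cast the argument to `(unsigned long)` to match `%lx`.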
@@ -66,7 +66,7 @@ int main() {
 printf("fencepost size = 0x%lx\n", FENCEPOST);
 printf("size_1 = 0x%lx\n", SIZE_1);
- printf("target tcache top size = 0x%lx\n", CHUNK_SIZE_1 + FENCEPOST);
+ printf("target tcache top size = 0x%lx\n", CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_SIZE_1);
 // target is malloc chunk aligned 0x10 for x86_64
 target = ((size_t) win + (MALLOC_ALIGN - 1)) & MALLOC_MASK;
diff --git a/glibc_2.34/sysmalloc_int_free.c b/glibc_2.34/sysmalloc_int_free.c
index 43e508d..ea0dc9a 100644
--- a/glibc_2.34/sysmalloc_int_free.c
+++ b/glibc_2.34/sysmalloc_int_free.c
@@ -58,7 +58,7 @@ int main() {
 printf("fencepost size \t\t= 0x%lx\n", FENCEPOST);
 printf("freed size \t\t= 0x%lx\n", FREED_SIZE);
- printf("target top chunk size \t= 0x%lx\n", CHUNK_FREED_SIZE + FENCEPOST);
+ printf("target top chunk size \t= 0x%lx\n", CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_FREED_SIZE);
 // probe the current size of the top_chunk,
 // can be skipped if it is already known or predictable
diff --git a/glibc_2.39/house_of_tangerine.c b/glibc_2.39/house_of_tangerine.c
index 21d90fe..72247e6 100644
--- a/glibc_2.39/house_of_tangerine.c
+++ b/glibc_2.39/house_of_tangerine.c
@@ -66,7 +66,7 @@ int main() {
 printf("fencepost size = 0x%lx\n", FENCEPOST);
 printf("size_1 = 0x%lx\n", SIZE_1);
- printf("target tcache top size = 0x%lx\n", CHUNK_SIZE_1 + FENCEPOST);
+ printf("target tcache top size = 0x%lx\n", CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_SIZE_1);
 // target is malloc chunk aligned 0x10 for x86_64
 target = ((size_t) win + (MALLOC_ALIGN - 1)) & MALLOC_MASK;
diff --git a/glibc_2.39/sysmalloc_int_free.c b/glibc_2.39/sysmalloc_int_free.c
index 43e508d..ea0dc9a 100644
--- a/glibc_2.39/sysmalloc_int_free.c
+++ b/glibc_2.39/sysmalloc_int_free.c
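Review bot: The added line in glibc_2.34/house_of_tangerine.c prints `CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_SIZE_1` as a literal expression, which is a copy of a value the exploit derives elsewhere in main (beyond this hunk) — the commit is itself evidence that such copies drift. Define `#define TARGET_TOP_SIZE (CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_SIZE_1)` once and print and compute from it. A short comment on the origin of the extra CHUNK_HDR_SZ + MALLOC_ALIGN would help, presumably sysmalloc trimming and aligning the old top before it is freed into tcache; verify against glibc 2.34 before writing that down. `%lx` with integer-literal macros also wants an `(unsigned long)` cast to be well-defined.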
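Review bot: In glibc_2.34/sysmalloc_int_free.c the new `+` line keeps the target top size as an ad-hoc expression in the printf rather than sharing a definition with the exploit's own size computation later in main (outside the hunk), so the diagnostic remains a maintenance hazard. Use one `#define TARGET_TOP_SIZE (CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_FREED_SIZE)` for both. Please also comment the rationale for the header-plus-alignment term — it presumably matches how sysmalloc shrinks and aligns the old top before calling _int_free, which should be confirmed for 2.34 — and cast the argument to `(unsigned long)` if the macros are plain `int` literals so `%lx` is matched.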
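Review bot: The glibc_2.39/house_of_tangerine.c hunk prints `CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_SIZE_1` as a stand-alone expression while the exploit, per the commit message, computes the same target size separately further down in main (not shown here); the previous wrong printout is a direct consequence of that duplication. Collapse both into `#define TARGET_TOP_SIZE (CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_SIZE_1)`. A comment like `// sysmalloc shrinks the old top by CHUNK_HDR_SZ and aligns it down before freeing it` would explain the constant, but I am inferring that from glibc behaviour rather than from this file, so check it against 2.39. The `%lx` format assumes `unsigned long`; a cast keeps it well-defined regardless of how the macros are spelled.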
@@ -58,7 +58,7 @@ int main() {
 printf("fencepost size \t\t= 0x%lx\n", FENCEPOST);
 printf("freed size \t\t= 0x%lx\n", FREED_SIZE);
- printf("target top chunk size \t= 0x%lx\n", CHUNK_FREED_SIZE + FENCEPOST);
+ printf("target top chunk size \t= 0x%lx\n", CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_FREED_SIZE);
 // probe the current size of the top_chunk,
 // can be skipped if it is already known or predictable
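Review bot: In glibc_2.39/sysmalloc_int_free.c the corrected `+` line still computes the target top size inline in the printf, separately from wherever main (which continues outside this hunk) actually uses it, so the printed and effective values remain free to diverge. Define `#define TARGET_TOP_SIZE (CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_FREED_SIZE)` once and use it at both sites. Document the formula with a why-comment — presumably it mirrors sysmalloc subtracting CHUNK_HDR_SZ from the old top and aligning down to MALLOC_ALIGN before _int_free, to be confirmed against 2.39 — and cast the argument to `(unsigned long)` if the macros are unsuffixed literals so it matches `%lx`.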