Pwngdb
angelheap failed to trace free() while using tracemalloc
Environment
- Ubuntu Linux 18.04.1 64 bit
- glibc version : Ubuntu GLIBC 2.27-3ubuntu1
Detail
testing program:
/* gcc -o test test.c */
#include <stdio.h>
#include <string.h>
#include <math.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    /* six allocations, then free all of them (p4 and p5 out of order) */
    char *p1 = malloc(20);
    char *p2 = malloc(30);
    char *p3 = malloc(40);
    char *p4 = malloc(50);
    char *p5 = malloc(60);
    char *p6 = malloc(3000);
    free(p1);
    free(p2);
    free(p3);
    free(p5);
    free(p4);
    free(p6);
    return 0;
}
While using tracemalloc on/off, angelheap successfully traces the malloc() call, but not the free() call. This causes some errors in parseheap and in overlapped chunk detection.
For some unknown reason, glibc did not run into _int_free() in glibc 2.27.
Any idea how to fix it?
@scwuaptx I think I've found the root cause.
Somehow in libc-2.27 _int_free() became inlined in __libc_free(), so it won't call _int_free(); it just jumps to a certain address in __libc_free() to free the memory.
To resolve the issue, is it OK for us to trace the malloc/free calls by setting the breakpoint in __libc_free() instead of _int_free()?
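As an added illustration (not Pwngdb/angelheap code), the sketch below shows both halves of the comment above: a minimal chunk tracker whose core runs outside gdb, so it can show how a missed free() trace turns address reuse into a false "overlapped chunk" report, plus a GDB Python breakpoint on __libc_free() rather than _int_free(). The addresses in the sample events are constructed, and the register read assumes x86-64.

```python
# Added example, not Pwngdb/angelheap code: a minimal malloc/free tracker whose
# core is pure Python; the __libc_free breakpoint is only installed inside gdb.
try:
    import gdb  # only importable inside gdb
except ImportError:
    gdb = None

class ChunkTracker:
    """Tracks live chunks by user pointer. An address handed out again
    while still recorded as live is flagged: that is what a missed free()
    trace looks like to an overlapped-chunk detector."""
    def __init__(self):
        self.live = {}        # user pointer -> requested size
        self.anomalies = []   # pointers reused without an observed free()
    def on_malloc(self, ptr, size):
        if ptr in self.live:
            self.anomalies.append(ptr)
        self.live[ptr] = size
    def on_free(self, ptr):
        if ptr != 0:          # free(NULL) is a no-op
            self.live.pop(ptr, None)

def replay(events, trace_free=True):
    """Replay ('malloc', ptr, size) / ('free', ptr) events. trace_free=False
    drops the free events, simulating a breakpoint on _int_free() that
    never fires because glibc 2.27 inlined it into __libc_free()."""
    tracker = ChunkTracker()
    for ev in events:
        if ev[0] == "malloc":
            tracker.on_malloc(ev[1], ev[2])
        elif trace_free:
            tracker.on_free(ev[1])
    return tracker

# Constructed events: p1 = malloc(20) from the test program, freed, then the
# same address returned by a later malloc(20). Addresses are made up.
SAMPLE_EVENTS = [("malloc", 0x602260, 20), ("free", 0x602260),
                 ("malloc", 0x602260, 20)]

if gdb is not None:
    TRACKER = ChunkTracker()
    class FreeBreakpoint(gdb.Breakpoint):
        """Break on the exported __libc_free() instead of _int_free()."""
        def __init__(self):
            super().__init__("__libc_free", internal=True)
        def stop(self):
            # x86-64 SysV ABI: the pointer argument is in rdi
            TRACKER.on_free(int(gdb.parse_and_eval("$rdi")))
            return False  # record the call and let the debuggee continue
    FreeBreakpoint()
```

Sourced inside gdb (`source tracker.py`), TRACKER.live can be inspected after the program runs; outside gdb, replay(SAMPLE_EVENTS, trace_free=False) reproduces the spurious overlap.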