0

I don't understand a condition for gettint the error - corrupted double-linked list (not small) -

There is a point in the program where it crashes due to corrupted double-linked list (not small).

At this moment, I don't want to know why it crashed, but I want to know how this conditions work

if (__builtin_expect (P->fd_nextsize->bk_nextsize != P, 0) || __builtin_expect(P->bk_nextsize->fd_nextsize != P, 0))    
     malloc_printerr (check_action,"corrupted double-linked list (not small)", P, AV);

Here we can see that the error double-linked list is observed when the P->fd_nextsize->bk_nextsize != P is not accomplished or P->bk_nextsize->fd_nextsize is not accomplished.

But my main problem is that I can't explain how this part of code - P->fd_nextsize->bk_nextsize - expects to be P. I am expecting that P->fd_nextsize->bk_nextsize is P->bk_nextsize.

Maybe I am confused with the structure of the double linked list in the bins.

At this moment, I understand the double linked list as this: 

+------------------->+----------------+ <---------+
|                    |  fd_nextsize   |           |
|                    |                |           |
|                    |                |           |
|                    +----------------+           |
|                    |                |           |
|                    |fd_nextsize     |           |
|                    |                |           |
|                    +----------------+           |
|                    |                |           |
|                    +bk_nextisize    |--------------------+
|                    |                |           |        |
|                    +----------------+           |        |
|                                                 |        |
|                                                 |        |
|                                                 |        |
|                                                 |        |
|                     +---------------+           |        |
|                     |  P            |           |        |
|                     |               |           |        |
|                     +---------------+           |        |
|                     |               |           |        |
|                     |fd_nextsize    +-----------+        |
|                     |               |                    |
|                     +---------------+                    |
|                     |               |                    |
|         +-----------+bk_nextsize    |                    |
|         |           |               |                    |
|         |           +---------------+                    |
|         |                                                |
|         |                                                |
|         |                                                |
|         +----------->+----------------+<-----------------+
|                      | bk_nextisize   |
|                      |                |
|                      |                |
|                      +----------------+
|                      |                |
+----------------------+ fd_nextsize    |
                       |                |
                       +----------------+
                       |bk_nextsize     |
                       |                |
                       +----------------+

So, if I am incorrect about my understanding of the double linked lists in the bins (Important information, according to the code and also due to the fact that we are using fd_nextsize and bk_nextsize this chunk is not in the smallbin) please correct me. Since at this moment, this condition does not make any sense to me.

Sebastian Chimal
  • 11
  • 3

1 Answers1

0

Example of corrupted double list with correct diagram. 

gef> x/200x victim
0x2c76330:      0x00000000      0x00000000      0x000004d1      0x00000000
0x2c76340:      0x140e8fb8      0x00007f12      0x140e8fb8      0x00007f12
0x2c76350:      0x02c15e48      0x00000000      0x02c76330      0x00000000
0x2c76360:      0x00000318      0x00000000      0x00000000      0x00000000

Here 

0x02c15e48    >>> fd_nextsize
0x02c76330    >>> bk_nextsize 

gef> x/100x 0x02c15e48
0x2c15e48:      0x02c76348      0x00000000      0x00000000      0x00000000
0x2c15e58:      0x00000019      0x00000000      0x09080003      0x0071db5c
0x2c15e68:      0xc0b51d4f      0x00000001      0x000000fa      0x00000000
0x2c15e78:      0x00000003      0x00007706      0x00007706      0x586a0001

0xc0b51d4f >>> victim->fd_nextisize->fd_nextsize
0x000000fa >>> vicitim->fd_nextsize->bk_nextsize  >>>>>>>>>>>>>>>>>>>>>>>>>>>>> This is not valid. 


gef> x/100x 0x02c76330
0x2c76330:      0x00000000      0x00000000      0x000004d1      0x00000000
0x2c76340:      0x140e8fb8      0x00007f12      0x140e8fb8      0x00007f12
0x2c76350:      0x02c15e48      0x00000000      0x02c76330      0x00000000
0x2c76360:      0x00000318      0x00000000      0x00000000      0x00000000

0x02c15e48 >>> victim->bk_nextsize->fd_nextsize
0x02c76330 >>> victim->bk_nextsize->bk_nextsize >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> This condition is valid.




   Double Linked Lists in GLIBC

             +----------------------+<------------------+
             |      ChunkA          |                   |
             +-----------------------+                  |
             |fd_nextsize           |                   |
             +----------------------+                   |
             |                      |                   |
         +---+bk_nextsize           |                   |
         |   +----------------------+                   |
         |                                              |
         |  +------------------------+<---------+       |
         |  |    ChunkB              |          |       |
         |  +------------------------+          |       |
         |  |fd_nextsize             |          |       |
         |  |                        |          |       |
         |  +------------------------+          |       |
+-----------+bk_nextsize             |          |       |
|        |  +------------------------+          |       |
|        |                                      |       |
|        +->+------------------------+<-----------------------------+
|           |      ChunkC            |          |       |           |
|           +------------------------+          |       |           |
|           |fd_nextsize             +------------------+           |
|           |                        |          |                   |
|           +------------------------+          |                   |
|    +------+bk_nextsize             |          |                   |
|    |      +------------------------+          |                   |
|    |                                          |                   |
+---------->+------------------------+          |                   |
     |      |        ChunkD          |          |                   |
     |      +------------------------+          |                   |
     |      |fd_nextsize             +----------+                   |
     |      +------------------------+                              |
     |      |                        |                              |
     |      |bk_nextsize             |                              |
     |      +------------------------+                              |
     |                                                              |
     +----> +------------------------+                              |
            |       ChunkE           |                              |
            +------------------------+                              |
            |fd_nextsize             +------------------------------+
            |                        |
            +------------------------+
            |bk_nextsize             |
            +------------------------+
Sebastian Chimal
  • 11
  • 3