House of Force

Principle:

House of Force works by overwriting the size field of the top chunk, so that a subsequent memory allocation yields an arbitrary-address write. First, look at the glibc source:

      /* from _int_malloc() in glibc malloc/malloc.c, the use_top path */
      victim = av->top;   // take the address of the top chunk
      size = chunksize (victim); // compute the size of the top chunk

      if ((unsigned long) (size) >= (unsigned long) (nb + MINSIZE)) // here nb is the size of the chunk being requested
        {
          remainder_size = size - nb;
          remainder = chunk_at_offset (victim, nb);  // address of the top chunk that remains after the split
          av->top = remainder;
          set_head (victim, nb | PREV_INUSE |
                    (av != &main_arena ? NON_MAIN_ARENA : 0));
          set_head (remainder, remainder_size | PREV_INUSE);

          check_malloced_chunk (av, victim, nb);
          void *p = chunk2mem (victim);
          alloc_perturb (p, bytes);
          return p;
        }
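The snippet above is the only check the legacy use_top path performs: `size >= nb + MINSIZE`. An overwritten top size field trivially satisfies it. glibc 2.29 added a second check just before it, `if (size > av->system_mem) malloc_printerr ("malloc(): corrupted top size");`, which is what stops this technique on current systems. The following is an added example, not code from the original post or from glibc: it models the split logic with constructed types (`struct chunk`, `struct arena`, `split_top`, `try_top_request` are all invented for the illustration; the constants follow the 64-bit glibc layout) and shows that a corrupted top size is accepted by the legacy check but refused once the 2.29 bound is applied.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the use_top split quoted above. These are not
   glibc's own types; the constants follow the 64-bit glibc layout:
   16-byte alignment, MINSIZE = 0x20, PREV_INUSE in the low size bit. */
#define PREV_INUSE 0x1UL
#define SIZE_BITS  0x7UL
#define MINSIZE    0x20UL
#define HEAP_BYTES 0x21000UL   /* size of the initial brk heap on x86-64 */

struct chunk { size_t prev_size; size_t size; };  /* header fields only */

struct arena {
    struct chunk *top;        /* av->top */
    size_t        system_mem; /* av->system_mem: memory the arena owns */
    int           hardened;   /* 1 = apply the glibc >= 2.29 top-size check */
};

static size_t chunksize(const struct chunk *c) { return c->size & ~SIZE_BITS; }

/* Mirrors the quoted snippet: carve nb bytes off the top chunk. Returns the
   chunk handed out, or NULL with *why set when the request is refused. */
static struct chunk *split_top(struct arena *av, size_t nb, const char **why)
{
    struct chunk *victim = av->top;
    size_t size = chunksize(victim);

    /* glibc 2.29 added this check: the top chunk can never be larger than
       the memory the arena obtained, so an overwritten size field aborts. */
    if (av->hardened && size > av->system_mem) {
        *why = "malloc(): corrupted top size";
        return NULL;
    }

    if (size >= nb + MINSIZE) {
        size_t remainder_size = size - nb;
        struct chunk *remainder = (struct chunk *)((char *)victim + nb);
        av->top = remainder;                              /* new top */
        victim->size = nb | PREV_INUSE;
        remainder->size = remainder_size | PREV_INUSE;
        *why = "ok";
        return victim;
    }

    *why = "top too small";   /* real glibc would grow the heap here */
    return NULL;
}

/* Set up a fake heap whose whole extent is one top chunk carrying the given
   size field, then request one MINSIZE chunk. Returns "ok" when the request
   is served from the top chunk, otherwise the reason it was refused. */
static const char *try_top_request(size_t top_size_field, int hardened)
{
    static size_t heap[HEAP_BYTES / sizeof(size_t)];  /* size_t keeps alignment */
    struct chunk *top = (struct chunk *)heap;
    const char *why = "";

    memset(heap, 0, sizeof heap);
    top->size = top_size_field;
    struct arena av = { top, sizeof heap, hardened };

    split_top(&av, MINSIZE, &why);
    return why;
}

int main(void)
{
    const size_t sane = HEAP_BYTES | PREV_INUSE;  /* fresh heap: top = everything */
    const size_t huge = ~0UL;                     /* overwritten size field */

    printf("sane top, legacy glibc   : %s\n", try_top_request(sane, 0));
    printf("sane top, glibc >= 2.29  : %s\n", try_top_request(sane, 1));
    printf("huge top, legacy glibc   : %s\n", try_top_request(huge, 0));
    printf("huge top, glibc >= 2.29  : %s\n", try_top_request(huge, 1));
    return 0;
}
```

The legacy path serves the request from the overwritten top chunk because the only comparison it makes is against `nb + MINSIZE`; with the `system_mem` bound in place the same request aborts with `malloc(): corrupted top size`, which is the string to look for in crash reports when triaging a suspected top-chunk overwrite.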
Original article: https://www.cnblogs.com/countfatcode/p/12374096.html