# 1.5.11 jemalloc

- [Introduction](#introduction)
- [Building and installing](#building-and-installing)
- [jemalloc in depth](#jemalloc-in-depth)
  - [Data structures](#data-structures)
- [Exploitation techniques](#exploitation-techniques)
- [CTF examples](#ctf-examples)
- [References](#references)

## Introduction

jemalloc is a general-purpose malloc implementation released by Facebook and widely used in FreeBSD and Firefox. It offers higher performance than ptmalloc2.

## Building and installing

Let's build a jemalloc with debugging information (note: 4.x and 5.x seem to differ considerably):

```
$ wget https://github.com/jemalloc/jemalloc/releases/download/5.0.1/jemalloc-5.0.1.tar.bz2
$ tar -xjvf jemalloc-5.0.1.tar.bz2
$ cd jemalloc-5.0.1
$ ./configure --prefix=/usr/local/jemalloc --enable-debug
$ make -j4 && sudo make install
```

Next, update the dynamic linker configuration (ldconfig does not descend into subdirectories, so the entry must name the `lib` directory that holds `libjemalloc.so.2`):

```
# echo /usr/local/jemalloc/lib >> /etc/ld.so.conf.d/jemalloc.conf
# ldconfig
```

When you want to build a program against jemalloc, do it like this:

```
$ gcc -L/usr/local/jemalloc/lib -Wl,--rpath=/usr/local/jemalloc/lib -ljemalloc test.c
$ ldd a.out
    linux-vdso.so.1 (0x00007fff69b62000)
    libjemalloc.so.2 => /usr/local/jemalloc/lib/libjemalloc.so.2 (0x00007f744483b000)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007f744447f000)
    libm.so.6 => /usr/lib/libm.so.6 (0x00007f74440ea000)
    libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f7443d61000)
    libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f7443b43000)
    libdl.so.2 => /usr/lib/libdl.so.2 (0x00007f744393f000)
    libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f7443727000)
    /lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007f7444f02000)
```

You can see that `libjemalloc.so.2` has been linked into the program.
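The `test.c` compiled above is not shown on the page. As an added example (not part of the original), here is one that makes the linked allocator observable: it measures the distance between consecutive small allocations, which reveals whether regions carry a chunk header (ptmalloc2) or are packed by size class (jemalloc). The stride values quoted in the comments assume x86-64 and the default size classes of both allocators.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Allocate n regions of `size` bytes, record the distance between the first
 * two, free everything and return that distance (0 on failure). Fresh small
 * allocations of one size class come out back to back, so the stride exposes
 * the allocator's layout: jemalloc keeps no per-region header, so a 32-byte
 * request yields a 32-byte stride (its size class), whereas ptmalloc2
 * prepends a 16-byte chunk header and the same request yields 48 bytes. */
long alloc_stride(size_t size, int n)
{
    if (n < 2)
        return 0;
    void **regions = calloc((size_t)n, sizeof *regions);
    if (regions == NULL)
        return 0;
    long stride = 0;
    for (int i = 0; i < n; i++) {
        regions[i] = malloc(size);
        if (regions[i] == NULL)
            goto out;
    }
    /* labs() covers allocators that hand regions out in descending order. */
    stride = labs((long)((uintptr_t)regions[1] - (uintptr_t)regions[0]));
out:
    for (int i = 0; i < n; i++)
        free(regions[i]);   /* free(NULL) is a no-op for unfilled slots */
    free(regions);
    return stride;
}

/* Print the stride observed for a few request sizes. Build the file once with
 * the -ljemalloc command above and once with plain `gcc test.c` to compare. */
int main(void)
{
    const size_t sizes[] = { 16, 32, 64, 100, 200 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("request %4zu bytes -> stride %ld bytes\n",
               sizes[i], alloc_stride(sizes[i], 8));
    return 0;
}
```

With the jemalloc build the stride for a 100-byte request lands on the 112-byte size class, which is the spacing an overflow between neighbouring regions has to cross; under ptmalloc2 the equivalent figure is 112 plus the header.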

## jemalloc in depth

We use jemalloc-4.5.0 for the explanation.

### Data structures

## Exploitation techniques

## CTF examples

See sections 6.1.29 and 6.1.34.

## References

- http://jemalloc.net/
- [Pseudomonarchia jemallocum](http://phrack.org/issues/68/10.html)
- [The Shadow over Android](https://census-labs.com/media/shadow-infiltrate-2017.pdf)
- https://github.com/CENSUS/shadow/
- [Exploiting VLC - A case study on jemalloc heap overflows](http://phrack.org/issues/68/13.html)
- [Exploiting the jemalloc Memory Allocator: Owning Firefox's Heap](https://media.blackhat.com/bh-us-12/Briefings/Argyoudis/BH_US_12_Argyroudis_Exploiting_the_%20jemalloc_Memory_%20Allocator_WP.pdf)