any bin and top chunk does not have enough size to service the request, malloc relies on sysmalloc • If the requested size is >= mmap_threshold, sysmalloc obtains memory using mmap. • If the requested size is < mmap_threshold, sysmalloc extends top chunk using sbrk. [Code]
inserted in fastbin 2. Keep ‘big’ -> malloc_consolidate forces fast chunk to merge with top chunk, hence, same chunk is returned. Now small and big secrets point to the same chunk. 3. Wipe ‘small’ -> Frees the big chunk 4. Keep ‘small’ -> Again the same chunk is returned. But now, the top chunk starts from somewhere within the ‘big’ chunk. 5. Keep ‘huge’, free ‘huge’, keep ‘huge’ -> This trick forces the huge chunk be carved out of the top chunk.
fd pointing to ‘small_secret - 3’ and bk pointing to ‘small_secret - 2’. • Adjust previous size and zero out PREV_IN_USE bit of ‘huge_secret’. • Free ‘huge_secret’ • ‘small_secret’ now points to a few bytes before ‘big_secret’ -> Arbitrary write