> For the complete documentation index, see [llms.txt](https://heap-exploitation.dhavalkapil.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://heap-exploitation.dhavalkapil.com/attacks/first_fit.md). # First Fit This technique describes the 'first-fit' behavior of glibc's allocator. Whenever any chunk (not a fast chunk) is freed, it ends up in the `unsorted` bin. Insertion happens at the `HEAD` of the list. On requesting new chunks (again, non fast chunks), initially unsorted bins will be looked up as small bins will be empty. This lookup is from the `TAIL` end of the list. If a single chunk is present in the unsorted bin, an exact check is not made and if the chunk's size >= the one requested, it is split into two and returned. This ensures first in first out behavior. Consider the sample code: ```c char *a = malloc(300); // 0x***010 char *b = malloc(250); // 0x***150 free(a); a = malloc(250); // 0x***010 ``` The state of unsorted bin progresses as: 1. 'a' freed. > head -> a -> tail 2. 'malloc' request. > head -> a2 -> tail \[ 'a1' is returned ] 'a' chunk is split into two chunks 'a1' and 'a2' as the requested size (250 bytes) is smaller than the size of the chunk 'a' (300 bytes). This corresponds to \[6. iii.] in `_int_malloc`. This is also true in the case of fast chunks. Instead of 'freeing' into `unsorted` bin, fast chunks end up in `fastbins`. As mentioned earlier, `fastbins` maintain a singly linked list and chunks are inserted and deleted from the `HEAD` end. This 'reverses' the order of chunks obtained. Consider the sample code: ```c char *a = malloc(20); // 0xe4b010 char *b = malloc(20); // 0xe4b030 char *c = malloc(20); // 0xe4b050 char *d = malloc(20); // 0xe4b070 free(a); free(b); free(c); free(d); a = malloc(20); // 0xe4b070 b = malloc(20); // 0xe4b050 c = malloc(20); // 0xe4b030 d = malloc(20); // 0xe4b010 ``` The state of the particular fastbin progresses as: 1. 'a' freed. > head -> a -> tail 2. 'b' freed. > head -> b -> a -> tail 3. 'c' freed. > head -> c -> b -> a -> tail 4. 'd' freed. > head -> d -> c -> b -> a -> tail 5. 'malloc' request. > head -> c -> b -> a -> tail \[ 'd' is returned ] 6. 'malloc' request. > head -> b -> a -> tail \[ 'c' is returned ] 7. 'malloc' request. > head -> a -> tail \[ 'b' is returned ] 8. 'malloc' request. > head -> tail \[ 'a' is returned ] The smaller size here (20 bytes) ensured that on freeing, chunks went into `fastbins` instead of the `unsorted` bin. ## Use after Free Vulnerability In the above examples, we see that, malloc *might* return chunks that were earlier used and freed. This makes using freed memory chunks vulnerable. Once a chunk has been freed, it **should** be assumed that the attacker can now control the data inside the chunk. That particular chunk should never be used again. Instead, always allocate a new chunk. See sample piece of vulnerable code: ```c char *ch = malloc(20); // Some operations // .. // .. free(ch); // Some operations // .. // .. // Attacker can control 'ch' // This is vulnerable code // Freed variables should not be used again if (*ch=='a') { // do this } ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://heap-exploitation.dhavalkapil.com/attacks/first_fit.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.