fix incorrect address being printed in fastbin_dup_into_stack

dmur1 · dmur1 · commit 049c20582724 · 2025-04-10T19:07:47.000+01:00
note that the assert at the end of the file is correct so this is really just an issue with the address that is printed i've also increased the size of stack_var to match what is logically being used note that a patch was made in 0a3ba05 fixing this issue however the patch only fixed the issue for glibc_2.35 when it should have been applied to versions 2.33 -> 2.39
diff --git a/glibc_2.33/fastbin_dup_into_stack.c b/glibc_2.33/fastbin_dup_into_stack.c
@@ -20,9 +20,9 @@ int main()
 	}
 
 
-	unsigned long stack_var[2] __attribute__ ((aligned (0x10)));
+	unsigned long stack_var[4] __attribute__ ((aligned (0x10)));
 
-	fprintf(stderr, "The address we want calloc() to return is %p.\n", stack_var);
+	fprintf(stderr, "The address we want calloc() to return is %p.\n", stack_var + 2);
 
 	fprintf(stderr, "Allocating 3 buffers.\n");
 	int *a = calloc(1,8);
diff --git a/glibc_2.34/fastbin_dup_into_stack.c b/glibc_2.34/fastbin_dup_into_stack.c
@@ -20,9 +20,9 @@ int main()
 	}
 
 
-	unsigned long stack_var[2] __attribute__ ((aligned (0x10)));
+	unsigned long stack_var[4] __attribute__ ((aligned (0x10)));
 
-	fprintf(stderr, "The address we want calloc() to return is %p.\n", stack_var);
+	fprintf(stderr, "The address we want calloc() to return is %p.\n", stack_var + 2);
 
 	fprintf(stderr, "Allocating 3 buffers.\n");
 	int *a = calloc(1,8);
diff --git a/glibc_2.36/fastbin_dup_into_stack.c b/glibc_2.36/fastbin_dup_into_stack.c
@@ -20,9 +20,9 @@ int main()
 	}
 
 
-	unsigned long stack_var[2] __attribute__ ((aligned (0x10)));
+	unsigned long stack_var[4] __attribute__ ((aligned (0x10)));
 
-	fprintf(stderr, "The address we want calloc() to return is %p.\n", stack_var);
+	fprintf(stderr, "The address we want calloc() to return is %p.\n", stack_var + 2);
 
 	fprintf(stderr, "Allocating 3 buffers.\n");
 	int *a = calloc(1,8);
diff --git a/glibc_2.37/fastbin_dup_into_stack.c b/glibc_2.37/fastbin_dup_into_stack.c
@@ -20,9 +20,9 @@ int main()
 	}
 
 
-	unsigned long stack_var[2] __attribute__ ((aligned (0x10)));
+	unsigned long stack_var[4] __attribute__ ((aligned (0x10)));
 
-	fprintf(stderr, "The address we want calloc() to return is %p.\n", stack_var);
+	fprintf(stderr, "The address we want calloc() to return is %p.\n", stack_var + 2);
 
 	fprintf(stderr, "Allocating 3 buffers.\n");
 	int *a = calloc(1,8);
diff --git a/glibc_2.38/fastbin_dup_into_stack.c b/glibc_2.38/fastbin_dup_into_stack.c
@@ -20,9 +20,9 @@ int main()
 	}
 
 
-	unsigned long stack_var[2] __attribute__ ((aligned (0x10)));
+	unsigned long stack_var[4] __attribute__ ((aligned (0x10)));
 
-	fprintf(stderr, "The address we want calloc() to return is %p.\n", stack_var);
+	fprintf(stderr, "The address we want calloc() to return is %p.\n", stack_var + 2);
 
 	fprintf(stderr, "Allocating 3 buffers.\n");
 	int *a = calloc(1,8);
diff --git a/glibc_2.39/fastbin_dup_into_stack.c b/glibc_2.39/fastbin_dup_into_stack.c
@@ -20,9 +20,9 @@ int main()
 	}
 
 
-	unsigned long stack_var[2] __attribute__ ((aligned (0x10)));
+	unsigned long stack_var[4] __attribute__ ((aligned (0x10)));
 
-	fprintf(stderr, "The address we want calloc() to return is %p.\n", stack_var);
+	fprintf(stderr, "The address we want calloc() to return is %p.\n", stack_var + 2);
 
 	fprintf(stderr, "Allocating 3 buffers.\n");
 	int *a = calloc(1,8);

Original file line number	Diff line number	Diff line change
`@@ -20,9 +20,9 @@ int main()`
`20`	`20`	`}`
`21`	`21`
`22`	`22`
`23`		`- unsigned long stack_var[2] __attribute__ ((aligned (0x10)));`
	`23`	`+ unsigned long stack_var[4] __attribute__ ((aligned (0x10)));`
`24`	`24`
`25`		`- fprintf(stderr, "The address we want calloc() to return is %p.\n", stack_var);`
	`25`	`+ fprintf(stderr, "The address we want calloc() to return is %p.\n", stack_var + 2);`
`26`	`26`
`27`	`27`	`fprintf(stderr, "Allocating 3 buffers.\n");`
`28`	`28`	`int *a = calloc(1,8);`