Security Memo

Search (Ctrl+K)

SearchSearch

Recent Notes

See 1423 more sorted by tag →

chunk

created May 27, 2024updated May 29, 20242 min read

In glibc’s heap, a chunk represents a single memory allocation and is the smallest unit of organization in the heap. malloc_chunk is the internal data structure that represents a chunk. Note that not all members are used/present in both free & allocated chunks; see diagrams for details. If you’re interested in a detailed explanation, check out the comments in malloc.c.

malloc.c
struct malloc_chunk {
  INTERNAL_SIZE_T      mchunk_prev_size;  /* Size of previous chunk, if it is free. */
  INTERNAL_SIZE_T      mchunk_size;       /* Size in bytes, including overhead. */
  struct malloc_chunk* fd;                /* double links -- used only if this chunk is free. */
  struct malloc_chunk* bk;
  /* Only used for large blocks: pointer to next larger size.  */
  struct malloc_chunk* fd_nextsize; /* double links -- used only if this chunk is free. */
  struct malloc_chunk* bk_nextsize;
};
 
typedef struct malloc_chunk* mchunkptr;

Each chunk has three flags stored in the 3 least significant bits (which would otherwise be unused because chunks are at least double-word/8-byte aligned) of mchunk_size in the order below.

  • A: NON_MAIN_ARENA bit, which is clear for chunks in the main arena and set for chunks allocated by other threads, which use their own arenas. When the bit is set, heap_for_ptr can determine the non-main arena that contains this chunk.
  • M: IS_MMAPPED bit, which is used to tell if a chunk was large enough (size >= MMAP_THRESHOLD) to have been allocated through mmap. If the bit is set, the other two bits are ignored, because mmapped chunks are allocated independent of the heap region and are freed via munmap internally.
  • P: PREV_INUSE bit tracks if the previous chunk is in use. We only get access to the previous chunk size if it is unused. Trying to determine the size of the previous chunk when P is set might even cause a segmentation fault because the first chunk also has this bit set (i.e., there’s no heap memory before this chunk). This is used during consolidation, e.g., during forward consolidation for a newly freed chunk, the heap manager wants to see if the next chunk is also free (so that it could merge the two), so it looks the PREV_INUSE bit at the third chunk down the linked list.

Graph View

Sources

Backlinks