
I'm trying to understand how, in glibc 2.3.5, the arena_get function (called by public_mALLOc) will return the arena_key in the House of Prime exploit, where arena_key is first overwritten with the address of a chunk.

Read it here: The Malloc Maleficarum

Since the arena_key has been overwritten with a non-zero quantity it can be safely assumed that arena_get() will not try to create a new arena. In the public_mALLOc() wrapper this has the effect of setting ar_ptr to the new value of arena_key, the address of the designer's second chunk.

    #define arena_get(ptr, size) do { \
      Void_t *vptr = NULL; \
      ptr = (mstate)tsd_getspecific(arena_key, vptr); \
      if(ptr && !mutex_trylock(&ptr->mutex)) { \
        THREAD_STAT(++(ptr->stat_lock_direct)); \
      } else \
        ptr = arena_get2(ptr, (size)); \
    } while(0)

According to the macro implementation, I thought it must be tsd_getspecific that implements this behaviour, but I got lost there.
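The following is an added worked example, not part of the question above or of the Malloc Maleficarum. It models the mechanism being asked about: in the glibc 2.3.5 build configuration where tsd_key_t is a plain pointer (the USE_TLS / non-pthread case in thread-m.h, which is an assumption made here for the model), tsd_getspecific(arena_key, vptr) expands to nothing more than vptr = arena_key, so arena_key itself holds the current arena pointer. Overwriting that global with the address of a chunk whose first word (the would-be mutex) is zero makes arena_get hand that chunk back as the mstate. The struct malloc_state layout, the mutex_trylock fallback and arena_get2 are all simplified stand-ins, not glibc's real definitions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of thread-m.h in the pointer-keyed configuration (assumption for
 * this example): the "key" is the value, so tsd_getspecific is an
 * assignment from the global arena_key. */
typedef void *tsd_key_t;
#define tsd_getspecific(key, vptr) ((vptr) = (key))

/* Non-pthread mutex fallback: trylock returns 0 on success, sets the word. */
typedef int mutex_t;
#define mutex_trylock(m) (*(m) ? 1 : (*(m) = 1, 0))
#define mutex_unlock(m)  (*(m) = 0)

/* Minimal stand-in for struct malloc_state: only the fields touched here.
 * The real structure is much larger; what matters for the model is that
 * the mutex is the first word. */
typedef struct malloc_state {
    mutex_t mutex;
    int flags;
    void *fastbins[10];
} *mstate;

static struct malloc_state main_arena;
static tsd_key_t arena_key = &main_arena;   /* normally points at main_arena */

/* Stand-in for arena_get2: in this model it just reports failure.  The real
 * function would look for or create another arena. */
static mstate arena_get2(mstate a_tsd, size_t sz) {
    (void)a_tsd; (void)sz;
    return NULL;
}

/* Same control flow as the macro quoted in the question, minus the
 * THREAD_STAT bookkeeping. */
#define arena_get(ptr, size) do {                          \
    void *vptr = NULL;                                     \
    ptr = (mstate)tsd_getspecific(arena_key, vptr);        \
    if (ptr && !mutex_trylock(&ptr->mutex)) {              \
        /* got the arena named by arena_key */             \
    } else                                                 \
        ptr = arena_get2(ptr, (size));                     \
} while (0)

/* Model of the public_mALLOc prologue/epilogue: select an arena, then
 * release its lock again so the function can be called repeatedly. */
mstate model_public_malloc(size_t bytes) {
    mstate ar_ptr;
    arena_get(ar_ptr, bytes);
    if (ar_ptr)
        mutex_unlock(&ar_ptr->mutex);
    return ar_ptr;
}

/* The "designer's second chunk": constructed attacker-controlled memory.
 * Its first word is zero, so mutex_trylock on it succeeds. */
static unsigned char attacker_chunk[sizeof(struct malloc_state)];

/* The write the House of Prime achieves: arena_key <- chunk address. */
void overwrite_arena_key(void *chunk) {
    arena_key = chunk;
}

/* Convenience accessors for checking the model's state. */
void *current_arena_key(void) { return arena_key; }
mstate main_arena_ptr(void)   { return &main_arena; }
unsigned char *attacker_chunk_ptr(void) { return attacker_chunk; }

int main(void) {
    printf("before: ar_ptr == &main_arena ? %d\n",
           model_public_malloc(32) == &main_arena);
    overwrite_arena_key(attacker_chunk);
    printf("after:  ar_ptr == attacker_chunk ? %d\n",
           (unsigned char *)model_public_malloc(32) == attacker_chunk);
    return 0;
}
```

The point the model makes: arena_get never dereferences arena_key as a thread-specific-data handle in this configuration; the global is the pointer, so whatever value the overflow leaves there is what public_mALLOc uses as ar_ptr, provided the word at that address passes mutex_trylock.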
