heap chunks doesn't list chunks in a non-main arena

[irontigran]

• Did you use the latest version of GEF from dev branch?
• Is your bug specific to GEF (not GDB)? - Try to reproduce it running gdb -nx
• Did you read the documentation first?
• Did you check issues (including
  the closed ones) - and the PR?

Step 1: Describe your environment

• Operating System / Distribution: Fedora 31
• Architecture: x86-64
• GEF version (including the Python library version) run version in GEF.

GEF: rev:169e6e6dad57fe1325b1cabafbaf405cd5705cb7 (Git - clean)
SHA1(~/gef/gef.py): cd2793e58829c5b047204f8b73cb53d2c8835015
GDB: Fedora 8.3.50.20190824-30.fc31
GDB-Python: 3.7

Step 2: Describe your problem

The heap chunks command does not list chunks in non-main arenas, even after switching arenas with the heap set-arena command. This looks like the same issue as #422, but it looks to still be a problem, and I thought it could use a more careful description.

Steps to reproduce

From the project root directory:

1. make testbins
2. gdb -ex 'run' /tmp/heap-non-main.out
3. List the available arenas with heap arenas
4. Set the current arena to the non-main arena with heap set-arena
5. Print the address of p2 with p p2
6. Run heap chunks and note that it only prints chunks from the main arena - p2 is not among them. (See the screenshot below)

Minimalist test case

heap-non-main.c, from the standard test cases, is a good minimal test case.

// compile using make, or gcc -Wall -DDEBUG=1 -ggdb -O0 -pthread -o /tmp/heap-non-main.out heap-non-main.c
#include <stdlib.h>
#include <string.h>
#include <pthread.h>

void *thread()
{
        void* p1 = malloc(0x18);
        void* p2 = malloc(0x18);
        free(p1);
        __builtin_trap();
        (void)p2;

        return NULL;
}

int main(int argc, char** argv, char** envp)
{
        void* p1 = malloc(0x10);

        pthread_t thread1;
        pthread_create(&thread1, NULL, thread, NULL);
        pthread_join(thread1, NULL);

        (void)p1;
        return EXIT_SUCCESS;
}

Observed Results

gef's heap chunks command only prints the chunks in the main arena.

Expected results

heap chunks should print the chunks in a non-main arena if that arena has been set to be the current arena using heap set-arena.

Traces

[theguy147]

yes, you're right!

the heap chunks internally always uses main_arena and starts looking at chunks from the start of the heap_section:

gef/gef.py

Line 6706 in 169e6e6

arena = get_main_arena()

gef/gef.py

Line 6712 in 169e6e6

current_chunk = GlibcChunk(heap_section, from_base=True, allow_unaligned=args.allow_unaligned)

Here options should be added to allow usage with non-main-arenas.

Furthermore MallocStateStruct currently only allows to be used with symbols because it unconditionally prepends a "&" sign to the address passed:

gef/gef.py

Line 638 in 169e6e6

self.__addr = to_unsigned_long(gdb.parse_and_eval("&{}".format(addr)))

I will create a PR later today or tomorrow after some more testing.

[theguy147]

@irontigran I have opened a PR (#709) for this issue but it is still missing some tests that should/will be added later. If you want you can test it in the meantime and report back if it solves this issue for you.