by scarybeast 3322 days ago
Yeah, good question.

The lower bits of ->size are actually masked off when considering a chunk's size, because they are flags:

    #define SIZE_BITS (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

    /* Get size, ignoring use bits */
    #define chunksize(p) ((p)->size & ~(SIZE_BITS))

So you really can't increase the size by less than 8. However, I know what you're now thinking: an attacker with a 1-byte overflow can mess with the flags! That would be a topic for another blog post, but I'm not aware of any techniques where messing with the flags would permit a clean ASLR bypass.


Ah, good point.

From: https://sploitfun.wordpress.com/2015/02/10/understanding-gli...

    Last 3 bits of this field contains flag information.

        PREV_INUSE (P) – This bit is set when previous chunk is allocated.
        IS_MMAPPED (M) – This bit is set when chunk is mmap’d.
        NON_MAIN_ARENA (N) – This bit is set when this chunk belongs to a thread arena.
It certainly doesn't look like those could be used against ASLR.