
Untitled

a guest
Jan 22nd, 2018
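#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
    PoC on tcache's internals regarding fast chunks (0x20 - 0x80).

    Assumes a glibc malloc built with tcache (2.26 or later) and the default
    limit of 7 cached chunks per size class; other allocators or tunables
    will show a different reuse order.
    NOTE(review): a 0x20-byte request is normally a 0x30-byte chunk on
    64-bit glibc, so "size 0x20" below refers to the request size.
*/

enum {
    REQUEST_SIZE  = 0x20,                         /* bytes asked of malloc() */
    TCACHE_SLOTS  = 7,                            /* frees absorbed by the tcache bin */
    FASTBIN_EXTRA = 4,                            /* further frees, expected in the fastbin */
    FIRST_ROUND   = TCACHE_SLOTS + FASTBIN_EXTRA, /* chunks a..k */
    SECOND_ROUND  = TCACHE_SLOTS + 1              /* drain the tcache, then one more */
};

/* Free the first `count` pointers of `slots`, in order, and clear them. */
static void release(void **slots, size_t count) {
    for (size_t n = 0; n < count; n++) {
        free(slots[n]);
        slots[n] = NULL;
    }
}

/*
    Allocates 11 equally sized chunks, frees them, allocates 8 again and
    prints both sets of addresses so the reuse order can be read off.
    Returns 0 on success, EXIT_FAILURE if malloc() fails.
*/
int main(void) {
    void *chunk[FIRST_ROUND] = {0};
    void *reuse[SECOND_ROUND] = {0};
    /*
        Addresses are recorded as integers before the frees: a pointer value
        is indeterminate once its object has been freed, and keeping the
        results in use also stops the compiler from discarding the calls.
    */
    uintptr_t addr[FIRST_ROUND] = {0};

    for (size_t n = 0; n < FIRST_ROUND; n++) {
        chunk[n] = malloc(REQUEST_SIZE);
        if (chunk[n] == NULL) {
            perror("malloc");
            release(chunk, n);
            return EXIT_FAILURE;
        }
        addr[n] = (uintptr_t)chunk[n];
    }

    /* Fill in the tcache for size 0x20 (chunks a..g). */
    release(chunk, TCACHE_SLOTS);
    /* Place the rest (chunks h..k) in the corresponding fastbin list. */
    release(chunk + TCACHE_SLOTS, FASTBIN_EXTRA);

    /*
        The first 7 requests are served from tcache->entries[idx], most
        recently freed first (g, f, ..., a).
        The 8th request finds the tcache bin empty and is served from the
        fastbin head (k, the last chunk freed). While handling it, glibc
        moves the chunks still in that fastbin (j, i, h) into
        tcache->entries[idx]; they are not handed out here.
    */
    for (size_t n = 0; n < SECOND_ROUND; n++) {
        reuse[n] = malloc(REQUEST_SIZE);
        if (reuse[n] == NULL) {
            perror("malloc");
            release(reuse, n);
            return EXIT_FAILURE;
        }
    }

    /* Printing happens only after every allocation under study is done. */
    for (size_t n = 0; n < FIRST_ROUND; n++) {
        printf("first  %c = %#llx\n", (char)('a' + (int)n),
               (unsigned long long)addr[n]);
    }
    for (size_t n = 0; n < SECOND_ROUND; n++) {
        printf("second %zu = %#llx\n", n + 1,
               (unsigned long long)(uintptr_t)reuse[n]);
    }

    /* Give back the second-round chunks; h, i and j are already free. */
    release(reuse, SECOND_ROUND);

    puts("Done!");

    return 0;
}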