Add techniques found by ArcHeap

[insuyun]

Hi, all.

I would like to introduce my recent work, ArcHeap: https://arxiv.org/pdf/1903.00503.pdf
and also found techniques by this one.

I already reported unsorted_bin_into_stack, and this repo contains other techniques (all tested in libc 2.23 from Ubuntu 16.04, but I think it will work until 2.25 before tcache).

We determine the uniqueness of the techniques in two aspects: a root cause and a capability.

New	Old	Root causes	New capability
House of unsorted bin	House of Einherjar	Unsorted vs. Free	Does not require a heap address
Unaligned Double Free	Fast bin dup	Small vs. Fast	Can abuse a small bin
Overlapping chunk with small bin	Overlapping chunk	Small vs. Unsorted	Does not need a controllable size allocation
Fast bin into other bin	Fast bin dup into stack	Consolidation vs. Fast	Can allocate a non-fast chunk

Let me know if you have a technique to add to this repo. Then I will make a pull request. Thank you.

[k4lizen]

I think the house of unsorted einherjar doesn't work conceptually anymore because of this check:
https://elixir.bootlin.com/glibc/glibc-2.40.9000/source/malloc/malloc.c#L4694

  /* Consolidate backward.  */
  if (!prev_inuse(p))
    {
      INTERNAL_SIZE_T prevsize = prev_size (p);
      size += prevsize;
      p = chunk_at_offset(p, -((long) prevsize));
      if (__glibc_unlikely (chunksize(p) != prevsize)) // <- kills it
        malloc_printerr ("corrupted size vs. prev_size while consolidating");
      unlink_chunk (av, p);
    }

regardless of the tcache. From what I can see the check was added in commit d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f so glibc version 2.28 ~ 2.29 .