House of Force

原理：

House of Force是通过修改top chunk的size从而通过分配内存达到任意地址写的目的。先看看glibc的源码：

      victim = av->top;   //取出top_chunk的地址
      size = chunksize (victim); //计算top_chunk的size

      if ((unsigned long) (size) >= (unsigned long) (nb + MINSIZE)) //此处nb为想要申请分配的堆的大小
        {
          remainder_size = size - nb;
          remainder = chunk_at_offset (victim, nb);  //获取分割后的top_chunk的地址
          av->top = remainder;
          set_head (victim, nb | PREV_INUSE |
                    (av != &main_arena ? NON_MAIN_ARENA : 0));
          set_head (remainder, remainder_size | PREV_INUSE);

          check_malloced_chunk (av, victim, nb);
          void *p = chunk2mem (victim);
          alloc_perturb (p, bytes);
          return p;
        }