Linux Heap Calloc Exploitation

In this paper, I introduce the reader to a heap metadata corruption against a recent version of the Linux Heap allocator before the introduction of the tcache. Normally, calloc will allocate data and zero out the memory before returning a pointer to it. An attacker that can overflow from one chunk into a free chunk can force calloc to return uninitialised data. This information leak could be utilised to defeat ASLR or expose sensitive information.


Linux Heap Calloc Exploitation.PDF 

Popular posts from this blog

Pointer Compression in V8

C++ Memory Corruption (std::string) - part 4

C++ Memory Corruption (std::vector) - part 2