Linux Heap glibc TCache Double Free Mitigation Bypass



In this paper, I introduce the reader to a heap metadata corruption against the latest Linux Heap Allocator, ptmalloc. This attack performs a double free in the presence of the tcache double free mitigation. It does this by corrupting the freed chunk before the 2nd free is called. This allows a cycle to be created in the tcache and can give primitives such as making malloc returning the same memory more than once, or making malloc return an arbitrary pointer.

Linux Heap glibc TCache Double Free Mitigation Bypass.PDF

Popular posts from this blog

Empowering Women in Cybersecurity: InfoSect's 2024 Training Initiative

C++ Memory Corruption (std::string) - part 4

C++ Memory Corruption (std::vector) - part 2