Linux Heap TCache Free Chunk Information Disclosure


In this paper, I introduce the reader what is in a free tcache chunk. There are two pointers maintained in these free chunks that leak information about the address layout and internal allocator structures. This paper will discuss those leaks.

Linux Heap TCache Free Chunk Information Disclosure.PDF 

Comments

Post a comment

Popular posts from this blog

Heap Exploitation in Chrome's PartitionAlloc - part 1

Image
Dr Silvio Cesare
@silviocesare
Summary PartitionAlloc is the hardened heap allocator used in Google's Chrome web browser. It is susceptible to a number of attacks. This blog post describes the first attack in a series of posts. I will talk about freelist poisoning and how to make an allocation request return an arbitrary pointer. This can be used with application-logic to develop an arbitrary write primitive.
Introduction In heap allocators, freelists maintain a group of free memory chunks that are available to be recycled by an allocation request. Freelist poisoning corrupts this list and injects a "fake chunk" pointer. A later allocation will return this fake chunk pointer. So it is possible to make an allocation request return an arbitrary pointer.

I have blogged about freelist poisoning extensively. It is a common attack that many allocators are vulnerable to.

https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html
https://blog.infosectcbr.com.au/2…
Read more