Diet LIBC Freelist Poisoning

In this paper, I introduce the reader to a heap metadata corruption against the latest version of diet libc. This allocator is used in embedded systems. In freelist poisoning, an attacker corrupts the chunk header of a free chunk. This chunk’s next pointer is modified to point to an arbitrary address. The allocator, in a subsequent malloc, will return this arbitrary pointer. In conjunction with program application logic, an arbitrary write may be achievable.

Diet LIBC Freelist Poisoning.PDF

Popular posts from this blog

C++ Memory Corruption (std::vector) - part 2

Pointer Compression in V8

Linux Kernel Stack Smashing