Attacks on the TCMalloc Heap Allocator

Introduction

TCMalloc is a well-known heap allocator written by Google. A number of attacks against tcmalloc are possible. A good presentation on the tcmalloc heap was given at Infiltrate in 2011: https://downloads.immunityinc.com/infiltrate-archives/webkit_heap.pdf

In this blog post, I'll give examples of three attacks, some of which are not well known.

Freelist Poisoning

In the following code, we make tc_malloc return an arbitrary pointer. This is another variant of freelist poisoning, which I have discussed at length before. For the details of freelist poisoning on other allocators, see:

https://blog.infosectcbr.com.au/2019/07/linux-heap-tcache-poisoning.html
https://blog.infosectcbr.com.au/2019/09/linux-heap-fast-bin-poisoning-part-1.html
https://blog.infosectcbr.com.au/2019/09/linux-heap-fast-bin-poisoning-part-2.html
https://blog.infosectcbr.com.au/2019/11/avr-libc-freelist-poisoning.html


Double Free

In the following attack, which exploits a double free in tcmalloc, we convert the double free into freelist poisoning and are thus able to obtain an arbitrary write primitive. I've described this attack before on other allocators, for example:

https://blog.infosectcbr.com.au/2019/07/linux-heap-glibc-227-double-free.html
https://blog.infosectcbr.com.au/2019/08/linux-heap-fast-bin-double-free.html
https://blog.infosectcbr.com.au/2019/09/linux-heap-glibc-tcache-double-free.html


The code above takes advantage of the cycle that the double free forms in the freelist. A malloc then returns a buffer that is still at the head of the freelist, so freelist poisoning can be performed through the allocated buffer.

Overlapping Chunks

The final attack we'll look at in tcmalloc creates overlapping chunks via a free of an arbitrary pointer. This attack is different from the House of Spirit. Since tcmalloc is a bucket-style allocator, a freed pointer has to belong to a bucket. TCMalloc doesn't check that the pointer is aligned to that bucket's object size before putting it on the freelist. Thus, a non-aligned object pointer sits in the freelist and is returned by a later allocation of the appropriate object size. The pointer is unaligned but still services the full object size, and thus overlaps the adjacent chunk.
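A toy model of one bucket's freelist with the checks that close off the three conditions discussed above (a corrupted next pointer in a freed object, a second free of the same object, and an unaligned pointer freed into a bucket). This is an added example written for this post, not tcmalloc's code; OBJ_SIZE, the span layout and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy model of one tcmalloc-style size-class bucket: a span of OBJ_SIZE objects
 * and a singly-linked freelist whose next pointer is kept in the free object's
 * body. Sizes and names are assumptions for this example, not tcmalloc's code. */
#define OBJ_SIZE 32
#define NUM_OBJS 8
static uint8_t span[OBJ_SIZE * NUM_OBJS];
static void *freelist;
typedef enum { FREE_OK, FREE_OUT_OF_SPAN, FREE_UNALIGNED, FREE_DOUBLE } free_result;
static bool in_span(const void *p) {
    return (uintptr_t)p >= (uintptr_t)span && (uintptr_t)p < (uintptr_t)span + sizeof span;
}
/* A pointer names an object of this bucket only if it is inside the span and on
 * an OBJ_SIZE boundary; an unaligned one would overlap a neighbouring object. */
static bool valid_object(const void *p) {
    return in_span(p) && ((uintptr_t)p - (uintptr_t)span) % OBJ_SIZE == 0;
}

static void bucket_init(void) {
    freelist = NULL;
    for (int i = NUM_OBJS - 1; i >= 0; i--) { /* push so object 0 ends up at the head */
        void *obj = span + (size_t)i * OBJ_SIZE;
        memcpy(obj, &freelist, sizeof freelist);
        freelist = obj;
    }
}
/* Pop the head. The next pointer is read from the freed object's body, which a
 * use-after-free write could have corrupted, so it is validated before use. */
static void *bucket_alloc(void) {
    void *obj = freelist, *next;
    if (!obj) return NULL;
    memcpy(&next, obj, sizeof next);
    if (next && !valid_object(next)) return NULL; /* poisoned freelist: refuse to serve it */
    freelist = next;
    return obj;
}
/* Hardened free: reject out-of-span and unaligned pointers, then walk the list
 * (O(n), acceptable for a model) so a second free cannot form a cycle. */
static free_result bucket_free_checked(void *p) {
    if (!in_span(p)) return FREE_OUT_OF_SPAN;
    if (!valid_object(p)) return FREE_UNALIGNED;
    for (void *q = freelist; q && valid_object(q); memcpy(&q, q, sizeof q))
        if (q == p) return FREE_DOUBLE;
    memcpy(p, &freelist, sizeof freelist);
    freelist = p;
    return FREE_OK;
}
```

The walk in `bucket_free_checked` is what a real allocator would replace with a cheaper per-object free bit; the alignment and range checks are the ones the overlapping-chunk and poisoning cases above rely on being absent.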

Conclusion

In this blog post, I gave examples of three attacks against tcmalloc. These attacks can lead to a variety of exploitation primitives, such as arbitrary writes to memory and overlapping chunks. They serve as useful tools in the exploit developer's toolkit.

If you are interested in exploitation, consider InfoSect's 2-, 3- and 5-day training on Heap Exploitation: https://www.eventbrite.com.au/e/linux-heap-exploitation-tickets-48997946176