Double Frees in Chrome's Partition Alloc - part 2

Dr Silvio Cesare


PartitionAlloc is the hardened heap allocator used in Google's Chrome web browser. It is susceptible to a number of attacks. This blog post describes the second attack in a series of posts. I will talk about double frees and how to make an allocation request return an arbitrary pointer. Combined with application logic, this can be used to develop an arbitrary write primitive.


In heap allocators, freelists maintain a group of free memory chunks that are available to be recycled by an allocation request. Freelist poisoning corrupts this list and injects a "fake chunk" pointer. A later allocation will return this fake chunk pointer. So it is possible to make an allocation request return an arbitrary pointer.

A double free often creates a cycle in the freelist. Once such a cycle exists, a chunk returned by an allocation request still remains in the freelist. Thus, if an attacker writes to that chunk, it is a use-after-free and akin to freelist poisoning.

PartitionAlloc Double Frees

PartitionAlloc, like many other allocators, has a trivial mitigation against double frees. It simply compares the last freed pointer against the pointer currently being freed. Here is an example of a trivial double free.

And let's see the mitigation in effect, which triggers a SIGILL:

A simple method to defeat this trivial mitigation is to interleave the free of another pointer between the two frees of the same pointer. This creates a cycle in the underlying freelist, and subsequent allocations will reflect this cycle.

And we can see the freelist cycle produces an infinite number of identical allocations reflecting the cycle that was created.
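The following toy model is an added illustration for this post; it is not the post's own code and not PartitionAlloc's. It models one bucket of fixed-size slots on a LIFO singly-linked freelist, with the "next" link stored inside each free slot, and implements the head-only comparison just described. It shows that the check catches free(a); free(a) but not free(a); free(b); free(a), which leaves a cycle and makes allocations alternate a, b, a, ... as above. From the defender's side it also shows a per-slot free/in-use bit that rejects the interleaved case, and a bounded freelist walk (Floyd's cycle detection) that flags a cycle once it exists. All names here (toy_bucket, bucket_alloc, bucket_free_head_check, and so on) are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy bucket: fixed-size slots threaded on a LIFO freelist whose "next" pointer
 * lives in the free slot itself. Constructed for illustration only. */
#define SLOT_SIZE 32
#define NUM_SLOTS 8

typedef struct {
    uint8_t slots[NUM_SLOTS][SLOT_SIZE]; /* backing memory for the bucket */
    void *head;                          /* freelist head: most recently freed slot */
    bool is_free[NUM_SLOTS];             /* defender-side per-slot state bit */
} toy_bucket;

enum free_result { FREE_OK, FREE_REJECTED_HEAD_CHECK, FREE_REJECTED_STATE_CHECK };

static void bucket_init(toy_bucket *b) {
    memset(b, 0, sizeof *b);
    for (int i = 0; i < NUM_SLOTS; i++) {   /* thread slot i -> slot i+1 -> ... -> NULL */
        void *next = (i + 1 < NUM_SLOTS) ? (void *)b->slots[i + 1] : NULL;
        memcpy(b->slots[i], &next, sizeof next);
        b->is_free[i] = true;
    }
    b->head = b->slots[0];
}

static int slot_index(const toy_bucket *b, const void *p) {
    ptrdiff_t off = (const uint8_t *)p - (const uint8_t *)b->slots;
    if (off < 0 || off >= (ptrdiff_t)sizeof b->slots || off % SLOT_SIZE != 0) return -1;
    return (int)(off / SLOT_SIZE);
}

/* Pop the freelist head. The popped slot's own "next" link stays in memory, which is
 * why a slot that is linked twice stays reachable by later allocations. */
static void *bucket_alloc(toy_bucket *b) {
    void *p = b->head;
    if (p == NULL) return NULL;
    memcpy(&b->head, p, sizeof b->head);
    int i = slot_index(b, p);
    if (i >= 0) b->is_free[i] = false;
    return p;
}

/* The trivial mitigation: compare only against the most recently freed pointer. */
static enum free_result bucket_free_head_check(toy_bucket *b, void *p) {
    if (p == b->head) return FREE_REJECTED_HEAD_CHECK;
    memcpy(p, &b->head, sizeof b->head);   /* p->next = old head */
    b->head = p;
    return FREE_OK;
}

/* Stronger, state-based check: a second free of a slot that is already free is
 * rejected regardless of how many other frees sit in between. */
static enum free_result bucket_free_state_check(toy_bucket *b, void *p) {
    int i = slot_index(b, p);
    if (i < 0 || b->is_free[i]) return FREE_REJECTED_STATE_CHECK;
    b->is_free[i] = true;
    memcpy(p, &b->head, sizeof b->head);
    b->head = p;
    return FREE_OK;
}

/* Floyd's tortoise-and-hare walk over the freelist: true if the list loops. */
static bool freelist_has_cycle(const toy_bucket *b) {
    const void *slow = b->head, *fast = b->head;
    while (fast != NULL) {
        memcpy(&fast, fast, sizeof fast);
        if (fast == NULL) return false;
        memcpy(&fast, fast, sizeof fast);
        memcpy(&slow, slow, sizeof slow);
        if (fast != NULL && fast == slow) return true;
    }
    return false;
}

/* free(a); free(a): caught by the head check. Returns 1 when that is observed. */
static int scenario_direct_double_free_caught(void) {
    toy_bucket b; bucket_init(&b);
    void *a = bucket_alloc(&b);
    return bucket_free_head_check(&b, a) == FREE_OK &&
           bucket_free_head_check(&b, a) == FREE_REJECTED_HEAD_CHECK;
}

/* free(a); free(c); free(a): passes the head check, leaves a cycle, and allocations
 * then alternate a, c, a, ... Returns 1 when that is observed. */
static int scenario_interleaved_double_free_bypasses_head_check(void) {
    toy_bucket b; bucket_init(&b);
    void *a = bucket_alloc(&b), *c = bucket_alloc(&b);
    if (bucket_free_head_check(&b, a) != FREE_OK) return 0;
    if (bucket_free_head_check(&b, c) != FREE_OK) return 0;
    if (bucket_free_head_check(&b, a) != FREE_OK) return 0;   /* not detected */
    if (!freelist_has_cycle(&b)) return 0;
    return bucket_alloc(&b) == a && bucket_alloc(&b) == c && bucket_alloc(&b) == a;
}

/* The same interleaved sequence against the state-based check: rejected, no cycle. */
static int scenario_state_check_catches_interleaved(void) {
    toy_bucket b; bucket_init(&b);
    void *a = bucket_alloc(&b), *c = bucket_alloc(&b);
    bucket_free_state_check(&b, a);
    bucket_free_state_check(&b, c);
    return bucket_free_state_check(&b, a) == FREE_REJECTED_STATE_CHECK && !freelist_has_cycle(&b);
}

int main(void) {
    printf("direct double free caught by head check:       %d\n", scenario_direct_double_free_caught());
    printf("interleaved double free bypasses head check:   %d\n", scenario_interleaved_double_free_bypasses_head_check());
    printf("interleaved double free caught by state check: %d\n", scenario_state_check_catches_interleaved());
    return 0;
}
```

The head-only comparison is a single pointer compare on the free path, which is why allocators favour it; the per-slot state bit costs memory and a bounds check per free, and the full freelist walk is a debugging or fuzzing-time check rather than something to run on every free. Real PartitionAlloc has more structure than this model (thread caches, multiple slot spans, encoded freelist pointers), so treat it as a model of the check the post describes, not of the allocator.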

The important thing to note is that when one of those chunks is allocated, it still remains on the freelist. Thus, if we overwrite the data in a chunk, it's effectively the same as a use-after-free. Therefore, we can employ freelist poisoning. Let's do that:

Let's run our complete exploit:

We can see we made PartitionAlloc return an arbitrary pointer. The application logic then let us write to that pointer, and we set the foo variable to our desired value.


In this blog post, I demonstrated the classic double free poisoning attack against PartitionAlloc. This allocator has a number of mitigations and hardening strategies. However, attacks still exist. In future blog posts I will talk about other attacks against this allocator.

