🛠️Double free

Arbitrary write

As explained here, free chunk contain the location of the next free chunk, the forward pointer. This mean that if chunk a points to chunk b, once chunk ais allocated, the next chunk of this size to be allocated will be the chunk b.

A double free attack attempt to control the forward pointer.

By overwriting the forward pointer with an arbitrary memory address, the next malloc() will allocate this arbitrary location.

The address must point to a valid chunk structure.

It must have a size attribute equal to the size of the bin used.

How it works ?

When a chunk is freed, it's pushed onto the bin

There is what happen when the same chunk was freed twice.

char *a = malloc(0x20);
free(a);
free(a);

In fact now there is a security that prevent double free as see here.

$ ./test
free(): double free detected in tcache 2
Aborted

What happens if a malloc() with the same size is called again ?

The chunk a is now both allocated and free at the same time.

It's mean that user data written into the chunk will be placed at the same place that the forward and backward pointers

A user can so write an arbitrary address that will be used as forward pointer and then the next malloc will allocate an arbitray chunk position and so give an arbitrary write !

PreviousChallenge example NextUnlink exploit

Last updated 1 year ago