Use after free
Use-After-Free (UAF) is a vulnerability related to incorrect use of dynamic memory. If after freeing a memory location, the program does not clear the pointer to that memory, an attacker can still use this pointer with possibly arbitrary values.
How it works ?
As explained here, when a chunk is freed, it's stored into a bins ( fastbins for shorter chunks, unsorted bins for the others. ) and when the program need a new chunck, it will take if from that bins first depending on the required size.
Then, if the size is compliant, the allocated bin is the same than the previously freed chunk.
So, the new pointer has the exact same value as the old pointer and then, if the old pointer isn't clear, it will point with this new value.
This behavior can easily be highlight by the followed code :
Note : pointer_2
was assigned as the same chunk as pointer_1
because the pointer_1
chunk was freed before the pointer_2
chunk allocation
Unless pointer_1
was freed, its value still accessible but it point to the new data declared by pointer_2
Resources
Last updated