Double Free
Fastbin Duplication Example
By using a double free you can make malloc return the same pointer twice. Writes to the data of one object then affect the other object that shares the chunk.
Example:
```c
#include <stdlib.h>

int main(void) {
    char *a, *b, *c, *d, *e, *f;

    a = malloc(10); // 0xa04010
    b = malloc(10); // 0xa04030
    c = malloc(10); // 0xa04050
    free(a);
    // head -> a -> tail
    free(b); // glibc only checks that the chunk being freed is not already at the
             // head of the fastbin; freeing a different chunk first moves 'a' off the head.
    // head -> b -> a -> tail
    free(a); // Double Free !!
    // head -> a -> b -> a -> tail
    d = malloc(10); // 0xa04010
    // head -> b -> a -> tail [ 'a' is returned ]
    e = malloc(10); // 0xa04030
    // head -> a -> tail [ 'b' is returned ]
    f = malloc(10); // 0xa04010 - Same as 'd' !
    // head -> tail [ 'a' is returned ]
    (void)c; (void)d; (void)e; (void)f;
    return 0;
}
```
FastBin Duplication Consolidation
By freeing a small fastbin chunk and then mallocing a huge chunk, the fastbin chunk is moved to the unsorted bin (the large request triggers fastbin consolidation).
The fastbin head no longer points at that chunk, so the same chunk can be freed again; after the second free the chunk sits in two places on the free lists at once (the unsorted bin and the fastbin).
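The two scenarios above (interleaved fastbin double free, and the consolidation variant) depend on the allocator's bookkeeping rather than on any particular binary, so the following added example models them with a small toy fastbin in C. It is not glibc code and not part of this page's original listing: the chunk pool, the `heap_t` structure, and the `toy_*` functions are constructed here; the only real detail borrowed from glibc is its "fasttop" rule (free() compares the chunk only against the current head of the bin, and aborts with the message `double free or corruption (fasttop)`). The model also shows why the check is weak, and what a full-list scan (a hypothetical hardened check, `strict_free`) would reject. Real glibc since 2.26 puts a tcache in front of the fastbins, and 2.29 and later add a tcache-level double-free key check, so the exact sequence on the page behaves differently there.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a glibc-style fastbin (constructed for this example, not glibc code).
 * A freed chunk's first word becomes its "fd" link; the bin is a LIFO singly linked list. */
#define NCHUNKS 8

typedef struct chunk {
    struct chunk *fd;     /* forward link while on a free list */
    long user_data[3];    /* payload while allocated */
} chunk_t;

typedef struct {
    chunk_t pool[NCHUNKS];       /* constructed "heap" of fixed-size chunks */
    int next_fresh;              /* next never-allocated chunk (stands in for the top chunk) */
    chunk_t *fastbin;            /* head of the fastbin */
    chunk_t *unsorted[NCHUNKS];  /* unsorted bin, modelled as an array */
    int n_unsorted;
    const char *last_error;
} heap_t;

static void heap_init(heap_t *h) { memset(h, 0, sizeof *h); }

/* malloc: pop the fastbin head, else take from the unsorted bin, else a fresh chunk. */
static chunk_t *toy_malloc(heap_t *h) {
    if (h->fastbin) { chunk_t *p = h->fastbin; h->fastbin = p->fd; return p; }
    if (h->n_unsorted) return h->unsorted[--h->n_unsorted];
    if (h->next_fresh < NCHUNKS) return &h->pool[h->next_fresh++];
    return NULL;
}

/* free with glibc's fasttop rule: only the current head of the bin is compared. */
static bool toy_free(heap_t *h, chunk_t *p) {
    if (h->fastbin == p) { h->last_error = "double free or corruption (fasttop)"; return false; }
    p->fd = h->fastbin;
    h->fastbin = p;
    return true;
}

/* A large request consolidates the fastbins: every fastbin chunk moves to the unsorted bin. */
static void toy_malloc_large(heap_t *h) {
    int guard = 0;                      /* the list may be cyclic after a double free */
    while (h->fastbin && guard++ < NCHUNKS) {
        chunk_t *p = h->fastbin;
        h->fastbin = p->fd;
        h->unsorted[h->n_unsorted++] = p;
    }
}

/* Hypothetical hardened check: is p already on any free list? (bounded walk) */
static bool is_free_anywhere(const heap_t *h, const chunk_t *p) {
    int guard = 0;
    for (const chunk_t *c = h->fastbin; c && guard++ < NCHUNKS; c = c->fd)
        if (c == p) return true;
    for (int i = 0; i < h->n_unsorted; i++)
        if (h->unsorted[i] == p) return true;
    return false;
}
static bool strict_free(heap_t *h, chunk_t *p) {
    if (is_free_anywhere(h, p)) { h->last_error = "double free (full scan)"; return false; }
    return toy_free(h, p);
}

/* Scenario 1: free(a), free(b), free(a) passes fasttop; a comes back from two mallocs. */
static bool scenario_fastbin_dup(void) {
    heap_t h; heap_init(&h);
    chunk_t *a = toy_malloc(&h), *b = toy_malloc(&h);
    (void)toy_malloc(&h);               /* c, never freed */
    bool ok = toy_free(&h, a) && toy_free(&h, b) && toy_free(&h, a);
    chunk_t *d = toy_malloc(&h), *e = toy_malloc(&h), *f = toy_malloc(&h);
    return ok && d == a && e == b && f == a;
}

/* Scenario 2: freeing a twice in a row is caught by the fasttop check. */
static bool scenario_immediate_caught(void) {
    heap_t h; heap_init(&h);
    chunk_t *a = toy_malloc(&h);
    return toy_free(&h, a) && !toy_free(&h, a)
        && strcmp(h.last_error, "double free or corruption (fasttop)") == 0;
}

/* Scenario 3: after consolidation the fastbin is empty, so a second free(a) passes
   fasttop and a ends up in both the unsorted bin and the fastbin. */
static bool scenario_consolidation(void) {
    heap_t h; heap_init(&h);
    chunk_t *a = toy_malloc(&h);
    toy_free(&h, a);
    toy_malloc_large(&h);
    bool second_free_ok = toy_free(&h, a);
    bool in_fastbin = (h.fastbin == a);
    bool in_unsorted = (h.n_unsorted == 1 && h.unsorted[0] == a);
    return second_free_ok && in_fastbin && in_unsorted;
}

/* Scenario 4: the full-list scan rejects both the interleaved and the consolidated double free. */
static bool scenario_strict_catches(void) {
    heap_t h; heap_init(&h);
    chunk_t *a = toy_malloc(&h), *b = toy_malloc(&h);
    strict_free(&h, a); strict_free(&h, b);
    bool interleaved_caught = !strict_free(&h, a);
    toy_malloc_large(&h);
    bool consolidated_caught = !strict_free(&h, a);
    return interleaved_caught && consolidated_caught;
}

int main(void) {
    printf("fastbin dup returns a twice : %d\n", scenario_fastbin_dup());
    printf("immediate double free caught: %d\n", scenario_immediate_caught());
    printf("consolidation bypass        : %d\n", scenario_consolidation());
    printf("full-scan check catches both: %d\n", scenario_strict_catches());
    return 0;
}
```

The point for a defender is visible in `toy_free`: the fasttop comparison costs one pointer compare and only ever sees the head, which is exactly why an interleaving free or a consolidation defeats it; the bounded full-list walk in `strict_free` is what an allocator would need to reject these, at a cost proportional to bin length.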