Types of heap bugs and vulnerabilities (source):
- use-after-free (UAF) vulnerabilities are caused by using a pointer after calling
free()
on it, e.g., a freed chunk is reallocated and contains user-controlled data which could misdirect the function that uses the freed pointer. - Information leaks can result from using uninitialized heap data (e.g., reading data from a prior user of the chunk). Sometimes accidental omission of null terminators (or overwriting thereof) could also leak heap data when the string is printed.
- double free vulnerabilities occur when the same pointer is freed twice, which is only mitigated to an extent since glibc only detects recent
free()
’s using tcache, which is a thread-local cache that tracks recently free’d chunks (source). - heap overflow can result from reading/writing after allocation boundaries.
- heap underflow can result from reading/writing before allocation boundaries.
- invalid free occurs when
free
ing a pointer not allocated bymalloc
. Note thatfree(NULL)
is a no-op and does not cause invalid free. - Arbitrary write vulnerabilities can sometimes result from using a
malloc
’ed pointer before checking if it’sNULL
.