Posted to dev@nuttx.apache.org by Ilya Grishchenko <gr...@ucsb.edu> on 2022/02/18 19:24:25 UTC

Double-free + Overlapping Chunks for mm_malloc

Good day,

I guess I found an interesting behavior when a chunk is double-freed (DF): afterwards mm_malloc goes in a loop(?):

Allocated 6 chunks: 0x562d7ef9a690 0x562d7ef9a6b0 0x562d7ef9a6d0 0x562d7ef9a6f0 0x562d7ef9a710 0x562d7ef9a730 
Free 2
Free 4
Free 2
Allocated 6 chunks: 0x562d7ef9a6d0 0x562d7ef9a710 0x562d7ef9a6d0 0x562d7ef9a710 0x562d7ef9a6d0 0x562d7ef9a710

Also, an overflow can be used to modify the size of an allocated chunk, then overlapping chunks (OC) are possible.

The sources and elf binaries are attached (nuttx_df_*, nuttx_oc_*).
One can also reproduce the attacks simply by executing the provided main method together with the current version of the heap library (xmalloc -> mm_malloc, xfree -> mm_free).

I guess currently fake-frees are taken care of, what I’d suggest as additional protections:
- heap cookies (to treat OC)
- checking for DF (inside free).

I would be happy to answer any questions / provide the details.
Thank you!

Bests,
Ilya
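The two behaviours described in the mail, and the two protections it suggests, replayed on a constructed toy allocator. This is an added example, not NuttX code and not the attached nuttx_df_*/nuttx_oc_* sources: the names (toy_init, toy_malloc, toy_free, toy_free_checked), the six 32-byte chunks, the {size, cookie} header and the fixed SECRET are all assumptions chosen to mirror the posted trace. A LIFO free list that keeps its link inside the freed chunk reproduces the "2, 4, 2, 4, 2, 4" loop after freeing the same chunk twice; walking the free list in free rejects the second free, and a per-chunk cookie bound to the size rejects a chunk whose size field was rewritten by an overflow from its neighbour.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy allocator, not NuttX's mm_malloc/mm_free: six fixed-size
 * chunks in a static arena, a LIFO singly linked free list whose link lives in
 * the payload of a free chunk, and a {size, cookie} header before every chunk.
 * NCHUNKS, PAYLOAD and SECRET are assumptions for illustration only. */

#define NCHUNKS 6
#define PAYLOAD 16
#define SECRET  ((uintptr_t)0x9e3779b97f4a7c15ULL) /* a real heap would randomise this at init */

struct hdr { size_t size; uintptr_t cookie; };
#define CHUNK (sizeof(struct hdr) + PAYLOAD)        /* 32 bytes, like the 0x20 stride in the trace */

static _Alignas(16) unsigned char arena[NCHUNKS * CHUNK];
static void *freelist;

static struct hdr *hdr_of(void *p) { return (struct hdr *)p - 1; }
static uintptr_t cookie_for(const struct hdr *h, size_t size) { return (uintptr_t)h ^ size ^ SECRET; }
static void *next_of(void *p) { void *n; memcpy(&n, p, sizeof n); return n; }
static void set_next(void *p, void *n) { memcpy(p, &n, sizeof n); }

void toy_init(void) {
    freelist = NULL;
    for (int i = NCHUNKS - 1; i >= 0; i--) {       /* push in reverse so chunk 0 is handed out first */
        struct hdr *h = (struct hdr *)(arena + i * CHUNK);
        h->size = PAYLOAD;
        h->cookie = cookie_for(h, PAYLOAD);
        set_next(h + 1, freelist);
        freelist = h + 1;
    }
}

void *toy_malloc(void) {
    void *p = freelist;
    if (p) freelist = next_of(p);
    return p;
}

/* Unchecked free: pushes p on the list unconditionally. Freeing a chunk twice
 * creates a cycle in the list, so later mallocs keep returning the same chunks. */
void toy_free(void *p) {
    set_next(p, freelist);
    freelist = p;
}

/* Checked free: -2 if the header cookie no longer matches its size (overflow from
 * the previous chunk), -1 if p is already on the free list (double free), else 0. */
int toy_free_checked(void *p) {
    struct hdr *h = hdr_of(p);
    if (h->cookie != cookie_for(h, h->size)) return -2;
    for (void *q = freelist; q; q = next_of(q))
        if (q == p) return -1;
    toy_free(p);
    return 0;
}

/* Replays the report: allocate 6, free chunks 2, 4, 2, allocate 6 again.
 * Fills out[] with the re-allocated pointers; returns how many frees were refused. */
int run_double_free(int checked, void *out[NCHUNKS]) {
    void *c[NCHUNKS];
    static const int order[3] = {2, 4, 2};
    int refused = 0;
    toy_init();
    for (int i = 0; i < NCHUNKS; i++) c[i] = toy_malloc();
    for (int i = 0; i < 3; i++) {
        if (!checked) toy_free(c[order[i]]);
        else if (toy_free_checked(c[order[i]]) < 0) refused++;
    }
    for (int i = 0; i < NCHUNKS; i++) out[i] = toy_malloc();
    return refused;
}

int refused_frees(int checked) { void *out[NCHUNKS]; return run_double_free(checked, out); }

/* Number of the six re-allocations that repeat an earlier one (the loop). */
int repeated_allocations(int checked) {
    void *out[NCHUNKS];
    int repeats = 0;
    run_double_free(checked, out);
    for (int i = 1; i < NCHUNKS; i++)
        for (int j = 0; j < i; j++)
            if (out[i] && out[i] == out[j]) { repeats++; break; }
    return repeats;
}

/* Overflow: write sizeof(size_t) bytes past the end of chunk a into the size
 * field of the adjacent chunk b, the way an attacker would to make b overlap its
 * neighbour. Returns the result of a checked free of b (-2 expected). */
int overflow_then_free(void) {
    toy_init();
    unsigned char *a = toy_malloc();
    unsigned char *b = toy_malloc();
    size_t bogus = 4 * PAYLOAD;
    memcpy(a + PAYLOAD, &bogus, sizeof bogus);    /* lands exactly on hdr_of(b)->size */
    if (hdr_of(b)->size != bogus) return 99;
    return toy_free_checked(b);
}
```

With the unchecked free, run_double_free(0, out) hands back chunk 2, chunk 4, chunk 2, chunk 4, chunk 2, chunk 4, so four of the six allocations repeat an earlier one; with toy_free_checked the third free is refused, the two freed chunks come back once each and the remaining four mallocs return NULL. The cookie ties the recorded size to the header address under the secret, so after the overflow rewrites b's size the checked free returns -2 instead of trusting the corrupted length; the walk over the free list is O(n), which is why real allocators usually keep a cheaper "is free" flag or check only the list head.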