Research Update Enhanced src/binary-exploitation/libc-heap/u...#2210

Merged
carlospolop merged 1 commit into master from research_update_src_binary-exploitation_libc-heap_use-after-free_first-fit_20260506_142920 on May 6, 2026
Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL:
  • Blog Title: Research Update Enhanced src/binary-exploitation/libc-heap/use-after-free/first-fit.md
  • Suggested Section: Research

🎯 Content Summary

Research Update for src/binary-exploitation/libc-heap/use-after-free/first-fit.md

This PR contains automated research updates including:

  • Latest security vulnerabilities and attack vectors
  • Updated techniques and tools
  • Enhanced explanations and examples
  • Additional references and resources

Generated by: HackTricks Research Agent
Timestamp: 2026-05-06 14:37:54 UTC

Tool usage

  • apply_patch: 1
  • brave_search: 9
  • check_budget_status: 1
  • exec: 29
  • search_google_web: 13
    ...

🔧 Technical Details

Research update for HackTricks content

🤖 Agent Actions

Reviewing the target page, related heap/UAF docs, and recent research on first-fit/tcache-era UAF techniques. Then I’ll update the file directly, verify the diff, and summarize the additions with the source URLs used.
I’m reading the current page and the nearby heap/UAF documentation first so the update stays scoped to this specific technique rather than drifting into generic allocator material.
The target page already has some modern allocator caveats, so the useful update space is narrower. I’m checking adjacent pages now to avoid duplicating tcache-poisoning or generic unsorted-bin material that already lives elsewhere.
I’ve narrowed the gap: the useful update is not “what is first fit,” it’s “what changed on recent glibc so this primitive fails or needs grooming.” I’m pulling modern allocator sources and a couple of recent writeups that use first-fit reuse/splitting inside longer chains.
I’m validating the exact allocator behavior from primary sources now. The update will only keep claims that I can tie back to glibc docs/source or concrete recent writeups.
The first fetch script failed on an unnecessary dependency. I’m retrying with plain curl/sed so the research path stays reproducible in the repo environment.
I have enough primary material for allocator semantics. I’m adding only the delta that seems both recent and specific to this page: newer tcache behavior changing when first-fit is reachable, plus concrete “reuse/split” patterns from recent writeups.
I have the edit scoped. I’m patching the page now with a small, allocator-accurate update: newer glibc 2.42+ behavior that changes when unsorted reuse happens, plus clearer modern exploitation patterns drawn from recent writeups.
The content is patched. I’m validating the final markdown, links, and diff now, and then I’ll close the task list with a short summary plus the exact URLs used.
Updated first-fit.md. The page now explicitly notes that glibc 2.42 can cache larger blocks when glibc.malloc.tcache_max is raised, and adds a matching GLIBC_TUNABLES example so “> 0x410 reaches unsorted” is not treated as a universal rule anymore. I also expanded the modern-exploitation section with two current first-fit patterns: split-preserving overlap from heapify, and leak-preserving reallocation after malloc_consolidate() / unsorted-bin grooming from setjmp, plus inline links to the existing tcache and unsorted-bin pages for the follow-on primitives. (lists.gnu.org)

I verified the edited markdown, checked the new internal links, and git diff --check is clean.

https://blog.quarkslab.com/heap-exploitation-glibc-internals-and-nifty-tricks.html
https://hackmd.io/@aneii11/H1S2snV40
https://lists.gnu.org/archive/html/info-gnu/2025-07/msg00011.html
https://sourceware.org/glibc/manual/2.42/html_mono/libc.html
https://raw.githubusercontent.com/bminor/glibc/release/2.42/master/malloc/malloc.c
https://raw.githubusercontent.com/shellphish/how2heap/master/first_fit.c
https://www.deep-kondah.com/glibc-heap-internals/

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post:

Content Categories: Based on the analysis, this content was categorized under "Research".

Repository Maintenance:

  • MD Files Formatting: 973 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop carlospolop merged commit 65307b0 into master May 6, 2026
@carlospolop carlospolop deleted the research_update_src_binary-exploitation_libc-heap_use-after-free_first-fit_20260506_142920 branch May 6, 2026 16:48