Skip to content
Browse files


  • Loading branch information...
VoidMercy committed Sep 6, 2019
1 parent 7568e99 commit df45611fef9bb5f0f339c0d607bb6ce0cd7367e6
Showing with 3 additions and 0 deletions.
  1. +3 −0 tokyowesterns-2019-quals/Multi-Heap/
@@ -0,0 +1,3 @@
# Multi-Heap

The bug is a race condition while memcpying chunks. Memcpy can be run in a different thread, so we just race copy with free to copy over a freed chunk to an allocated chunk to obtain leaks. We use the same race to copy a fake fd pointing to malloc hook into a freed chunk to tcache dupe into malloc hook and win.

0 comments on commit df45611

Please sign in to comment.
You can’t perform that action at this time.