Showing with 3 additions and 0 deletions.
|@@ -0,0 +1,3 @@|
|The bug is a race condition while memcpying chunks. Memcpy can be run in a different thread, so we just race copy with free to copy over a freed chunk to an allocated chunk to obtain leaks. We use the same race to copy a fake fd pointing to malloc hook into a freed chunk to tcache dupe into malloc hook and win.|
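Review bot: The hunk header records three added lines (`+1,3`) but only one line of content is visible here, so two lines of the writeup appear to have been lost in rendering and should be checked against the actual commit. On the content itself, the description never states which glibc version the exploit was run against, and the chain it describes relies on two things that no longer hold on current glibc: the tcache double-free key check introduced in 2.29, which would stop the "tcache dupe", and the removal of `__malloc_hook` in 2.34, which removes the target. It also does not explain why the memcpy running in a separate thread makes the race reliably winnable (no mention of the window size or how it was widened). Suggest adding a line naming the challenge binary, the libc version and the mitigations that had to be absent, so a reader can tell when this technique does and does not apply.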