| Technique | Description | Reference |
| --- | --- | ---: |
| Fast bin dup | Corrupting a fast bin freelist (e.g., by double free or write-after-free) to return an arbitrary location | |
| Unsafe unlink | Abusing unlinking in a freelist to get an arbitrary write | [1][2][3] |
| House of chaos | | [5] |
| House of mind | | [5][9] |
| House of prime | | [5][9] |
| House of spirit | Freeing a fake fast bin chunk to return an arbitrary location | [5][9] |
| House of force | Corrupting the top chunk to return an arbitrary location | [5][9] |
| House of lore | Abusing the small bin freelist to return an arbitrary location | [5][9] |
| House of underground | | [9] |
| Poison null byte | Corrupting a heap chunk size to consolidate chunks even in the presence of allocated heap | |
| Overlapping chunks | Corrupting a chunk size in the unsorted bin to overlap with an allocated heap | |
| Unsorted bin attack | Corrupting a freed chunk in the unsorted bin to write an uncontrollable value to an arbitrary location | |
| Free chunk enlarge attack | | [14] |
| Nonadjacent free chunk consolidation attack | | [14] |
| Free chunk shrink attack | | [14] |
| House of einherjar | Corrupting PREV_IN_USE to consolidate chunks to return an arbitrary location that requires a heap address | [15] |
| Unsorted bin into stack | Abusing the unsorted freelist to return an arbitrary location | [19] |
| House of unsorted einherjar | A variant of house of einherjar that does not require a heap address | [19] |
| Unaligned double free | Corrupting a small bin freelist to return already allocated heap | [19] |
| Overlapping small chunks | Corrupting a chunk size in a small bin to overlap chunks | [19] |
| Fast bin into other bin | Corrupting a fast bin freelist and using malloc_consolidate() to return an arbitrary non-fast-bin chunk | [19] |