Heap Exploitation Glossary

This glossary defines key terms and concepts used throughout heap exploitation. Terms are organized alphabetically within categories for easy reference.

Core Heap Concepts

Arena

A memory structure that manages the heap for a thread or group of threads. The main arena is used by the main thread, while additional arenas can be created for other threads.Key Points:

Each arena has its own set of bins and top chunk
Multiple threads may share an arena to reduce memory overhead
Arena corruption can lead to powerful exploitation primitives

Related Techniques:

house_of_gods (arena hijacking)
house_of_mind_fastbin (arena manipulation)

See Also: Top Chunk, Bins

Chunk

The fundamental unit of heap memory. Each allocation from malloc returns a chunk. A chunk consists of metadata (size, flags) followed by user data.Structure (64-bit):

struct malloc_chunk {
  size_t      prev_size;  /* Size of previous chunk (if free) */
  size_t      size;       /* Size in bytes, including overhead */
  
  /* Only used when chunk is free: */
  struct malloc_chunk* fd;  /* Forward pointer */
  struct malloc_chunk* bk;  /* Backward pointer */
};

Size Flags (in size field):

PREV_INUSE (0x1): Previous chunk is in use
IS_MMAPPED (0x2): Chunk was allocated via mmap
NON_MAIN_ARENA (0x4): Chunk belongs to non-main arena

Related Techniques:

unsafe_unlink (chunk unlinking)
overlapping_chunks (chunk size corruption)
poison_null_byte (chunk metadata overflow)

See Also: Bins, Metadata

Consolidation

The process of merging adjacent free chunks into a single larger chunk. This prevents heap fragmentation and improves allocation efficiency.When It Happens:

When a chunk is freed and adjacent chunks are also free
During malloc_consolidate() calls
When accessing the unsorted bin

Exploitation Implications:

Can trigger unlink operations (unsafe_unlink)
Used in fastbin_dup_consolidate
Can cause overlapping chunks if size is corrupted

Related Techniques:

fastbin_dup_consolidate
unsafe_unlink
overlapping_chunks

See Also: Unlink, Fastbin

First-Fit

The allocation strategy used by glibc’s malloc. When searching for a free chunk, malloc uses the first chunk that is large enough to satisfy the request.Behavior:

Searches bins in order
Returns first chunk that fits
Splits chunk if too large

Exploitation Impact:

Predictable allocation behavior
Can control which freed chunk gets reused
Critical for use-after-free exploitation

Demonstrated In: first_fit.cSee Also: Bins, Use-After-Free

Heap

The region of memory used for dynamic memory allocation. Unlike the stack, heap memory must be explicitly allocated (malloc) and freed (free).Characteristics:

Grows upward (toward higher addresses)
Managed by the allocator (ptmalloc2 in glibc)
Shared across all threads (with multiple arenas)
Persists until explicitly freed

Key Regions:

Data chunks (allocated memory)
Free chunks (in bins)
Top chunk (wilderness)
Metadata (chunk headers, tcache/bin structures)

See Also: Arena, Chunk, Top Chunk

Metadata

Information stored by the allocator to manage chunks. Includes size, flags, and free list pointers.Stored In:

Chunk headers (prev_size, size)
Freelist pointers (fd, bk)
Tcache metadata structure
Arena structures

Exploitation Target:

Corrupting metadata enables most heap exploits
Size field corruption → overlapping chunks
Pointer corruption → arbitrary write/allocation

Common Corruptions:

Size overflow (overlapping_chunks)
Freelist poisoning (tcache_poisoning)
Tcache metadata (tcache_metadata_poisoning)

See Also: Chunk, Tcache, Safe-linking

Top Chunk (Wilderness)

The large chunk at the top (highest address) of the heap. All allocation requests that cannot be satisfied from bins are served from the top chunk.Properties:

Always present
Never coalesced with other chunks
Grows via sbrk() or mmap()
Size must be page-aligned

Exploitation:

house_of_force (size corruption)
house_of_orange (premature free)
house_of_tangerine (modern top chunk exploit)
sysmalloc_int_free (arbitrary size top chunk)

Mitigations (>= 2.29):

Size validation checks
Alignment verification

See Also: House of Force, Arena

Unlink

The operation of removing a free chunk from a doubly-linked freelist (in bins). Involves updating the fd and bk pointers of adjacent chunks.Classic Unlink:

FD->bk = BK
BK->fd = FD

Modern Protection:

Corruption detection checks
Safe unlinking validation

Exploitation:

unsafe_unlink (arbitrary write primitive)
Requires bypassing safety checks

See Also: Unsafe Unlink, Consolidation

Bins and Freelists

Bins

Data structures that store freed chunks for reuse. Different bin types optimize for different allocation sizes and patterns.Types:

Fastbins: Small allocations, singly-linked, LIFO
Smallbins: Small-medium allocations, doubly-linked, FIFO
Largebins: Large allocations, doubly-linked, size-sorted
Unsorted bin: Temporary bin for recently freed chunks
Tcache: Thread-local cache (glibc >= 2.26)

Purpose:

Fast reallocation of freed memory
Reduce fragmentation
Optimize for common allocation patterns

See Also: Fastbin, Smallbin, Largebin, Tcache

Fastbin

Single-linked freelist for small chunks (16-128 bytes on 64-bit). Uses LIFO (Last-In-First-Out) ordering for performance.Characteristics:

10 fastbins, each for specific size
Singly-linked (fd pointer only)
No coalescing (PREV_INUSE always set)
LIFO ordering
Fast allocation/deallocation

Structure:

chunk1->fd → chunk2->fd → chunk3->fd → NULL

Exploitation:

fastbin_dup (double-free)
fastbin_dup_into_stack (arbitrary allocation)
fastbin_dup_consolidate (bypass double-free check)
fastbin_reverse_into_tcache (tcache stashing)

Mitigations:

Double-free check (top of freelist)
Safe-linking (>= 2.32)

See Also: Tcache, Safe-linking

Largebin

Doubly-linked freelists for large chunks (>= 1024 bytes on 64-bit). Chunks are sorted by size for best-fit selection.Characteristics:

63 largebins, each covering a size range
Doubly-linked (fd, bk pointers)
Size-sorted within each bin (fd_nextsize, bk_nextsize)
Best-fit allocation strategy

Structure:

struct malloc_chunk {
  size_t prev_size;
  size_t size;
  struct malloc_chunk* fd;
  struct malloc_chunk* bk;
  struct malloc_chunk* fd_nextsize;  /* Largebin only */
  struct malloc_chunk* bk_nextsize;  /* Largebin only */
};

Exploitation:

large_bin_attack (arbitrary write)
house_of_storm (combined with unsorted bin)

Mitigation: Some size validationSee Also: Smallbin, Unsorted Bin

Smallbin

Doubly-linked freelists for small to medium chunks (128-1008 bytes on 64-bit). Uses FIFO ordering.Characteristics:

62 smallbins, each for specific size
Doubly-linked (fd, bk pointers)
Exact size match required
FIFO ordering

Structure:

chunk1 ←→ chunk2 ←→ chunk3 ←→ bin_head

Exploitation:

house_of_lore (freelist corruption)
tcache_stashing_unlink_attack (tcache stashing)

See Also: Fastbin, Largebin

Tcache (Thread Cache)

Thread-local cache for small allocations, introduced in glibc 2.26. Provides fast, per-thread allocation without locks.Characteristics:

64 tcache bins (one per size class)
Singly-linked (next pointer)
LIFO ordering
Maximum 7 chunks per bin (default)
Checked before other bins

Metadata Structure:

typedef struct tcache_perthread_struct {
  uint16_t counts[64];    /* # of chunks in each bin */
  tcache_entry *entries[64]; /* Heads of freelists */
} tcache_perthread_struct;

Evolution:

2.26-2.28: Minimal checks (tcache_dup works)
2.29+: Double-free detection added
2.32+: Safe-linking applied

Exploitation:

tcache_poisoning (freelist corruption)
tcache_dup (double-free, obsolete)
tcache_house_of_spirit (fake chunk)
house_of_botcake (double-free bypass)
tcache_metadata_poisoning (metadata corruption)
tcache_stashing_unlink_attack (smallbin → tcache)

Mitigations:

Double-free check (2.29+)
Safe-linking (2.32+)
Key field (some versions)

See Also: Safe-linking, PROTECT_PTR

Unsorted Bin

A single doubly-linked bin that acts as a cache for recently freed chunks. Chunks are sorted into appropriate bins when the unsorted bin is processed.Characteristics:

Only one unsorted bin
Doubly-linked (fd, bk pointers)
Temporary storage
Processed during allocation

Purpose:

Speed optimization
Delayed sorting
Chunk coalescing

Exploitation (< 2.29):

unsorted_bin_attack (arbitrary write)
unsorted_bin_into_stack (arbitrary allocation)
house_of_roman (combined exploit)

Mitigations (>= 2.29):

Size validation
Pointer validation
These techniques no longer work

See Also: Largebin, Smallbin

Security Mitigations

PROTECT_PTR

A macro used in modern glibc to protect tcache pointers from corruption by XORing them with a secret value.Implementation:

#define PROTECT_PTR(pos, ptr) \
  ((__typeof(ptr)) ((((size_t) pos) >> 12) ^ ((size_t) ptr)))

Purpose:

Prevent direct pointer overwrites
Additional protection beyond safe-linking
Thread-specific obfuscation

Bypass Techniques:

safe_link_double_protect (protect twice)
house_of_water (metadata control)
Requires understanding of position and secret

Introduced: Around glibc 2.32-2.36 (implementation varies)See Also: Safe-linking, Tcache

Safe-linking

A security mitigation introduced in glibc 2.32 that obfuscates forward pointers in tcache and fastbin freelists to prevent poisoning attacks.How It Works:

/* Obfuscation */
protected_fd = (ptr >> 12) ^ fd

/* Deobfuscation */
fd = (ptr >> 12) ^ protected_fd

Impact:

tcache_poisoning requires heap leak (for ptr)
Fastbin attacks need heap leak
Adds entropy to prevent blind overwrites

Bypass Techniques:

decrypt_safe_linking (with heap leak)
safe_link_double_protect (leakless bypass)
house_of_water (leakless tcache control)

Key Concept: The pointer position (ptr) is used as a key, requiring an attacker to know or leak a heap address.Patch Commit: a1a486d70eSee Also: Tcache, Fastbin

Common Vulnerabilities

Double-Free

Freeing the same memory address twice without an intervening allocation. This corrupts the freelist and can lead to arbitrary allocation.Consequences:

Chunk appears twice in freelist
Can allocate same address multiple times
Enables arbitrary pointer writes

Classic Exploitation:

free(chunk);  // First free
free(chunk);  // Double-free → freelist corruption

Mitigations:

Fastbin: Check if freed chunk is at top of freelist
Tcache: Double-free detection (glibc >= 2.29)

Bypass Techniques:

fastbin_dup (free different chunk in between)
tcache_dup (2.26-2.28 only)
house_of_botcake (tcache → unsorted bin → tcache)

Related Techniques: fastbin_dup, tcache_dup, house_of_botcakeSee Also: Use-After-Free, Tcache

Heap Overflow

Writing beyond the allocated size of a heap chunk, potentially corrupting adjacent chunks’ metadata or data.Types:

Linear overflow: Continuous write past boundary
Off-by-one: Single byte overflow (poison_null_byte)
Relative overflow: Controlled offset overflow

Exploitation Targets:

Next chunk’s size field
Next chunk’s fd/bk pointers (if free)
Next chunk’s user data

Example Techniques:

poison_null_byte (off-by-one)
overlapping_chunks (size corruption)
unsafe_unlink (fd/bk corruption)

Mitigations:

Size validation
Unlinking checks
Safe-linking

See Also: Chunk, Metadata

Unsafe Unlink

A specific heap overflow exploitation technique that corrupts a free chunk’s fd/bk pointers to achieve an arbitrary write primitive.Classic Unlink Macro:

FD = chunk->fd;
BK = chunk->bk;
FD->bk = BK;  // Arbitrary write: *(&FD + 12) = BK
BK->fd = FD;  // Arbitrary write: *(&BK + 16) = FD

Requirements:

Overflow into a free chunk
Bypass modern unlink checks
Know address to write to

Modern Checks:

if (FD->bk != chunk || BK->fd != chunk)
  abort();

Bypass: Use controlled memory region where you can fake chunk structure to pass validation.Demonstrated In: unsafe_unlink.cSee Also: Unlink, Heap Overflow

Use-After-Free (UAF)

Accessing memory after it has been freed. The freed chunk may be reallocated, causing the program to access attacker-controlled data.Behavior:

char *ptr = malloc(0x100);
free(ptr);
// ptr is now dangling
char *new = malloc(0x100);  // May reuse same address
// Reading/writing ptr now affects new!

Exploitation:

Read freed chunk → information leak
Write freed chunk → freelist poisoning
Reallocate with attacker data → control structures

Enables:

tcache_poisoning
fastbin_dup
house_of_io
house_of_water

Demonstrated In: first_fit.c (basic concept)See Also: Double-Free, First-Fit

Exploitation Techniques (Alphabetical)

Fastbin Dup

Exploiting double-free in fastbins to make malloc return an already-allocated pointer.Version: All (latest in glibc_2.35+)Type: Double-free attackPrimitive: Allocate same address twiceSee: fastbin_dup.c

Fastbin Dup Consolidate

Using malloc_consolidate to bypass fastbin double-free detection.Version: AllType: Double-free bypassPrimitive: Allocate same pointer twiceSee: fastbin_dup_consolidate.c

Fastbin Dup Into Stack

Corrupting fastbin freelist to allocate a fake chunk on the stack or other arbitrary location.Version: AllType: Freelist poisoningPrimitive: Nearly-arbitrary allocationSee: fastbin_dup_into_stack.c

House of Botcake

Bypass tcache double-free detection by freeing to unsorted bin then back to tcache.Version: >= 2.26Type: Double-free bypassPrimitive: Tcache poisoningSee: house_of_botcake.c

House of Einherjar

Exploiting off-by-one null byte overflow to create overlapping chunks.Version: AllType: Off-by-one overflowPrimitive: Controlled pointer allocationSee: house_of_einherjar.c

House of Force

Corrupting top chunk size to make malloc return nearly-arbitrary pointer.Version: < 2.29 (patched)Type: Top chunk exploitationPrimitive: Nearly-arbitrary allocationPatch: Top chunk size validationSee: house_of_force.c

House of Gods

Hijacking a thread’s arena within limited allocations.Version: 2.24-2.26 (obsolete)Type: Arena manipulationPrimitive: Arena controlSee: house_of_gods.c

Quick Reference Tables

Bin Size Ranges (64-bit)

Bin Type	Size Range	Structure	Ordering
Tcache	16 - 1032 bytes	Singly-linked	LIFO
Fastbin	16 - 128 bytes	Singly-linked	LIFO
Smallbin	128 - 1008 bytes	Doubly-linked	FIFO
Largebin	>= 1024 bytes	Doubly-linked + size	Best-fit

Common Chunk Sizes

Request	Chunk Size	Bin Type (no tcache)
malloc(0x18)	0x20	Fastbin
malloc(0x68)	0x70	Fastbin
malloc(0x88)	0x90	Smallbin
malloc(0x400)	0x410	Largebin

Security Feature Timeline

glibc Version	Feature	Impact
2.26	Tcache introduced	New attack surface
2.28	Tcache double-free check	tcache_dup patched
2.29	Size validation	Many bin attacks patched
2.32	Safe-linking	Requires heap leak

Learning Path

Start with Fundamentals

Read: Heap Basics
Understand: Chunk, Arena, Bins
Practice: first_fit.c, calc_tcache_idx.c

Learn Classic Techniques

Study: Fastbin, Use-After-Free, Double-Free
Practice: fastbin_dup, house_of_spirit
Understand: Freelist manipulation

Modern Exploitation

Study: Tcache, Safe-linking
Practice: tcache_poisoning, house_of_botcake
Understand: Modern mitigations

Advanced Techniques

Study: Metadata manipulation, Leakless techniques
Practice: house_of_water, safe_link_double_protect
Understand: Bypass strategies

Additional Resources

All Techniques

Complete catalog of exploitation techniques

By glibc Version

Version-specific technique availability

Heap Basics

Deep dive into heap internals

Setup Guide

Configure your testing environment

Technique Reference

Documentation Index

​Heap Exploitation Glossary

​Core Heap Concepts

​Bins and Freelists

​Security Mitigations

​Common Vulnerabilities

​Exploitation Techniques (Alphabetical)

​Quick Reference Tables

​Bin Size Ranges (64-bit)

​Common Chunk Sizes

​Security Feature Timeline

​Learning Path

​Additional Resources

All Techniques

By glibc Version

Heap Basics

Setup Guide

Heap Exploitation Glossary

Core Heap Concepts

Bins and Freelists

Security Mitigations

Common Vulnerabilities

Exploitation Techniques (Alphabetical)

Quick Reference Tables

Bin Size Ranges (64-bit)

Common Chunk Sizes

Security Feature Timeline

Learning Path

Additional Resources