Heap Allocator Hardening (glibc Safe-Linking and Metadata Protection)
Description
Enable and verify glibc heap allocator safety features that specifically target use-after-free and double-free exploitation. Modern glibc (2.32+) includes safe-linking, which encrypts singly-linked list pointers in malloc metadata using a per-thread random key XORed with the storage location. An attacker who corrupts a freed chunk's forward pointer must know both the random key and the chunk address to forge a valid pointer, defeating the standard tcache-poisoning technique used in most heap exploitation. Tcache key verification detects double-free by storing a per-thread random value in freed tcache entries and checking it on subsequent frees; a second free of the same pointer is detected and the process is aborted. On older glibc (2.28, RHEL 8), setting MALLOC_PERTURB_ to a nonzero value fills freed memory with a byte pattern, causing use-after-free reads to return garbage instead of previously valid data, breaking exploitation chains that depend on reading stale heap content.
CVSS Vector Impacts
| Metric | Transition | Rationale |
|---|---|---|
| Attack Complexity (AC) | L → H | Safe-linking forces the attacker to defeat pointer encryption (both the per-thread random key and the chunk address are required) before an allocation can be redirected to a controlled location via tcache poisoning. Tcache key verification detects double-free attempts and aborts the process before heap corruption is achieved. Exploitation therefore requires discovering a bypass for the allocator's integrity checks. |
CWE Relationships
Verification
Verify that the glibc version includes safe-linking (2.32+) and tcache key verification; on older systems, verify that MALLOC_PERTURB_ is set to a nonzero value.
# Expected: glibc-2.32 or higher for safe-linking and tcache key verification (RHEL 9+)
# Expected: ldd (GNU libc) 2.32 or higher
# Expected: MALLOC_PERTURB_ set to nonzero value (fallback for glibc < 2.32)
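A check script implementing the verification above, written here as an added example rather than taken from the original control text: it parses the first line of `ldd --version`, applies the 2.32 threshold the control uses, and falls back to inspecting MALLOC_PERTURB_ on older glibc. The function names and PASS/FAIL wording are this example's own.

```shell
#!/bin/sh
# Added example for this control (not from the original page). Decides whether the
# host's glibc provides safe-linking and tcache key verification (threshold 2.32, as the
# control text states) or whether the MALLOC_PERTURB_ fallback is in place.

SAFE_LINKING_MIN_MAJOR=2
SAFE_LINKING_MIN_MINOR=32

# Extract "major.minor" from the first line of `ldd --version`, e.g. "ldd (GNU libc) 2.34".
glibc_version_from_ldd() {
  printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Return 0 when version "$1" (major.minor) is 2.32 or newer.
glibc_has_safe_linking() {
  major=${1%%.*}
  minor=${1#*.}; minor=${minor%%.*}
  [ "$major" -gt "$SAFE_LINKING_MIN_MAJOR" ] && return 0
  [ "$major" -eq "$SAFE_LINKING_MIN_MAJOR" ] && [ "$minor" -ge "$SAFE_LINKING_MIN_MINOR" ]
}

# Return 0 when the MALLOC_PERTURB_ value "$1" is a nonzero decimal integer.
perturb_is_set() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ne 0 ]
}

# $1 = first line of `ldd --version`, $2 = value of MALLOC_PERTURB_.
# Prints PASS/FAIL with the reason and returns 0 only when the control is satisfied.
heap_hardening_status() {
  ver=$(glibc_version_from_ldd "$1")
  if [ -z "$ver" ]; then
    echo "FAIL: could not determine glibc version from: $1"; return 1
  fi
  if glibc_has_safe_linking "$ver"; then
    echo "PASS: glibc $ver includes safe-linking and tcache key verification"; return 0
  fi
  if perturb_is_set "$2"; then
    echo "PASS: glibc $ver predates safe-linking; MALLOC_PERTURB_=$2 fallback is set"; return 0
  fi
  echo "FAIL: glibc $ver predates safe-linking and MALLOC_PERTURB_ is unset or zero"
  return 1
}

# Live check on this host; `|| :` keeps a FAIL from aborting a caller running with set -e.
heap_hardening_status "$(ldd --version 2>/dev/null | head -n 1)" "${MALLOC_PERTURB_:-}" || :
```

Run it on a RHEL 8 host with and without `MALLOC_PERTURB_` exported to see the fallback path exercised; on RHEL 9 the version check alone passes.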