Skip to main content

Overview

The GNU C Library (glibc) heap allocator has undergone significant security hardening over the years. This changelog documents the major protection mechanisms and consistency checks added to the heap implementation, explaining how each change impacts exploitation techniques.
Many classic heap exploitation techniques have been patched in recent glibc versions. Understanding when and how protections were added is crucial for adapting techniques or developing bypasses.

Version 2.25 and Earlier

Baseline Protection Level

All attacks in the how2heap repository work at least in glibc 2.25, making it a baseline for studying classic heap exploitation techniques. Available Techniques:
  • Fastbin attacks (fastbin_dup, fastbin_dup_into_stack)
  • House of Force
  • House of Lore
  • House of Orange
  • House of Roman
  • Unsorted bin attacks
  • Unsafe unlink
  • Overlapping chunks
If you’re learning heap exploitation fundamentals, glibc 2.25 or earlier provides the most permissive environment.

Version 2.26

Major Changes

1. tcache (Per-Thread Cache) Introduction

What Changed:
  • Introduced thread-local caching for small allocations
  • Separate free lists per thread (7 bins per size class)
  • Initially had minimal security checks
Impact on Exploitation:
  • New attack surface: tcache poisoning
  • Fastbin attacks became more complex
  • New primitive: tcache_dup (double free in tcache)
tcache was enabled in Ubuntu builds starting from glibc 2.27, even though it was introduced in 2.26.
Resources: What Changed: Added size validation in the unlink(AV, P, BK, FD) macro: 
if (__builtin_expect (chunksize(P) != prev_size (next_chunk(P)), 0))
  malloc_printerr ("corrupted size vs. prev_size");
Impact on Exploitation:
  • Harder to exploit unsafe unlink
  • Requires more careful chunk metadata manipulation
  • Size consistency must be maintained across adjacent chunks
Techniques Affected:
  • unsafe_unlink (still possible but more constrained)
  • overlapping_chunks (requires careful size manipulation)

Version 2.27

Major Changes

1. tcache Enabled by Default in Ubuntu

What Changed:
  • Ubuntu builds enabled tcache by default
  • Significantly changed heap behavior

2. Fastbin Consolidation Size Check

What Changed: Added size validation in malloc_consolidate(mstate av): 
unsigned int idx = fastbin_index (chunksize (p));
if ((&fastbin (av, idx)) != fb)
  malloc_printerr ("malloc_consolidate(): invalid chunk size");
Impact on Exploitation:
  • Prevents fastbin consolidation with corrupted sizes
  • Makes some fastbin attacks more difficult
  • Requires attackers to maintain valid size fields
Techniques Affected:
  • fastbin_dup_consolidate (requires valid sizes)
  • Some House of Force variants

3. tcache Double Free Check

What Changed: Added basic double-free detection in tcache: 
if (__glibc_unlikely (e->key == tcache))
  malloc_printerr ("double free detected in tcache 2");
Impact on Exploitation:
  • tcache_dup technique obsoleted
  • Need to bypass double-free check
  • Led to development of house_of_botcake
Patch:

Version 2.29

Major Changes

1. Enhanced Size Checks

What Changed: Multiple size consistency checks added to unsorted bin processing: 
if (__glibc_unlikely (size <= 2 * SIZE_SZ)
    || __glibc_unlikely (size > av->system_mem))
  malloc_printerr ("malloc(): invalid size (unsorted)");

if (__glibc_unlikely ((prev_size (next_chunk (victim)) & ~(SIZE_BITS)) != size))
  malloc_printerr ("malloc(): mismatching next->prev_size (unsorted)");
Impact on Exploitation:
  • Breaks overlapping_chunks technique
  • Breaks unsorted_bin_into_stack
  • Breaks unsorted_bin_attack
  • Breaks house_of_force
  • Breaks house_of_roman
  • Breaks house_of_storm
Patch: Techniques Patched:
  • overlapping_chunks (< 2.29)
  • overlapping_chunks_2 (< 2.29)
  • house_of_force (< 2.29)
  • unsorted_bin_into_stack (< 2.29)
  • unsorted_bin_attack (< 2.29)
  • house_of_roman (< 2.29)
  • house_of_storm (< 2.29)
glibc 2.29 was a major security milestone, patching numerous classic heap exploitation techniques simultaneously.

Version 2.32

Major Changes

1. Safe-Linking Protection

What Changed: Introduced pointer mangling in tcache and fastbins: 
#define PROTECT_PTR(pos, ptr) \
  ((__typeof (ptr)) ((((size_t) pos) >> 12) ^ ((size_t) ptr)))

#define REVEAL_PTR(ptr) \
  PROTECT_PTR (&ptr, ptr)
Impact on Exploitation:
  • Forward pointers in tcache/fastbins are now obfuscated
  • Requires heap leak to decrypt pointers
  • Makes blind tcache poisoning impossible
  • Led to development of decrypt_safe_linking technique
Patch: Techniques Affected:
  • tcache_poisoning (now requires heap leak)
  • fastbin_dup (requires pointer decryption)
  • All tcache-based attacks
New Techniques:
  • decrypt_safe_linking (demonstrates decryption)
  • safe_link_double_protect (bypass via double protection)

Version 2.33

Major Changes

Minor improvements to existing protections. No major new mitigations introduced.

Version 2.34

Major Changes

Continued refinement of existing security checks.

Version 2.35

Major Changes

Most modern techniques have been updated to work with this version. Many “latest” techniques in how2heap target 2.35.

Version 2.36 and Later

Major Changes

Ongoing security improvements and bug fixes. New techniques continue to be developed:
  • house_of_water (2.36+) - Leakless tcache exploitation
  • safe_link_double_protect (2.36+) - Bypass safe-linking
  • house_of_tangerine (2.39+) - Top chunk exploitation with tcache
  • tcache_relative_write (2.41) - Out-of-bounds tcache metadata writes

Summary of Protection Timeline

  • tcache per-thread caching added
  • Unlink size consistency check
  • New attack surface created
  • tcache enabled in Ubuntu
  • Fastbin consolidation checks
  • tcache double-free detection
  • Comprehensive size consistency checks
  • Patched 7+ classic techniques
  • Unsorted bin attack mitigated
  • House of Force patched
  • Pointer obfuscation in tcache/fastbins
  • Requires heap leaks for exploitation
  • Major impact on all pointer-based attacks

Impact on CTF and Real-World Exploitation

For CTF Players

Always check the glibc version of the target binary. Many CTF challenges use older glibc versions to allow specific techniques.
Version Selection Guide:
  • 2.23-2.27: Classic techniques work, good for learning
  • 2.29-2.31: Transitional period, some techniques patched
  • 2.32+: Modern protections, requires advanced techniques

For Security Researchers

Understanding the protection timeline helps in:
  • Vulnerability impact assessment
  • Exploit development for specific versions
  • Writing portable exploits
  • Developing new bypass techniques

Testing Across Versions

To test how protections affect a technique: 
# Test on vulnerable version (2.27)
H2H_USE_SYSTEM_LIBC=N make v2.27
./glibc_2.27/unsorted_bin_attack

# Test on patched version (2.29)
H2H_USE_SYSTEM_LIBC=N make v2.29
./glibc_2.29/unsorted_bin_attack  # This won't exist - technique patched

Additional Resources

Build docs developers (and LLMs) love

Get started for freeTalk to us