abelrguezr/glibc-free-analysis
skills/binary-exploitation/libc-heap/heap-memory-functions/free/SKILL.md
Analyze and explain glibc's free() function behavior for heap exploitation. Use this skill whenever the user asks about free(), heap chunk freeing, tcache/fastbin/unsorted bin behavior, double-free detection, safe-linking, tcache poisoning, or any glibc malloc/free internals. This skill explains the complete free() flow from __libc_free through _int_free to bin placement, including all security checks and error messages. Make sure to use this skill when debugging heap issues, analyzing heap exploitation primitives, or understanding why free() triggers specific error messages.
$ install --global
skillsauthnpx skillsauth add abelrguezr/hacktricks-skills glibc-free-analysisInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 2:10 AM24.9s2 files scanned
SKILL.md
- name:
- glibc-free-analysis
- description:
- Analyze and explain glibc's free() function behavior for heap exploitation. Use this skill whenever the user asks about free(), heap chunk freeing, tcache/fastbin/unsorted bin behavior, double-free detection, safe-linking, tcache poisoning, or any glibc malloc/free internals. This skill explains the complete free() flow from __libc_free through _int_free to bin placement, including all security checks and error messages. Make sure to use this skill when debugging heap issues, analyzing heap exploitation primitives, or understanding why free() triggers specific error messages.
glibc free() Analysis
This skill explains the complete flow of free() in glibc's heap allocator, including security checks, bin placement logic, and exploitation considerations.
Quick Reference: free() Flow
free(ptr)
└─> __libc_free
├─> NULL check → return
├─> mmaped chunk → munmap → return
└─> _int_free
├─> tcache (if eligible)
├─> fastbin (if eligible)
└─> _int_free_merge_chunk → unsorted bin
Step-by-Step Analysis
1. __libc_free Entry Point
When free(ptr) is called:
| Check | Action |
|-------|--------|
| ptr == NULL | Return immediately (no-op) |
| Pointer tag mismatch | Double-free detection (if mtag_enabled) |
| chunk_is_mmapped(p) | Call munmap_chunk(p) and return |
| Otherwise | Add color, call _int_free(arena, p, 0) |
Key insight: free(NULL) is safe and does nothing.
2. _int_free Validation
Before any bin placement, _int_free performs critical checks:
| Check | Error Message |
|-------|---------------|
| Pointer not aligned | free(): invalid pointer |
| Size < MINSIZE or not aligned | free(): invalid size |
| Pointer wraps around address space | free(): invalid pointer |
These checks prevent many common heap corruption bugs from silently succeeding.
3. Tcache Placement (if eligible)
Eligibility: Chunk size fits in tcache bins AND tcache is enabled.
Checks before insertion:
| Check | Error Message |
|-------|---------------|
| tcache->counts[tc_idx] >= mp_.tcache_count | free(): too many chunks detected in tcache |
| Entry not aligned | free(): unaligned chunk detected in tcache 2 |
| Entry already in tcache (double-free) | free(): double free detected in tcache 2 |
Double-free detection: The code checks if e->key == tcache_key and walks the bin looking for the same pointer. This is probabilistic but effective.
glibc 2.42+ change: Tcache now accepts much larger chunks via glibc.malloc.tcache_max_bytes tunable. This means more frees go to tcache instead of unsorted bins.
4. Fastbin Placement (if eligible)
Eligibility: size <= get_max_fast() AND (if TRIM_FASTBINS) chunk doesn't border top.
Checks before insertion:
| Check | Error Message |
|-------|---------------|
| Next chunk size invalid | free(): invalid next size (fast) |
| Chunk already at fastbin top | double free or corruption (fasttop) |
| Fastbin top has different size | invalid fastbin entry (free) |
Safe-linking: Fastbin fd pointers are protected: PROTECT_PTR(pos, ptr) = ((size_t)pos >> 12) ^ (size_t)ptr
5. Unsorted Bin (via _int_free_merge_chunk)
If chunk doesn't fit tcache or fastbin, it goes through consolidation:
Checks during consolidation:
| Check | Error Message |
|-------|---------------|
| Chunk is top chunk | double free or corruption (top) |
| Next chunk outside arena | double free or corruption (out) |
| Next chunk not marked in-use | double free or corruption (!prev) |
| Next chunk size invalid | free(): invalid next size (normal) |
| Prev size mismatch during consolidation | corrupted size vs. prev_size while consolidating |
Process:
- Check if previous chunk is free → consolidate backward
- Check if next chunk is free → consolidate forward
- Place resulting chunk in unsorted bin
Exploitation Notes
Safe-Linking Bypass
Tcache and fastbin use safe-linking to protect fd pointers:
# To craft a safe-linked fd pointing to TARGET:
# You need a leaked heap address at position POS
protected_fd = TARGET ^ (POS >> 12)
Implication: You need a heap leak to perform tcache poisoning. The XOR key is derived from the position of the fd pointer itself.
Tcache Double-Free Detection
The detection works by:
- Checking if
e->key == tcache_key(probabilistic match) - Walking the entire bin up to
mp_.tcache_countentries - Aborting if the same pointer is found
Bypass consideration: The key check is probabilistic (1 in 2^size_t chance of false positive), but the pointer walk is deterministic.
Forcing Specific Bin Behavior
For research/testing, use GLIBC_TUNABLES to control tcache:
# Disable tcache completely (see classic unsorted bin behavior)
GLIBC_TUNABLES=glibc.malloc.tcache_count=0 ./program
# glibc 2.42+: Disable large tcache
GLIBC_TUNABLES=glibc.malloc.tcache_max_bytes=0 ./program
Modern Hook Limitations
__malloc_hook and __free_hook overwrites are not viable on glibc ≥ 2.34. Use alternative targets:
- IO_FILE structures
- Exit handlers
- Virtual tables
- Other GOT/PLT entries
Common Error Messages Reference
| Error | Cause |
|-------|-------|
| free(): invalid pointer | Misaligned or wrapped pointer |
| free(): invalid size | Size < MINSIZE or not aligned |
| free(): too many chunks detected in tcache | Tcache bin overflow |
| free(): unaligned chunk detected in tcache 2 | Tcache entry misalignment |
| free(): double free detected in tcache 2 | Same chunk freed twice (tcache) |
| free(): invalid next size (fast) | Next chunk size invalid (fastbin) |
| double free or corruption (fasttop) | Chunk already at fastbin top |
| invalid fastbin entry (free) | Fastbin size mismatch |
| double free or corruption (top) | Freeing top chunk |
| double free or corruption (out) | Next chunk outside arena |
| double free or corruption (!prev) | Next chunk not marked in-use |
| free(): invalid next size (normal) | Next chunk size invalid (normal) |
| corrupted size vs. prev_size while consolidating | Prev size field mismatch |
Practical Analysis Workflow
When analyzing a heap bug involving free():
- Identify the chunk size - Determines which bin it targets
- Check tcache eligibility - Is tcache enabled? Does size fit?
- Review security checks - Which checks might fail?
- Consider safe-linking - Do you need a heap leak?
- Plan the primitive - Tcache poisoning, fastbin attack, unsorted bin manipulation?
Related Concepts
- Tcache poisoning: Overwrite tcache
fdpointers to control allocation - Fastbin attack: Similar to tcache but with different constraints
- Unsorted bin attacks: First-fit behavior, chunk consolidation
- Double-free primitives: Modern detection makes this harder
- Use-after-free: Often combined with free() manipulation
References
- GNU C Library NEWS 2.42: https://www.gnu.org/software/libc/NEWS.html#2.42
- Safe-Linking internals: https://developers.redhat.com/articles/2020/05/13/new-security-hardening-gnu-c-library
- glibc malloc source: https://github.com/bminor/glibc/blob/master/malloc/malloc.c
Related Skills
abelrguezr/house-of-lore-exploit
testing
VerifiedTrustedCommunity
How to perform a House of Lore (small bin attack) heap exploitation. Use this skill whenever the user mentions heap exploitation, small bin attacks, fake chunks, glibc heap vulnerabilities, or needs to insert fake chunks into small bins for arbitrary read/write. Trigger for CTF challenges involving heap corruption, glibc 2.31+ exploitation, or when the user needs to bypass malloc sanity checks using fake chunk linking.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-force-exploit
testing
VerifiedTrustedCommunity
How to perform House of Force heap exploitation attacks. Use this skill whenever the user mentions heap exploitation, House of Force, top chunk manipulation, arbitrary memory allocation, malloc manipulation, or wants to allocate chunks at specific addresses. Also trigger for CTF challenges involving heap overflows, top chunk size overwrites, or when the user needs to calculate evil_size for heap attacks. Make sure to use this skill for any binary exploitation task involving glibc heap manipulation, even if they don't explicitly say "House of Force".
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-einherjar
tools
VerifiedTrustedCommunity
How to perform House of Einherjar heap exploitation to allocate memory at arbitrary addresses. Use this skill whenever the user mentions heap exploitation, glibc heap attacks, arbitrary memory allocation, off-by-one overflow exploitation, tcache poisoning, fast bin attacks, or any CTF challenge involving heap manipulation. This is essential for binary exploitation tasks where you need to control malloc() return addresses.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/heap-overflow-exploitation
testing
VerifiedTrustedCommunity
How to identify, analyze, and exploit heap overflow vulnerabilities in binary exploitation challenges and real-world scenarios. Use this skill whenever the user mentions heap overflows, memory corruption, heap grooming, tcache poisoning, fast-bin attacks, or any heap-related vulnerability in CTF challenges, binary analysis, or security research. This skill covers heap overflow fundamentals, exploitation techniques, heap grooming strategies, and real-world CVE analysis.
5SKILL.mdUpdated Apr 16, 2026