if you think about it all exploitable memory corruption is a special class of type confusion. UaF -> type confusion with free chunk, overflow -> lets you write data of one kind into data of another, and double free -> uaf -> type confusion
I think it helps to distinguish between bug classes and exploit classes here. "type confusion" is both a bug class and an exploit class; so you can take a bug that has bug class UAF, but exploit it as a type confusion
(I also think that many "UAF" bugs aren't really "UAF", because many of them can technically be triggered without ever reaching the free() - so the bug class is something like "improper concurrency" or "pointer-use-after-invalidation", even though the exploit class is often UAF)
i mean, my argument was more "philosophical": even if you UaF and replace with the same kind of object, at some point the allocation *has* been free'd, essentially changing type into "free'd chunk", and it's the behavior of free chunks you abuse in order to reallocate :)
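The "UaF -> type confusion with free chunk" point from the thread, as an added example (not code from any of the participants): a hypothetical toy pool allocator that, like real allocators, stores its freelist link inside the chunk, so a dangling pointer first sees the "free chunk" type and then whatever type the chunk is re-issued as. The allocator, struct layouts and the 'A' fill are all constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy pool allocator (hypothetical, added for illustration): fixed-size chunks on a
   freelist whose link is stored INSIDE the chunk, as real allocators do. A freed chunk
   thus has a "type" of its own: word 0 is a freelist link, not the program's data. */
#define NCHUNKS 4
static uint64_t pool[NCHUNKS][4];             /* four 32-byte, 8-byte-aligned chunks */
static void *freelist;
static void pool_init(void) {
    freelist = NULL;
    for (int i = NCHUNKS - 1; i >= 0; i--) {  /* push in reverse so pool[0] is first out */
        memcpy(pool[i], &freelist, sizeof freelist);
        freelist = pool[i];
    }
}
static void *pool_alloc(void) {
    void *c = freelist;
    if (c) memcpy(&freelist, c, sizeof freelist);  /* pop: the link lives in word 0 */
    return c;
}
static void pool_free(void *c) {
    memcpy(c, &freelist, sizeof freelist);         /* word 0 is overwritten by the link */
    freelist = c;
}

/* Two unrelated types that fit the same chunk size. */
struct session { uint64_t is_admin; char name[24]; };
struct buffer  { char data[32]; };
/* What a dangling `struct session *` reads while its chunk is free, then after reuse. */
struct observation { uint64_t while_free; uint64_t after_reuse; };
struct observation uaf_as_type_confusion(void) {
    struct observation o;
    pool_init();
    struct session *s = pool_alloc();
    s->is_admin = 0;
    strcpy(s->name, "guest");
    pool_free(s);                     /* s is now dangling: the UAF */
    o.while_free = s->is_admin;       /* "type confusion with free chunk": a link, not a flag */
    struct buffer *b = pool_alloc();  /* the same chunk comes back as a buffer */
    memset(b->data, 'A', sizeof b->data);
    o.after_reuse = s->is_admin;      /* buffer bytes read through the session type */
    return o;
}
int main(void) {
    struct observation o = uaf_as_type_confusion();
    printf("is_admin while free: %#llx, after reuse: %#llx\n", (unsigned long long)o.while_free, (unsigned long long)o.after_reuse);
}
```

The first read shows the flag field holding an allocator pointer (the freed chunk's own "type"), the second shows it holding buffer bytes; neither value was ever written as an is_admin flag, which is why a UAF is exploited as a type confusion.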