# Heap Functions Security Checks

{% hint style="success" %}
Learn & practice AWS Hacking: [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)

Support HackTricks

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}

## unlink

For more info check:

{% content-ref url="unlink.md" %}
[unlink.md](unlink.md)
{% endcontent-ref %}

This is a summary of the performed checks:

* Check that the size of the chunk is the same as the `prev_size` stored in the next chunk
  * Error message: `corrupted size vs. prev_size`
* Check also that `P->fd->bk == P` and `P->bk->fd == P`
  * Error message: `corrupted double-linked list`
* If the chunk is not small, check that `P->fd_nextsize->bk_nextsize == P` and `P->bk_nextsize->fd_nextsize == P`
  * Error message: `corrupted double-linked list (not small)`

## \_int\_malloc

For more info check:

{% content-ref url="malloc-and-sysmalloc.md" %}
[malloc-and-sysmalloc.md](malloc-and-sysmalloc.md)
{% endcontent-ref %}

* **Checks during fast bin search:**
  * If the chunk is misaligned:
    * Error message: `malloc(): unaligned fastbin chunk detected 2`
  * If the forward chunk is misaligned:
    * Error message: `malloc(): unaligned fastbin chunk detected`
  * If the returned chunk has a size that does not match its index in the fast bin:
    * Error message: `malloc(): memory corruption (fast)`
  * If any chunk used to fill the tcache is misaligned:
    * Error message: `malloc(): unaligned fastbin chunk detected 3`
* **Checks during small bin search:**
  * If `victim->bk->fd != victim`:
    * Error message: `malloc(): smallbin double linked list corrupted`
* **Checks during consolidate** performed for each fast bin chunk:
  * If the chunk is unaligned:
    * Error message: `malloc_consolidate(): unaligned fastbin chunk detected`
  * If the chunk has a different size than the one it should have because of the index it is in:
    * Error message: `malloc_consolidate(): invalid chunk size`
  * If the previous chunk is not in use and the previous chunk has a size different from the one indicated by `prev_size`:
    * Error message: `corrupted size vs. prev_size in fastbins`
* **Checks during unsorted bin search**:
  * If the chunk size is weird (too small or too big):
    * Error message: `malloc(): invalid size (unsorted)`
  * If the next chunk size is weird (too small or too big):
    * Error message: `malloc(): invalid next size (unsorted)`
  * If the previous size indicated by the next chunk differs from the size of the chunk:
    * Error message: `malloc(): mismatching next->prev_size (unsorted)`
  * If not `victim->bck->fd == victim` or not `victim->fd == av (arena)`:
    * Error message: `malloc(): unsorted double linked list corrupted`
    * Since the chunk taken is always the last one in the unsorted bin, its `fd` should always point to the arena struct.
  * If the next chunk isn't indicating that the previous one is in use:
    * Error message: `malloc(): invalid next->prev_inuse (unsorted)`
  * If `fwd->bk_nextsize->fd_nextsize != fwd`:
    * Error message: `malloc(): largebin double linked list corrupted (nextsize)`
  * If `fwd->bk->fd != fwd`:
    * Error message: `malloc(): largebin double linked list corrupted (bk)`
* **Checks during large bin (by index) search:**
  * `bck->fd->bk != bck`:
    * Error message: `malloc(): corrupted unsorted chunks`
* **Checks during large bin (next bigger) search:**
  * `bck->fd->bk != bck`:
    * Error message: `malloc(): corrupted unsorted chunks2`
* **Checks during Top chunk use:**
  * `chunksize(av->top) > av->system_mem`:
    * Error message: `malloc(): corrupted top size`

## `tcache_get_n`

* **Checks in `tcache_get_n`:**
  * If the chunk is misaligned:
    * Error message: `malloc(): unaligned tcache chunk detected`

## `tcache_thread_shutdown`

* **Checks in `tcache_thread_shutdown`:**
  * If the chunk is misaligned:
    * Error message: `tcache_thread_shutdown(): unaligned tcache chunk detected`

## `__libc_realloc`

* **Checks in `__libc_realloc`:**
  * If the old pointer is misaligned or the size was incorrect:
    * Error message: `realloc(): invalid pointer`

## `_int_free`

For more info check:

{% content-ref url="free.md" %}
[free.md](free.md)
{% endcontent-ref %}

* **Checks during the start of `_int_free`:**
  * The pointer must be aligned:
    * Error message: `free(): invalid pointer`
  * The size must be larger than `MINSIZE` and also aligned:
    * Error message: `free(): invalid size`
* **Checks in `_int_free` tcache:**
  * If there are more entries than `mp_.tcache_count`:
    * Error message: `free(): too many chunks detected in tcache`
  * If the entry is not aligned:
    * Error message: `free(): unaligned chunk detected in tcache 2`
  * If the chunk being freed was already freed and is present in the tcache:
    * Error message: `free(): double free detected in tcache 2`
* **Checks in `_int_free` fast bin:**
  * If the size of the chunk is invalid (too big or too small):
    * Error message: `free(): invalid next size (fast)`
  * If the added chunk was already the top of the fast bin:
    * Error message: `double free or corruption (fasttop)`
  * If the chunk at the top of the fast bin has a different size from the chunk we are adding:
    * Error message: `invalid fastbin entry (free)`

## **`_int_free_merge_chunk`**

* **Checks in `_int_free_merge_chunk`:**
  * If the chunk is the top chunk:
    * Error message: `double free or corruption (top)`
  * If the next chunk is outside of the boundaries of the arena:
    * Error message: `double free or corruption (out)`
  * If the chunk is not marked as in use (the `prev_inuse` bit of the following chunk):
    * Error message: `double free or corruption (!prev)`
  * If the next chunk's size is too small or too big:
    * Error message: `free(): invalid next size (normal)`
  * If the previous chunk is not in use, it will try to consolidate. But, if the `prev_size` differs from the size indicated in the previous chunk:
    * Error message: `corrupted size vs. prev_size while consolidating`

## **`_int_free_create_chunk`**

* **Checks in `_int_free_create_chunk`:**
  * When adding a chunk to the unsorted bin, check that `unsorted_chunks(av)->fd->bk == unsorted_chunks(av)`:
    * Error message: `free(): corrupted unsorted chunks`

## `do_check_malloc_state`

* **Checks in `do_check_malloc_state`:**
  * If a fast bin chunk is misaligned:
    * Error message: `do_check_malloc_state(): unaligned fastbin chunk detected`

## `malloc_consolidate`

* **Checks in `malloc_consolidate`:**
  * If a fast bin chunk is misaligned:
    * Error message: `malloc_consolidate(): unaligned fastbin chunk detected`
  * If a fast bin chunk has an incorrect size:
    * Error message: `malloc_consolidate(): invalid chunk size`

## `_int_realloc`

* **Checks in `_int_realloc`:**
  * Size is too big or too small:
    * Error message: `realloc(): invalid old size`
  * Size of the next chunk is too big or too small:
    * Error message: `realloc(): invalid next size`
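The `unlink` checks summarised above (the `prev_size` comparison is the same one `_int_free_merge_chunk` repeats while consolidating), as an added example that is not code from this page or from glibc; the `chunk` struct, the `chunksize()`/`next_chunk()` helpers and the `scenario()` harness are assumptions of this example, and the memory layout it builds is constructed:

```c
/* Added example, not code from the page or from glibc: a minimal model of the
 * glibc unlink() integrity checks. The chunk struct, chunksize()/next_chunk()
 * helpers and the scenario() harness are assumptions of this example; real
 * glibc places fd/bk in the user data area, but the checks are the same. */
#include <stddef.h>
#include <string.h>

#define PREV_INUSE 0x1
#define SIZE_BITS  0x7                 /* low 3 bits of size hold flags */

typedef struct chunk {
    size_t prev_size;                  /* size of previous chunk, if free */
    size_t size;                       /* own size | flag bits */
    struct chunk *fd, *bk;             /* doubly linked free-list pointers */
} chunk;

static size_t chunksize(const chunk *p) { return p->size & ~(size_t)SIZE_BITS; }
static chunk *next_chunk(chunk *p) { return (chunk *)((char *)p + chunksize(p)); }

/* Returns NULL when the chunk passes, otherwise the glibc error message that
 * would be reported, in the order glibc performs the checks. */
const char *unlink_check(chunk *p) {
    if (chunksize(p) != next_chunk(p)->prev_size)
        return "corrupted size vs. prev_size";
    if (p->fd->bk != p || p->bk->fd != p)
        return "corrupted double-linked list";
    return NULL;
}

/* Constructed scenario: a bin head holding one free chunk A (0x40 bytes),
 * followed in memory by chunk B whose prev_size mirrors A's size. The two
 * flags inject the inconsistencies the checks are designed to catch. */
const char *scenario(int corrupt_fd, int corrupt_prev_size) {
    static _Alignas(16) unsigned char mem[0x80];
    chunk bin = {0}, decoy = {0};      /* decoy.bk is NULL, so it never points back */
    memset(mem, 0, sizeof mem);
    chunk *A = (chunk *)mem, *B = (chunk *)(mem + 0x40);
    A->size = 0x40 | PREV_INUSE;
    B->prev_size = 0x40;
    bin.fd = bin.bk = A;               /* consistent list: bin <-> A <-> bin */
    A->fd = A->bk = &bin;
    if (corrupt_fd)        A->fd = &decoy;      /* fd->bk no longer equals A */
    if (corrupt_prev_size) B->prev_size = 0x30; /* next chunk disagrees on A's size */
    return unlink_check(A);            /* NULL, "corrupted double-linked list",
                                          or "corrupted size vs. prev_size" */
}
```

Because glibc compares sizes before walking the list pointers, a chunk with both inconsistencies reports `corrupted size vs. prev_size`, which is why a crash message alone does not tell you which field was damaged first.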