| | Serial number | Fragmented knowledge | Migration pair |
| | #1 | If callable memory is controlled, it may cause control-flow hijacking | C(<p,4>)∧I(<p,4>)C(PC) |
| | #2 | If size of top chunk is controlled, it may cause arbitrary chunk allocation in the high address direction | C(H.T.Sc)IN(c,.A) ∧C(c.a) ∧GE(c.a, .T.a) ∧ LE(c.a,add(.T.a..T.Sc)) |
| | #3 | The data area of the allocated chunk can be controlled by external input | IN(c,.A) ∧LE(p,add(c.a, c.sc)) ∧GE(p,c.D.a) |
| | #4 | If FastBin list has a controllable chunk, it may cause arbitrary chunk allocation | IN(c,.LF) ∧C(c.a) ∧SZ(c.sc,LF)IN(c′,.A) ∧C(c′.a) ∧EQ(c.a, c′.a) |
| | #5 | Pointer to low address −12 bytes can be controlled by external input | C(<p,4>)∧PT(<p,4>,<p-12,4>)∧W(<p,4>) |
| | #6 | If the heap block pointer is controlled, a chunk with a controllable address can be obtained | CP(<p,4>)C(<p,4>)SZ(<val(val(p)+4),4>,.LF)IN(c,.LF)C(c.a)EQ(c.a,val(p)) |
| | #7 | Backward merge process of heap block | IN(c,.Ls)BCS(c, c1, c2)BCD(c,c1, c2)PT(<p,4>, c1.D)PT(<p,4>,<p-12,4>) |
| | #8 | The writable area pointed by the heap pointer can be controlled by external input | CP(<p, 4>)∧PT(<p, 4>,<p′, 4>)∧W(<p′, 4>)C(<p′, 4>) |
| | #9 | If size of allocated chunk is controllable, it may cause chunk overlap | IN(c,.A) ∧C(c.sc)IN(cH,.A) ∧HT(cH, c) ∧Lap(c, cH, p) |
| | #10 | If chunks are overlapped, it may cause chunk in FastBin list controllable | IN(cH,.A) ∧HT(cH, c) ∧Lap(c, cH, p)IN(cF,.LF) ∧C(cF.a) ∧SZ(cF.sc,.LF) |
|
|
