In glibc-2.26, TCache (per-thread cache), a new feature, was introduced in malloc. I did not take much notice to the new patch last year until I came across the SimpleGC challenge in 34C3 CTF last year. During the contest, I did not take much time analysing the work flow of TCache and used a brute-force method to get the desired result.
In this post, I am going to give a detailed explanation on how TCache works. Based on the background knowledge, I will introduce two potential exploitation techniques that may appear in future CTF challenges. One is TCache poison , which is very similar to fastbin corruption attack. The other one is CVE-2017-17426, which may bring unexpected effect in heap exploitation. Both techniques are tested with glibc-2.26 on Ubuntu 17.04.