What is a use after free?


Systems programming languages can allocate memory statically or dynamically. Statically allocated memory persists for the lifetime of the program. For certain applications, such as the kernel, it persists for the entire time the system has been running. Dynamic variables are allocated on demand to provide memory for values whose sizes may be unknown at compile time.

It is up to the programmer to account for usage of the dynamically allocated memory. When a section of memory is no longer required, it should be freed so that it can be used for another allocation in the future. Programmers (not the compiler) are required to ensure that this memory is not accessed after it has been freed.

If a process is able to manipulate the previously freed memory while another section of code still references it, it may cause unintended side effects.

For example, if executable instructions exist in this freed area, an attacker may be able to replace them with a GIF image. This GIF image may be invalid as a GIF file but valid as executable code. When the system attempts to execute this new code, it will run the attacker's functionality, not the code that had existed before.

The use of previously-freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. The simplest way data corruption may occur involves the system's reuse of the freed memory.
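
The reuse described above, as an added example that is not part of the original page: a toy slot pool (constructed here; `pool_alloc`, `pool_free` and `pool_free_and_clear` are hypothetical names) stands in for the heap so the stale read is safe to run. It shows a dangling pointer observing data written through a later allocation, next to the same code with the pointer cleared on free.

```c
#include <stdio.h>
#include <string.h>

/* Toy pool, constructed for this example: a static array stands in for the
 * heap so the stale read stays well-defined C. A freed slot is reused at once. */
#define SLOTS 4
static char pool[SLOTS][32];
static int in_use[SLOTS];

static char *pool_alloc(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;
}

static void pool_free(char *p) {
    for (int i = 0; i < SLOTS; i++) if (pool[i] == p) in_use[i] = 0;
}
/* Safer free: also clears the caller's pointer so reuse is detectable. */
static void pool_free_and_clear(char **pp) { pool_free(*pp); *pp = NULL; }

/* Bug: `role` is read after free. Returns 1 if it shows another allocation's data. */
int stale_pointer_sees_new_data(void) {
    char *role = pool_alloc();
    strcpy(role, "guest");
    pool_free(role);                 /* lifetime over, pointer left dangling */
    char *input = pool_alloc();      /* same slot is handed out again */
    strcpy(input, "admin");          /* unrelated write lands in those bytes */
    int corrupted = strcmp(role, "admin") == 0;   /* the use after free */
    pool_free(input);
    return corrupted;
}

/* Fix: the pointer is cleared on free, so the stale use is caught by a check. */
int cleared_pointer_is_detected(void) {
    char *role = pool_alloc();
    strcpy(role, "guest");
    pool_free_and_clear(&role);
    char *input = pool_alloc();
    strcpy(input, "admin");
    int detected = (role == NULL);   /* code must test this before any use */
    pool_free(input);
    return detected;
}

int main(void) {
    printf("stale pointer sees new data: %d\n", stale_pointer_sees_new_data());
    printf("cleared pointer detected:    %d\n", cleared_pointer_is_detected());
    return 0;
}
```

Clearing the pointer only protects that one variable; any other copy of the address is still dangling.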
