Use After Free
ID: 416 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Base |
Description
Referencing memory after it has been freed can cause a program
to crash, use unexpected values, or execute code.
Extended Description
The use of previously-freed memory can have any number of adverse
consequences, ranging from the corruption of valid data to the execution of
arbitrary code, depending on the instantiation and timing of the flaw. The
simplest way data corruption may occur involves the system's reuse of the
freed memory. Use-after-free errors have two common and sometimes
overlapping causes:
- Error conditions and other exceptional circumstances.
- Confusion over which part of the program is responsible for freeing
  the memory.
In this scenario, the memory in question is allocated to another pointer
validly at some point after it has been freed. The original pointer to the
freed memory is used again and points to somewhere within the new
allocation. As the data is changed, it corrupts the validly used memory;
this induces undefined behavior in the process.
If the newly allocated data chances to hold a class, in C++ for example,
various function pointers may be scattered within the heap data. If one of
these function pointers is overwritten with an address to valid shellcode,
execution of arbitrary code can be achieved.
Likelihood of Exploit: High
Applicable Platforms
- Language: C
- Language: C++
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Integrity | Modify memory | The use of previously freed memory may corrupt valid data, if the memory area in question has been allocated and used properly elsewhere. |
Availability | DoS: crash / exit / restart | If chunk consolidation occurs after the use of previously freed data, the process may crash when invalid data is used as chunk information. |
Integrity, Confidentiality, Availability | Execute unauthorized code or commands | If malicious data is entered before chunk consolidation can take place, it may be possible to take advantage of a write-what-where primitive to execute arbitrary code. |
Detection Methods: None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
Architecture and Design | | Choose a language that provides automatic memory management. | | |
Implementation | | When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy. | | |
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-416 ChildOf CWE-892 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following code illustrates a use after free error:
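The demonstrative code itself is not reproduced on this page. What follows is an added example, written for this page and not taken from the CWE entry or any project: a four-slot slab allocator whose handles carry a generation tag, which makes the "freed memory is reused by a later allocation" scenario from the Extended Description reproducible and turns the stale second access into a refused operation instead of silent corruption of the new owner's data. All names (`slab_alloc`, `slab_free`, `slab_check`, `uaf_scenario`, the slot counts and sizes) are constructed for the example; real allocators and sanitizers detect the same condition with quarantines and shadow memory, which this model does not reproduce.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_COUNT 4
#define SLOT_SIZE  32

/* A handle names a slot plus the generation it was issued for. A copy kept
 * after free still names the slot, but its generation stops matching as soon
 * as the slot is freed or handed to a new owner. A raw C pointer has no such
 * tag, which is exactly why a stale pointer "works" until it corrupts data. */
struct handle { int slot; uint32_t gen; };

static unsigned char slab[SLOT_COUNT][SLOT_SIZE];
static uint32_t slot_gen[SLOT_COUNT];    /* current generation per slot */
static int      slot_live[SLOT_COUNT];   /* 1 while allocated */

/* Hand out the lowest free slot; slot -1 means the slab is exhausted. */
struct handle slab_alloc(void) {
    for (int i = 0; i < SLOT_COUNT; i++) {
        if (!slot_live[i]) {
            slot_live[i] = 1;
            slot_gen[i]++;                     /* new generation for the new owner */
            memset(slab[i], 0, SLOT_SIZE);
            return (struct handle){ i, slot_gen[i] };
        }
    }
    return (struct handle){ -1, 0 };
}

/* Relinquish the slot. The caller's handle is NOT invalidated, mirroring free(). */
int slab_free(struct handle h) {
    if (h.slot < 0 || h.slot >= SLOT_COUNT) return -1;
    if (!slot_live[h.slot] || slot_gen[h.slot] != h.gen) return -1; /* double free / stale */
    slot_live[h.slot] = 0;
    return 0;
}

/* 0 = live and owned by this handle, 1 = freed, 2 = never valid,
 * 3 = freed and since reissued to a different owner. */
int slab_check(struct handle h) {
    if (h.slot < 0 || h.slot >= SLOT_COUNT) return 2;
    if (!slot_live[h.slot]) return 1;
    if (slot_gen[h.slot] != h.gen) return 3;
    return 0;
}

/* Every access is validated first; a stale handle is refused rather than
 * allowed to overwrite whatever now occupies the slot. */
int slab_write(struct handle h, const char *s) {
    if (slab_check(h) != 0) return -1;
    strncpy((char *)slab[h.slot], s, SLOT_SIZE - 1);   /* slot was zeroed on alloc */
    return 0;
}

const char *slab_read(struct handle h) {
    return slab_check(h) == 0 ? (const char *)slab[h.slot] : NULL;
}

/* The scenario from the Extended Description, step by step. Returns the
 * slab_check() result for the stale handle after reuse (3), or -1 if the new
 * owner's data was disturbed. */
int uaf_scenario(void) {
    struct handle a = slab_alloc();
    slab_write(a, "session-A");
    slab_free(a);                       /* start statement: resource relinquished */
    struct handle b = slab_alloc();     /* reuse: b lands in the slot a just left */
    slab_write(b, "session-B");
    slab_write(a, "overwrite");         /* end statement: stale handle used again; refused */
    const char *seen = slab_read(b);
    int intact = seen && strcmp(seen, "session-B") == 0;
    int stale = slab_check(a);
    slab_free(b);
    return intact ? stale : -1;
}

int main(void) {
    printf("stale handle status after reuse: %d\n", uaf_scenario());
    return 0;
}
```

With plain `malloc`/`free` the same sequence is undefined behaviour: the write through `a` silently lands in `b`'s block, and if that block now holds a C++ object the overwritten bytes may include a vtable or function pointer, which is the path to code execution the description refers to.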
Observed Examples
- CVE-2010-4168 : Use-after-free triggered by closing a connection while data is still being transmitted.
- CVE-2010-2941 : Improper allocation for invalid data leads to use-after-free.
- CVE-2010-2547 : certificate with a large number of Subject Alternate Names not properly handled in realloc, leading to use-after-free
- CVE-2010-1772 : Timers are not disabled when a related object is deleted
- CVE-2010-1437 : Access to a "dead" object that is being cleaned up
- CVE-2010-1208 : object is deleted even with a non-zero reference count, and later accessed
- CVE-2010-0629 : use-after-free involving request containing an invalid version number
- CVE-2010-0378 : unload of an object that is currently being accessed by other functionality
- CVE-2010-0302 : incorrectly tracking a reference count leads to use-after-free
- CVE-2010-0249 : use-after-free related to use of uninitialized memory
- CVE-2010-0050 : HTML document with incorrectly-nested tags
- CVE-2009-3658 : Use after free in ActiveX object by providing a malformed argument to a method
- CVE-2009-3616 : use-after-free by disconnecting during data transfer, or a message containing incorrect data types
- CVE-2009-3553 : disconnect during a large data transfer causes incorrect reference count, leading to use-after-free
- CVE-2009-2416 : use-after-free found by fuzzing
- CVE-2009-1837 : Chain: race condition (CWE-362) from improper handling of a page transition in web client while an applet is loading (CWE-368) leads to use after free (CWE-416)
- CVE-2009-0749 : realloc generates new buffer and pointer, but previous pointer is still retained, leading to use after free
- CVE-2010-3328 : Use-after-free in web browser, probably resultant from not initializing memory.
- CVE-2008-5038 : use-after-free when one thread accessed memory that was freed by another thread
- CVE-2008-0077 : assignment of malformed values to certain properties triggers use after free
- CVE-2006-4434 : mail server does not properly handle a long header.
- CVE-2010-2753 : chain: integer overflow leads to use-after-free
- CVE-2006-4997 : freed pointer dereference
White Box Definitions
A weakness where a code path has:
1. a start statement that relinquishes a dynamically allocated memory resource
2. an end statement that accesses the dynamically allocated memory resource
Black Box Definitions: None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|---|---|---|
7 Pernicious Kingdoms | | Use After Free | |
CLASP | | Using freed memory | |
CERT C Secure Coding | MEM00-C | Allocate and free memory in the same module, at the same level of abstraction | |
CERT C Secure Coding | MEM01-C | Store a new value in pointers immediately after free() | |
CERT C Secure Coding | MEM30-C | Do not access freed memory | |
CERT C++ Secure Coding | MEM01-CPP | Store a valid value in pointers immediately after deallocation | |
CERT C++ Secure Coding | MEM30-CPP | Do not access freed memory | |
References:
- Michael Howard, David LeBlanc and John Viega. 24 Deadly Sins of Software Security. McGraw-Hill, 2010. Section "Sin 8: C++ Catastrophes", page 143.