Double Free| ID: 415 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Variant |
Description
The product calls free() twice on the same memory address,
potentially leading to modification of unexpected memory
locations.
Extended DescriptionWhen a program calls free() twice with the same argument, the program's
memory management data structures become corrupted. This corruption can
cause the program to crash or, in some circumstances, cause two later calls
to malloc() to return the same pointer. If malloc() returns the same value
twice and the program later gives the attacker control over the data that is
written into this doubly-allocated memory, the program becomes vulnerable to
a buffer overflow attack.
Likelihood of Exploit: Low to Medium
Applicable PlatformsLanguage: CLanguage: C++
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| IntegrityConfidentialityAvailability | Execute unauthorized code or
commands | Doubly freeing memory may result in a write-what-where condition,
allowing an attacker to execute arbitrary code. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | | Choose a language that provides automatic memory management. | | |
| Implementation | | Ensure that each allocation is freed only once. After freeing a chunk,
set the pointer to NULL to ensure the pointer cannot be freed again. In
complicated error conditions, be sure that clean-up routines respect the
state of allocation properly. If the language is object oriented, ensure
that object destructors delete each chunk of memory only once. | | |
| Implementation | | Use a static analysis tool to find double free instances. | | |
RelationshipsThis is usually resultant from another weakness, such as an unhandled
error or race condition between threads. It could also be primary to
weaknesses such as buffer overflows.
| Related CWE | Type | View | Chain |
|---|
| CWE-415 ChildOf CWE-891 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following code shows a simple example of a double free
vulnerability.
- While contrived, this code should be exploitable on Linux
distributions which do not ship with heap-chunk check summing turned
on.
Observed Examples
- CVE-2006-5051 : Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition that leads to a double free (CWE-415).
- CVE-2004-0642 : Double free resultant from certain error conditions.
- CVE-2004-0772 : Double free resultant from certain error conditions.
- CVE-2005-1689 : Double free resultant from certain error conditions.
- CVE-2003-0545 : Double free from invalid ASN.1 encoding.
- CVE-2003-1048 : Double free from malformed GIF.
- CVE-2005-0891 : Double free from malformed GIF.
- CVE-2002-0059 : Double free from malformed compressed data.
For more examples, refer to CVE relations in the bottom box.
White Box DefinitionsA weakness where code path has:1. start statement that relinquishes a dynamically allocated memory
resource2. end statement that relinquishes the dynamically allocated memory
resource
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | DFREE - Double-Free Vulnerability | |
| 7 Pernicious Kingdoms | | Double Free | |
| CLASP | | Doubly freeing memory | |
| CERT C Secure Coding | MEM00-C | Allocate and free memory in the same module, at the same level
of abstraction | |
| CERT C Secure Coding | MEM01-C | Store a new value in pointers immediately after
free() | |
| CERT C Secure Coding | MEM31-C | Free dynamically allocated memory exactly
once | |
| CERT C++ Secure Coding | MEM01-CPP | Store a valid value in pointers immediately after
deallocation | |
| CERT C++ Secure Coding | MEM31-CPP | Free dynamically allocated memory exactly
once | |
References:
- Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 8: C++ Catastrophes." Page 143'. Published on 2010.
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 7, "Double Frees", Page 379.'. Published on 2006.
