[Forgot Password]
Login  Register Subscribe

23631

 
 

115084

 
 

97147

 
 

909

 
 

78730

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Double Free

ID: 415Date: (C)2012-05-14   (M)2017-11-15
Type: weaknessStatus: DRAFT
Abstraction Type: Variant





Description

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

Extended Description

When a program calls free() twice with the same argument, the program's memory management data structures become corrupted. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc() to return the same pointer. If malloc() returns the same value twice and the program later gives the attacker control over the data that is written into this doubly-allocated memory, the program becomes vulnerable to a buffer overflow attack.

Likelihood of Exploit: Low to Medium

Applicable Platforms
Language: C
Language: C++

Time Of Introduction

  • Architecture and Design
  • Implementation

Common Consequences

ScopeTechnical ImpactNotes
Integrity
Confidentiality
Availability
 
Execute unauthorized code or commands
 
Doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code.
 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Architecture and Design
 
 Choose a language that provides automatic memory management.
 
  
Implementation
 
 Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
 
  
Implementation
 
 Use a static analysis tool to find double free instances.
 
  

Relationships
This is usually resultant from another weakness, such as an unhandled error or race condition between threads. It could also be primary to weaknesses such as buffer overflows.

Related CWETypeViewChain
CWE-415 ChildOf CWE-891 Category CWE-888  

Demonstrative Examples   (Details)

  1. The following code shows a simple example of a double free vulnerability.
  2. While contrived, this code should be exploitable on Linux distributions which do not ship with heap-chunk check summing turned on.

Observed Examples

  1. CVE-2006-5051 : Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition that leads to a double free (CWE-415).
  2. CVE-2004-0642 : Double free resultant from certain error conditions.
  3. CVE-2004-0772 : Double free resultant from certain error conditions.
  4. CVE-2005-1689 : Double free resultant from certain error conditions.
  5. CVE-2003-0545 : Double free from invalid ASN.1 encoding.
  6. CVE-2003-1048 : Double free from malformed GIF.
  7. CVE-2005-0891 : Double free from malformed GIF.
  8. CVE-2002-0059 : Double free from malformed compressed data.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
A weakness where code path has:
1. start statement that relinquishes a dynamically allocated memory resource
2. end statement that relinquishes the dynamically allocated memory resource

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
PLOVER  DFREE - Double-Free Vulnerability
 
 
7 Pernicious Kingdoms  Double Free
 
 
CLASP  Doubly freeing memory
 
 
CERT C Secure Coding MEM00-C
 
Allocate and free memory in the same module, at the same level of abstraction
 
 
CERT C Secure Coding MEM01-C
 
Store a new value in pointers immediately after free()
 
 
CERT C Secure Coding MEM31-C
 
Free dynamically allocated memory exactly once
 
 
CERT C++ Secure Coding MEM01-CPP
 
Store a valid value in pointers immediately after deallocation
 
 
CERT C++ Secure Coding MEM31-CPP
 
Free dynamically allocated memory exactly once
 
 

References:

  1. Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 8: C++ Catastrophes." Page 143'. Published on 2010.
  2. Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 7, "Double Frees", Page 379.'. Published on 2006.

© 2013 SecPod Technologies