[Forgot Password]
Login  Register Subscribe

23631

 
 

115084

 
 

97147

 
 

909

 
 

78730

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Use After Free

ID: 416Date: (C)2012-05-14   (M)2017-11-15
Type: weaknessStatus: DRAFT
Abstraction Type: Base





Description

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Extended Description

The use of previously-freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. The simplest way data corruption may occur involves the system's reuse of the freed memory. Use-after-free errors have two common and sometimes overlapping causes:

Error conditions and other exceptional circumstances.

Confusion over which part of the program is responsible for freeing the memory.

In this scenario, the memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation. As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process.

If the newly allocated data chances to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved.

Likelihood of Exploit: High

Applicable Platforms
Language: C
Language: C++

Time Of Introduction

  • Architecture and Design
  • Implementation

Common Consequences

ScopeTechnical ImpactNotes
Integrity
 
Modify memory
 
The use of previously freed memory may corrupt valid data, if the memory area in question has been allocated and used properly elsewhere.
 
Availability
 
DoS: crash / exit / restart
 
If chunk consolidation occurs after the use of previously freed data, the process may crash when invalid data is used as chunk information.
 
Integrity
Confidentiality
Availability
 
Execute unauthorized code or commands
 
If malicious data is entered before chunk consolidation can take place, it may be possible to take advantage of a write-what-where primitive to execute arbitrary code.
 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Architecture and Design
 
 Choose a language that provides automatic memory management.
 
  
Implementation
 
 When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
 
  

Relationships

Related CWETypeViewChain
CWE-416 ChildOf CWE-892 Category CWE-888  

Demonstrative Examples   (Details)

  1. The following code illustrates a use after free error:

Observed Examples

  1. CVE-2010-4168 : Use-after-free triggered by closing a connection while data is still being transmitted.
  2. CVE-2010-2941 : Improper allocation for invalid data leads to use-after-free.
  3. CVE-2010-2547 : certificate with a large number of Subject Alternate Names not properly handled in realloc, leading to use-after-free
  4. CVE-2010-1772 : Timers are not disabled when a related object is deleted
  5. CVE-2010-1437 : Access to a "dead" object that is being cleaned up
  6. CVE-2010-1208 : object is deleted even with a non-zero reference count, and later accessed
  7. CVE-2010-0629 : use-after-free involving request containing an invalid version number
  8. CVE-2010-0378 : unload of an object that is currently being accessed by other functionality
  9. CVE-2010-0302 : incorrectly tracking a reference count leads to use-after-free
  10. CVE-2010-0249 : use-after-free related to use of uninitialized memory
  11. CVE-2010-0050 : HTML document with incorrectly-nested tags
  12. CVE-2009-3658 : Use after free in ActiveX object by providing a malformed argument to a method
  13. CVE-2009-3616 : use-after-free by disconnecting during data transfer, or a message containing incorrect data types
  14. CVE-2009-3553 : disconnect during a large data transfer causes incorrect reference count, leading to use-after-free
  15. CVE-2009-2416 : use-after-free found by fuzzing
  16. CVE-2009-1837 : Chain: race condition (CWE-362) from improper handling of a page transition in web client while an applet is loading (CWE-368) leads to use after free (CWE-416)
  17. CVE-2009-0749 : realloc generates new buffer and pointer, but previous pointer is still retained, leading to use after free
  18. CVE-2010-3328 : Use-after-free in web browser, probably resultant from not initializing memory.
  19. CVE-2008-5038 : use-after-free when one thread accessed memory that was freed by another thread
  20. CVE-2008-0077 : assignment of malformed values to certain properties triggers use after free
  21. CVE-2006-4434 : mail server does not properly handle a long header.
  22. CVE-2010-2753 : chain: integer overflow leads to use-after-free
  23. CVE-2006-4997 : freed pointer dereference

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
A weakness where code path has:
1. start statement that relinquishes a dynamically allocated memory resource
2. end statement that accesses the dynamically allocated memory resource

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
7 Pernicious Kingdoms  Use After Free
 
 
CLASP  Using freed memory
 
 
CERT C Secure Coding MEM00-C
 
Allocate and free memory in the same module, at the same level of abstraction
 
 
CERT C Secure Coding MEM01-C
 
Store a new value in pointers immediately after free()
 
 
CERT C Secure Coding MEM30-C
 
Do not access freed memory
 
 
CERT C++ Secure Coding MEM01-CPP
 
Store a valid value in pointers immediately after deallocation
 
 
CERT C++ Secure Coding MEM30-CPP
 
Do not access freed memory
 
 

References:

  1. Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 8: C++ Catastrophes." Page 143'. Published on 2010.

© 2013 SecPod Technologies