CWE-415: Double Free

Export to Word

Description

The product calls free() twice on the same memory address.

Extended Description

N/A

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

CVE: CVE-2006-5051

Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition (CWE-362) that leads to a double free (CWE-415).
CVE: CVE-2004-0642

Double free resultant from certain error conditions.
CVE: CVE-2004-0772

Double free resultant from certain error conditions.
CVE: CVE-2005-1689

Double free resultant from certain error conditions.
CVE: CVE-2003-0545

Double free from invalid ASN.1 encoding.
CVE: CVE-2003-1048

Double free from malformed GIF.
CVE: CVE-2005-0891

Double free from malformed GIF.
CVE: CVE-2002-0059

Double free from malformed compressed data.

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Implementation	N/A

Common Consequences

Impact: Modify Memory, Execute Unauthorized Code or Commands — Notes:

Potential Mitigations

Architecture and Design: Choose a language that provides automatic memory management. (N/A)
Implementation: Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once. (N/A)
Implementation: Use a static analysis tool to find double free instances. (N/A)

Applicable Platforms

C (N/A, Undetermined)
C++ (N/A, Undetermined)

Demonstrative Examples

Intro: The following code shows a simple example of a double free vulnerability.

Body: Double free vulnerabilities have two common (and sometimes overlapping) causes:

char* ptr = (char*)malloc (SIZE); ... if (abrt) { free(ptr); } ... free(ptr);

Intro: While contrived, this code should be exploitable on Linux distributions that do not ship with heap-chunk check summing turned on.

#include <stdio.h> #include <unistd.h> #define BUFSIZE1 512 #define BUFSIZE2 ((BUFSIZE1/2) - 8) int main(int argc, char **argv) { char *buf1R1; char *buf2R1; char *buf1R2; buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); }

Notes

Relationship: This is usually resultant from another weakness, such as an unhandled error or race condition between threads. It could also be primary to weaknesses such as buffer overflows.
Theoretical: It could be argued that Double Free would be most appropriately located as a child of "Use after Free", but "Use" and "Release" are considered to be distinct operations within vulnerability theory, therefore this is more accurately "Release of a Resource after Expiration or Release", which doesn't exist yet.

← Back to CWE list