Description
The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.
When a program calls free() twice with the same argument, the program’s memory management data structures become corrupted. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc() to return the same pointer. If malloc() returns the same value twice and the program later gives the attacker control over the data that is written into this doubly-allocated memory, the program becomes vulnerable to a buffer overflow attack.
Modes of Introduction:
– Architecture and Design
Likelihood of Exploit: High
Related Weaknesses
CWE-825 – Expired Pointer Dereference
CWE-1341 – Multiple Releases of Same Resource or Handle
CWE-672 – Operation on a Resource after Expiration or Release
CWE-666 – Operation on Resource in Wrong Phase of Lifetime
CWE-416 – Use After Free
CWE-123 – Write-what-where Condition
Consequences
Integrity, Confidentiality, Availability: Modify Memory, Execute Unauthorized Code or Commands
Doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code.
Potential Mitigations
Phase: Architecture and Design
Description:
Choose a language that provides automatic memory management.
Phase: Implementation
Description:
Ensure that each allocation is freed exactly once. After freeing a chunk, set the pointer to NULL so that a repeat free through that variable becomes free(NULL), which C defines as a no-op; note that this protects only that one variable, and any other copy of the same pointer still dangles (CWE-416). In complicated error conditions, be sure that clean-up routines respect the state of allocation properly, ideally by routing every error path through a single release function rather than calling free() in each branch. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Phase: Implementation
Description:
Use a static analysis tool to find double free instances, and run the test suite under a dynamic checker such as AddressSanitizer, which reports the second free() together with the stack traces of the allocation and of the first free().
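The two shapes the implementation mitigation contrasts, as an added C example that is not part of the CWE entry: a parser whose error branch frees a field and then falls into a shared cleanup label that frees it again (the CWE-415 pattern), beside the hardened version in which every error path jumps to one idempotent destructor that nulls each field as it releases it. The record format, the struct and all function names are hypothetical and constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Release a heap chunk through the caller's variable and clear that
 * variable, so a repeat call on it becomes free(NULL), which C defines
 * as a no-op. It does NOT protect other copies of the same pointer. */
#define FREE_AND_NULL(p) do { free(p); (p) = NULL; } while (0)

/* Hypothetical record format, constructed for this example:
 * byte 0 is a tag that must be 0x01, the remaining bytes are the payload. */
struct record {
    char *name;
    unsigned char *payload;
    size_t payload_len;
};

/* Portable strdup replacement so the file builds under strict -std=c99. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d != NULL) memcpy(d, s, n);
    return d;
}

/* Idempotent destructor: safe to call any number of times on the same
 * struct, because each field is nulled as it is released. */
void record_destroy(struct record *r)
{
    if (r == NULL) return;
    FREE_AND_NULL(r->payload);
    FREE_AND_NULL(r->name);
    r->payload_len = 0;
}

/* Vulnerable shape (CWE-415): the tag-check error branch frees the payload,
 * then falls into the shared cleanup label and frees the same address
 * again. Shown for contrast only and never called below; under a current
 * glibc the second free() aborts with a double-free diagnostic, and
 * AddressSanitizer reports it as attempting double-free. */
int parse_record_vulnerable(const unsigned char *buf, size_t len, struct record *out)
{
    out->name = NULL;
    out->payload = NULL;
    out->payload_len = 0;
    if (len < 2) return -1;

    out->payload = malloc(len - 1);
    if (out->payload == NULL) return -1;
    memcpy(out->payload, buf + 1, len - 1);
    out->payload_len = len - 1;

    if (buf[0] != 0x01) {
        free(out->payload);     /* first free; pointer left dangling */
        goto fail;
    }
    out->name = dup_string("record");
    if (out->name == NULL) goto fail;
    return 0;
fail:
    free(out->payload);         /* second free of the same chunk */
    free(out->name);
    return -1;
}

/* Hardened shape: exactly one owner (the struct) and exactly one release
 * path (record_destroy). Error branches only jump to it and never call
 * free() themselves, so no chunk can be released twice. */
int parse_record(const unsigned char *buf, size_t len, struct record *out)
{
    out->name = NULL;
    out->payload = NULL;
    out->payload_len = 0;
    if (len < 2) return -1;

    out->payload = malloc(len - 1);
    if (out->payload == NULL) return -1;
    memcpy(out->payload, buf + 1, len - 1);
    out->payload_len = len - 1;

    if (buf[0] != 0x01) goto fail;
    out->name = dup_string("record");
    if (out->name == NULL) goto fail;
    return 0;
fail:
    record_destroy(out);        /* single cleanup path, fields nulled */
    return -1;
}

int main(void)
{
    /* Constructed inputs: a well-formed record and one with a bad tag. */
    const unsigned char good[] = { 0x01, 'a', 'b', 'c' };
    const unsigned char bad[]  = { 0x02, 'a', 'b', 'c' };
    struct record r;
    int rc;

    rc = parse_record(good, sizeof good, &r);
    printf("good: rc=%d len=%zu name=%s\n", rc, r.payload_len, r.name);
    record_destroy(&r);
    record_destroy(&r);         /* repeat is harmless: free(NULL) */
    rc = parse_record(bad, sizeof bad, &r);
    printf("bad:  rc=%d payload=%p\n", rc, (void *)r.payload);
    return 0;
}
```

The fix is structural rather than a one-line patch: the error branch in parse_record_vulnerable is not wrong on its own, it only becomes a double free because a second release path exists. Collapsing all cleanup into record_destroy removes the second path, and nulling inside the destructor makes the remaining one idempotent, which is what the "set the pointer to NULL" advice above buys you in practice.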
CVE References
- CVE-2006-5051: Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition (CWE-362) that leads to a double free (CWE-415).
- CVE-2004-0642: Double free resultant from certain error conditions.
- CVE-2004-0772: Double free resultant from certain error conditions.
- CVE-2005-1689: Double free resultant from certain error conditions.
- CVE-2003-0545: Double free from invalid ASN.1 encoding.
- CVE-2003-1048: Double free from malformed GIF.
- CVE-2005-0891: Double free from malformed GIF.
- CVE-2002-0059: Double free from malformed compressed data.