CWE-415 – Double Free

Read Time:1 Minute, 41 Second

Description

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

When a program calls free() twice with the same argument, the program’s memory management data structures become corrupted. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc() to return the same pointer. If malloc() returns the same value twice and the program later gives the attacker control over the data that is written into this doubly-allocated memory, the program becomes vulnerable to a buffer overflow attack.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-825
CWE-1341
CWE-672
CWE-672
CWE-672
CWE-666
CWE-416
CWE-123

 

Consequences

Integrity, Confidentiality, Availability: Modify Memory, Execute Unauthorized Code or Commands

Doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Choose a language that provides automatic memory management.

Phase: Implementation

Description: 

Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.

Phase: Implementation

Description: 

Use a static analysis tool to find double free instances.

CVE References

  • CVE-2006-5051
    • Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition (CWE-362) that leads to a double free (CWE-415).
  • CVE-2004-0642
    • Double free resultant from certain error conditions.
  • CVE-2004-0772
    • Double free resultant from certain error conditions.
  • CVE-2005-1689
    • Double free resultant from certain error conditions.