Difference between revisions of "Doubly freeing memory"
Line 130: | Line 130: | ||
[[Category:OWASP_CLASP_Project]] | [[Category:OWASP_CLASP_Project]] | ||
[[Category:Code Snippet]] | [[Category:Code Snippet]] | ||
− | [[Category:C]] | + | [[Category:OWASP C/C++ Project]] |
[[Category:Implementation]] | [[Category:Implementation]] |
Revision as of 12:42, 2 December 2015
This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.
Last revision (mm/dd/yy): 12/2/2015
Description
Freeing or deleting the same memory chunk twice may - when combined with other flaws - result in a write-what-where condition.
Consequences
- Access control: Doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code.
Exposure period
- Requirements specification: A language which handles memory allocation and garbage collection automatically might be chosen.
- Implementation: Double frees are caused most often by lower-level logical errors.
Platform
- Language: C, C++, Assembly
- Operating system: All
Required resources
Any
Severity
High
Likelihood of exploit
Low to Medium
Doubly freeing memory can result in roughly the same write-what-where condition as the use of previously freed memory.
Risk Factors
TBD
Examples
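While contrived, this code should be exploitable on Linux distributions that do not ship with heap-chunk checksumming turned on.

```c
#include <stdio.h>
#include <stdlib.h>   /* malloc, free */
#include <string.h>   /* strncpy */
#include <unistd.h>

#define BUFSIZE1 512
#define BUFSIZE2 ((BUFSIZE1/2) - 8)

int main(int argc, char **argv) {
    char *buf1R1;
    char *buf2R1;
    char *buf1R2;

    if (argc < 2)               /* argv[1] is required below */
        return 1;

    buf1R1 = (char *) malloc(BUFSIZE2);
    buf2R1 = (char *) malloc(BUFSIZE2);

    free(buf1R1);
    free(buf2R1);               /* first free; buf2R1 is now a stale pointer */

    buf1R2 = (char *) malloc(BUFSIZE1);
    strncpy(buf1R2, argv[1], BUFSIZE1-1);   /* caller-supplied data */

    free(buf2R1);               /* second free of buf2R1: the double free */
    free(buf1R2);
    return 0;
}
```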
Related Attacks
Related Vulnerabilities
Related Controls
- Implementation: Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
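
The controls above (free once, set the pointer to NULL, one clean-up routine that respects allocation state), as an added example that is not part of the original OWASP page. `struct session`, `session_init`, `session_clear` and `FREE_AND_NULL` are hypothetical names chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Free and clear in one step: a repeated call becomes free(NULL), a no-op. */
#define FREE_AND_NULL(p) do { free(p); (p) = NULL; } while (0)

/* Hypothetical record that owns two heap buffers. */
struct session {
    char *user;
    char *token;
};

/* Single clean-up routine; safe to call on a partly built or cleared record. */
void session_clear(struct session *s)
{
    if (s == NULL)
        return;
    FREE_AND_NULL(s->user);
    FREE_AND_NULL(s->token);
}

/* Returns 0 on success, -1 on failure; on failure nothing stays allocated. */
int session_init(struct session *s, const char *user, const char *token)
{
    s->user = s->token = NULL;      /* known state before any allocation */
    if (user == NULL || token == NULL)
        goto fail;
    if ((s->user = malloc(strlen(user) + 1)) == NULL)
        goto fail;
    strcpy(s->user, user);
    if ((s->token = malloc(strlen(token) + 1)) == NULL)
        goto fail;
    strcpy(s->token, token);
    return 0;
fail:
    session_clear(s);               /* the only place the error path frees */
    return -1;
}

int main(void)
{
    struct session s;
    if (session_init(&s, "alice", "constructed-token") == 0)
        printf("user=%s\n", s.user);
    session_clear(&s);
    session_clear(&s);              /* repeated clean-up: both calls are safe */
    return 0;
}
```

Clearing the pointer protects only that variable: any other copy of the address still dangles, so each buffer should have exactly one owner.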
Related Technical Impacts
References
TBD