This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Double Free"
(→References) |
m |
||
Line 10: | Line 10: | ||
Double free errors occur when free() is called more than once with the same memory address as an argument. | Double free errors occur when free() is called more than once with the same memory address as an argument. | ||
− | Calling free() twice on the same value can lead to | + | Calling free() twice on the same value can lead to memory leak. When a program calls free() twice with the same argument, the program's memory management data structures become corrupted and could allow a malicious user to write values in arbitrary memory spaces. This corruption can cause the program to crash or, in some circumstances, alter the execution flow. By overwriting particular registers or memory spaces, an attacker can trick the program into executing code of his/her own choosing. |
Revision as of 12:47, 2 June 2014
This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.
Last revision (mm/dd/yy): 06/2/2014
Vulnerabilities Table of Contents
Description
Double free errors occur when free() is called more than once with the same memory address as an argument.
Calling free() twice on the same value can lead to memory leak. When a program calls free() twice with the same argument, the program's memory management data structures become corrupted and could allow a malicious user to write values in arbitrary memory spaces. This corruption can cause the program to crash or, in some circumstances, alter the execution flow. By overwriting particular registers or memory spaces, an attacker can trick the program into executing code of his/her own choosing.
Risk Factors
- Talk about the factors that make this vulnerability likely or unlikely to actually happen
- Discuss the technical impact of a successful exploit of this vulnerability
- Consider the likely [business impacts] of a successful attack
Examples
The following code shows a simple example of a double free vulnerability.
char* ptr = (char*)malloc (SIZE); ... if (abrt) { free(ptr); } ... free(ptr);
Double free vulnerabilities have two common (and sometimes overlapping) causes:
- Error conditions and other exceptional circumstances
- Confusion over which part of the program is responsible for freeing the memory
Although some double free vulnerabilities are not much more complicated than the previous example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once.
Related Attacks
Related Vulnerabilities
Related Controls
Related Technical Impacts
References
TBD