logo

Multiple Releases of Same Resource or Handle

Incomplete Base
Structure: Simple
Description

The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.

Extended Description

Code typically requires "opening" handles or references to resources such as memory, files, devices, socket connections, services, etc. When the code is finished with using the resource, it is typically expected to "close" or "release" the resource, which indicates to the environment (such as the OS) that the resource can be re-assigned or reused by unrelated processes or actors - or in some cases, within the same process. API functions or other abstractions are often used to perform this release, such as free() or delete() within C/C++, or file-handle close() operations that are used in many languages. Unfortunately, the implementation or design of such APIs might expect the developer to be responsible for ensuring that such APIs are only called once per release of the resource. If the developer attempts to release the same resource/handle more than once, then the API's expectations are not met, resulting in undefined and/or insecure behavior. This could lead to consequences such as memory corruption, data corruption, execution path corruption, or other consequences. Note that while the implementation for most (if not all) resource reservation allocations involve a unique identifier/pointer/symbolic reference, then if this identifier is reused, checking the identifier for resource closure may result in a false state of openness and closing of the wrong resource. For this reason, reuse of identifiers is discouraged.

Common Consequences 1
Scope: AvailabilityIntegrity

Impact: DoS: Crash, Exit, or Restart
Detection Methods 2
Automated Static Analysis
For commonly-used APIs and resource types, automated tools often have signatures that can spot this issue.
Automated Dynamic Analysis
Some compiler instrumentation tools such as AddressSanitizer (ASan) can indirectly detect some instances of this weakness.
Potential Mitigations 3
Phase: Implementation
Change the code's logic so that the resource is only closed once. This might require simplifying or refactoring. This fix can be simple to do in small code blocks, but more difficult when multiple closes are buried within complex conditionals.
Phase: Implementation

Strategy: Refactoring

It can be effective to implement a flag that is (1) set when the resource is opened, (2) cleared when it is closed, and (3) checked before closing. This approach can be useful when there are disparate cases in which closes must be performed. However, flag-tracking can increase code complexity and requires diligent compliance by the programmer.
Phase: Implementation

Strategy: Refactoring

When closing a resource, set the resource's associated variable to NULL or equivalent value for the given language. Some APIs will ignore this null value without causing errors. For other APIs, this can lead to application crashes or exceptions, which may still be preferable to corrupting an unintended resource such as memory or data.

Effectiveness: Defense in Depth
Demonstrative Examples 2
This example attempts to close a file twice. In some cases, the C library fclose() function will catch the error and return an error code. In other implementations, a double-free (Double Free) occurs, causing the program to fault. Note that the examples presented here are simplistic, and double fclose() calls will frequently be spread around a program, making them more difficult to find during code reviews.

Code Example:

Bad
C

char b[2000]; FILE *f = fopen("dbl_cls.c", "r"); if (f) {

c
There are multiple possible fixes. This fix only has one call to fclose(), which is typically the preferred handling of this problem - but this simplistic method is not always possible.

Code Example:

Good
C

char b[2000]; FILE *f = fopen("dbl_cls.c", "r"); if (f) {

c
This fix uses a flag to call fclose() only once. Note that this flag is explicit. The variable "f" could also have been used as it will be either NULL if the file is not able to be opened or a valid pointer if the file was successfully opened. If "f" is replacing "f_flg" then "f" would need to be set to NULL after the first fclose() call so the second fclose call would never be executed.

Code Example:

Good
C

char b[2000]; int f_flg = 0; FILE *f = fopen("dbl_cls.c", "r"); if (f) {

c

ID : DX-149

The following code shows a simple example of a double free vulnerability.

Code Example:

Bad
C
c
Double free vulnerabilities have two common (and sometimes overlapping) causes:
- Error conditions and other exceptional circumstances - Confusion over which part of the program is responsible for freeing the memory
Although some double free vulnerabilities are not much more complicated than this example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once.
Observed Examples 3
CVE-2019-13351file descriptor double close can cause the wrong file to be associated with a file descriptor.
CVE-2006-5051Chain: Signal handler contains too much functionality (Signal Handler with Functionality that is not Asynchronous-Safe), introducing a race condition that leads to a double free (Double Free).
CVE-2004-0772Double free resultant from certain error conditions.
References 4
close - Perldoc Browser
https://perldoc.perl.org/functions/close
ID: REF-1198
io - Core tools for working with streams — Python 3.9.7 documentation
02-09-2021
https://docs.python.org/3.9/library/io.html#io.IOBase.close
ID: REF-1199
FileOutputStream (Java Platform SE 7 )
2020
https://docs.oracle.com/javase/7/docs/api/java/io/FileOutputStream.html
ID: REF-1200
FileOutputStream (Java SE 11 & JDK 11 )
2021
https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/io/FileOutputStream.html
ID: REF-1201
Applicable Platforms
Languages:
Java : UndeterminedRust : UndeterminedNot Language-Specific : UndeterminedC : UndeterminedC++ : Undetermined
Technologies:
Not Technology-Specific : Undetermined
Modes of Introduction
Implementation
Related Weaknesses
ChildOf: Multiple Operations on Resource in Single-Operation Context (CWE-675)
CanPrecede: Operation on a Resource after Expiration or Release (CWE-672)
Notes
TerminologyThe terms related to "release" may vary depending on the type of resource, programming language, specification, or framework. "Close" has been used synonymously for the release of resources like file descriptors and file handles. "Return" is sometimes used instead of Release. "Free" is typically used when releasing memory or buffers back into the system for reuse.