logo

Double Free

Draft Variant
Structure: Simple
Description

The product calls free() twice on the same memory address.

The product calls free() twice on the same memory address.
Common Consequences 1
Scope: IntegrityConfidentialityAvailability

Impact: Modify MemoryExecute Unauthorized Code or Commands

When a program calls free() twice with the same argument, the program's memory management data structures may become corrupted, potentially leading to the reading or modification of unexpected memory addresses. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc() to return the same pointer. If malloc() returns the same value twice and the program later gives the attacker control over the data that is written into this doubly-allocated memory, the program becomes vulnerable to a buffer overflow attack. Doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code.

Detection Methods 2
FuzzingHigh
Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Potential Mitigations 3
Phase: Architecture and Design
Choose a language that provides automatic memory management.
Phase: Implementation
Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Phase: Implementation
Use a static analysis tool to find double free instances.
Demonstrative Examples 2

ID : DX-149

The following code shows a simple example of a double free vulnerability.

Code Example:

Bad
C
c
Double free vulnerabilities have two common (and sometimes overlapping) causes:
- Error conditions and other exceptional circumstances - Confusion over which part of the program is responsible for freeing the memory
Although some double free vulnerabilities are not much more complicated than this example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once.
While contrived, this code should be exploitable on Linux distributions that do not ship with heap-chunk check summing turned on.

Code Example:

Bad
C
c
Observed Examples 8
CVE-2006-5051Chain: Signal handler contains too much functionality (Signal Handler with Functionality that is not Asynchronous-Safe), introducing a race condition (Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')) that leads to a double free (Double Free).
CVE-2004-0642Double free resultant from certain error conditions.
CVE-2004-0772Double free resultant from certain error conditions.
CVE-2005-1689Double free resultant from certain error conditions.
CVE-2003-0545Double free from invalid ASN.1 encoding.
CVE-2003-1048Double free from malformed GIF.
CVE-2005-0891Double free from malformed GIF.
CVE-2002-0059Double free from malformed compressed data.
References 3
24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, and John Viega
McGraw-Hill
2010
ID: REF-44
The Art of Software Security Assessment
Mark Dowd, John McDonald, and Justin Schuh
Addison Wesley
2006
ID: REF-62
The CLASP Application Security Process
Secure Software, Inc.
2005
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf(2024-11-17)
ID: REF-18
Likelihood of Exploit

High

Applicable Platforms
Languages:
C : UndeterminedC++ : Undetermined
Modes of Introduction
Implementation
Alternate Terms

Double-free
Functional Areas
  1. Memory Management
Affected Resources
  1. Memory
Related Weaknesses
ChildOf: Expired Pointer Dereference (CWE-825)
ChildOf: Multiple Releases of Same Resource or Handle (CWE-1341)
ChildOf: Operation on a Resource after Expiration or Release (CWE-672)
ChildOf: Operation on a Resource after Expiration or Release (CWE-672)
ChildOf: Operation on a Resource after Expiration or Release (CWE-672)
ChildOf: Operation on Resource in Wrong Phase of Lifetime (CWE-666)
PeerOf: Use After Free (CWE-416)
PeerOf: Write-what-where Condition (CWE-123)
Taxonomy Mapping
  • PLOVER
  • 7 Pernicious Kingdoms
  • CLASP
  • CERT C Secure Coding
  • CERT C Secure Coding
  • CERT C Secure Coding
  • CERT C Secure Coding
  • Software Fault Patterns
Notes
RelationshipThis is usually resultant from another weakness, such as an unhandled error or race condition between threads. It could also be primary to weaknesses such as buffer overflows.
TheoreticalIt could be argued that Double Free would be most appropriately located as a child of "Use after Free", but "Use" and "Release" are considered to be distinct operations within vulnerability theory, therefore this is more accurately "Release of a Resource after Expiration or Release", which doesn't exist yet.