As noted in undefined behavior 179 of Annex J of the C standard [ISO/IEC 9899:2011], the behavior a program is undefined when
the pointer argument to the
freeorreallocfunction does not match a pointer earlier returned by a memory management function, or the space has been deallocated by a call tofreeorrealloc.
Freeing memory multiple times has similar consequences to accessing memory after it is freed. (See MEM30-C. Do not access freed memory.) First, reading a pointer to deallocated memory is undefined because the pointer value is indeterminate and can have a trap representation. In the latter case, doing so can cause a hardware trap. When reading a freed pointer doesn't cause a trap, the underlying data structures that manage the heap can become corrupted in a way that can introduce security vulnerabilities into a program. These types of issues are called double-free vulnerabilities. In practice, double-free vulnerabilities can be exploited to execute arbitrary code. One example of this is VU#623332, which describes a double-free vulnerability in the MIT Kerberos 5 function krb5_recvauth().
...
Note that this solution checks for numeric overflow. (See INT32-C. Ensure that operations on signed integers do not result in overflow.)
Noncompliant Code Example (realloc())
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
/* p is a pointer to dynamically allocated memory */
if (size) {
p2 = realloc(p, size);
if (p2 == NULL) {
free(p);
return;
}
}
else {
free(p);
return;
}
|
Exception
MEM31-EX1: Some library implementations accept and ignore a deallocation of already-free memory. If all libraries used by a project have been validated as having this behavior, then this rule can be ignored.
Risk Assessment
Freeing memory multiple times can result in an attacker executing arbitrary code with the permissions of the vulnerable process.
...
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| 484 S | Fully implemented. | |||||||
Fortify SCA | V. 5.0 | Double Free | |||||||
Splint |
| ||||||||
| RESOURCE_LEAK | Finds resource leaks from variables that go out of scope while owning a resource. | |||||||
| USE_AFTER_FREE | Can find the instances where a freed memory is freed again. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary. | |||||||
Compass/ROSE | Can detect some violations of this rule. In particular, false positives may be raised if a variable is freed by a different function than the one that allocated it. Also, it is unable to warn on cases where a call to | ||||||||
| MLK |
...
ISO/IEC TR 17961 (Draft) Freeing memory multiple times [dblfree]
ISO/IEC TR 24772 "XYK Dangling reference to heap" and "XYL Memory leak"
MITRE CWE: CWE-415, "Double free"
Bibliography
[MIT 2005]
[OWASP, Double Free]
[Viega 2005] "Doubly freeing memory"
[VU#623332]
...