Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

As noted in undefined behavior 169 of Annex J of [ISO/IEC 9899-1999], the behavior a program is undefined when

the pointer argument to the free or realloc function does not match a pointer earlier returned by calloc, malloc, or realloc, or the space has been deallocated by a call to free or realloc.

Freeing memory multiple times has similar consequences to accessing memory after it is freed. (See rule MEM30-C. Do not access freed memory.) First, reading a pointer to deallocated memory is undefined because the pointer value is indeterminate and can have a trap representation. In the latter case, doing so can cause a hardware trap. When reading a freed pointer doesn't cause a trap, the underlying data structures that manage the heap can become corrupted in a way that can introduce security vulnerabilities into a program. These types of issues are referred to as double-free vulnerabilities. In practice, double-free vulnerabilities can be exploited to execute arbitrary code. One example of this is VU#623332, which describes a double-free vulnerability in the MIT Kerberos 5 function krb5_recvauth().

To eliminate double-free vulnerabilities, it is necessary to guarantee that dynamic memory is freed exactly one time. Programmers should be wary when freeing memory in a loop or conditional statement; if coded incorrectly, these constructs can lead to double-free vulnerabilities. It is also a common error to misuse the realloc() function in a manner that results in double-free vulnerabilities. (See recommendation MEM04-C. Do not perform zero length allocations.)

Noncompliant Code Example ((malloc())

In this noncompliant code example, the memory referred to by x may be freed twice: once if error_condition is true and again at the end of the code.

Code Block
bgColor#FFCCCC
langc
int f(size_t n) {
  int error_condition = 0;

  int *x = (int*)malloc(n * sizeof(int));
  if (x == NULL)
    return -1;

  /* Use x and set error_condition on error. */

  if (error_condition == 1) {
    /* Handle error condition*/
    free(x);
  }

  /* ... */
  free(x);
  return error_condition;
}

Compliant Solution ((malloc())

In this compliant solution, the free a referenced by x is only freed once. This is accomplished by eliminating the call to free() when error_condition is set.

Code Block
bgColor#ccccff
langc
int f(size_t n) {
  int error_condition = 0;

  if (n > SIZE_MAX / sizeof(int)) {
    errno = EOVERFLOW;
    return -1;
  }

  int *x = (int*)malloc(n * sizeof(int));
  if (x == NULL) {
    /* Report allocation failure to caller. */
    return -1;
  }

  /* Use x and set error_condition on error. */

  if (error_condition != 0) {
    /* Handle error condition and proceed. */
  }

  free(x);

  return error_condition;
}

Note that this solution checks for numeric overflow. (See rule INT32-C. Ensure that operations on signed integers do not result in overflow.)

Noncompliant Code Example (realloc())

The memory referenced by p may be freed twice in this noncompliant code example.

Code Block
bgColor#FFCCCC
langc
/* p is a pointer to dynamically allocated memory */
p2 = realloc(p, size);
if (p2 == NULL) {
  free(p); /* p may be indeterminate when (size == 0) */
  return;
}

According to the C99 standard [ISO/IEC 9899-1999] (7.20.3):

If the size of the space requested is zero, the behavior is implementation defined: either a null pointer is returned, or the behavior is as if the size were some nonzero value, except that the returned pointer shall not be used to access an object.

and (7.20.3.4):

If memory for the new object cannot be allocated, the old object is not deallocated and its value is unchanged.

If realloc() is called with size equal to 0, then if a null pointer is returned, the old value should be unchanged. However, there are some common but non-conforming implementations that free the pointer including:

  1. Glibc (GNU/Linux)
  2. AIX
  3. HP-UX
  4. Solaris
  5. OSF/1

This means that calling free on the original pointer might result in a double-free vulnerability. However, not calling free on the original pointer might result in a memory leak.

Compliant Code Example (realloc())

In this compliant solution, allocations of zero-bytes are prevented, ensuring that p is freed exactly once.

Code Block
bgColor#ccccff
langc
/* p is a pointer to dynamically allocated memory */
if (size) {
  p2 = realloc(p, size);
  if (p2 == NULL) {
    free(p);
    return;
  }
}
else {
  free(p);
  return;
}

Risk Assessment

Freeing memory multiple times can result in an attacker executing arbitrary code with the permissions of the vulnerable process.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MEM31-C

high

probable

medium

P12

L1

Automated Detection

Tool

Version

Checker

Description

Section

LDRA tool suite

Include Page
LDRA_V
LDRA_V
Section

484 S

Section

Fully Implemented

Section

Fortify SCA

Section

V. 5.0

Section

Double Free

 

Section

Splint

Include Page
Splint_V
Splint_V

 

 

Section

Coverity Prevent




Include Page
Coverity_V
Coverity_V
Section

RESOURCE_LEAK

Section

finds resource leaks from variables that go out of scope while owning a resource

Section

Coverity Prevent




Include Page
Coverity_V
Coverity_V
Section

USE_AFTER_FREE

Section

can find the instances where a freed memory is freed again. Coverity Prevent cannot discover all violations of this rule so further verification is necessary

Section

Compass/ROSE

 

 

Section

can detect some violations of this rule. In particular, false positives may be raised if a variable is freed by a different function than the one that allocated it. Also, it is unable to warn on cases where a call to free() happens inside of a for-loop

Section

Klocwork




Include Page
Klocwork_V
Klocwork_V
Section

MLK
UFM.FFM

 

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C++ Secure Coding Standard: MEM31-CPP. Free dynamically allocated memory exactly once

CERT C Secure Coding Standard: MEM04-C. Do not perform zero length allocations

ISO/IEC TR 24772 "XYK Dangling Reference to Heap" and "XYL Memory Leak"

MITRE CWE: CWE-415, "Double Free"

Bibliography

[MIT 2005]
[OWASP, Double Free]
[Viega 2005] "Doubly freeing memory"
[VU#623332]