SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 104

changes.mady.by.user Astha Singhal

Saved on

compared with

New Version Current

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Wiki MarkupDynamic memory management is a common source of programming flaws that can lead to security vulnerabilities. Decisions regarding how dynamic memory is allocated, used, and deallocated are the burden of the programmer. Poor memory management can lead to security issues, such as heap-buffer overflows, dangling pointers, and double-free issues \ [[Seacord 2005a|AA. Bibliography#Seacord 05]\Seacord 2013]. From the programmer's perspective, memory management involves allocating memory, reading and writing to memory, and deallocating memory.

Allocating and freeing memory in different modules and levels of abstraction may make it difficult to determine when and if a block of memory has been freed, leading to programming defects, such as memory leaks, double-free vulnerabilities, accessing freed memory, or writing to freed or unallocated memory.

Wiki MarkupTo avoid these situations, memory should be allocated and freed at the same level of abstraction and, ideally, in the same code module. This includes the use of the following memory allocation and deallocation functions described in C99, Section in subclause 7.2023.3 \[of the C Standard [ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\2011]:

Code Block

void *malloc(size_t size);

void *calloc(size_t nmemb, size_t size);

void *realloc(void *ptr, size_t size);

void *aligned_alloc(size_t alignment, size_t size);
 
void free(void *ptr);

...

Failing   to   follow   this   recommendation   has   led   to   real-world   vulnerabilities.   For   example,   freeing   memory   in   different   modules   resulted   in   a   vulnerability   in   MIT   Kerberos   5  \ [[MIT   2004|AA. Bibliography#MIT 04]\].   The   MIT   Kerberos   5   code   in   this   case   contained   error-handling   logic,   which   freed   memory   allocated   by   the   ASN.1   decoders   if   pointers   to   the   allocated   memory   were   non-null.   However,   if   a   detectable   error   occurred,   the   ASN.1   decoders   freed   the   memory   that   they   had   allocated.   When   some   library   functions   received   errors   from   the   ASN.1   decoders,   they   also   attempted   to   free   the   same   memory,   resulting   in   a   double-free   vulnerability.
Noncompliant Code Example
...
 Code Block
bgColor#FFcccc
langc

enum { MIN_SIZE_ALLOWED = 32 };

int verify_size(char *list, size_t size) {
  if (size < MIN_SIZE_ALLOWED) {
    /* Handle Errorerror Conditioncondition */
    free(list);
    return -1;
  }
  return 0;
}

void process_list(size_t number) {
  char *list = (char *)malloc(number);
  if (list == NULL) {
    /* Handle Allocationallocation Errorerror */
  }

  if (verify_size(list, number) == -1) {
      free(list);
      return;
  }

  /* Continue Processingprocessing list */

  free(list);
}

The call to free memory in the verify_size() function takes place in a subroutine of the process_list() function, at a different level of abstraction from the allocation, resulting in a violation of this recommendation. The memory deallocation also occurs in error-handling code, which is frequently not as well tested as "green paths" through the code.
...
To correct this problem, the error-handling code in verify_size() is modified so that it no longer frees list. This change ensures that list is freed only once, at the same level of abstraction, in the process_list() function.
 Code Block
bgColor#ccccff
langc

enum { MIN_SIZE_ALLOWED = 32 };

int verify_size(const char *list, size_t size) {
  if (size < MIN_SIZE_ALLOWED) {
    /* Handle Errorerror Conditioncondition */
    return -1;
  }
  return 0;
}

void process_list(size_t number) {
  char *list = (char *)malloc(number);

  if (list == NULL) {
    /* Handle Allocationallocation Errorerror */
  }

  if (verify_size(list, number) == -1) {
      free(list);
      return;
  }

  /* Continue Processingprocessing list */

  free(list);
}

Risk Assessment
The mismanagement of memory can lead to freeing memory multiple times or writing to already freed memory. Both of these coding errors can result in an attacker executing arbitrary code with the permissions of the vulnerable process. Memory management errors can also lead to resource depletion and denial-of-service attacks.
Recommendation
Severity
Likelihood
Remediation Cost
Priority
Level
MEM00-C
 high 
High
 probable 
Probable
 medium 
Medium
P12
L1
Automated Detection
Tool
Version
Checker
Description
section
CodeSonar
LDRA tool suite
 Include Page
c:LDRA
CodeSonar_V
c:LDRA
CodeSonar_V
 Section
 50 D 
 Section
 Partially Implemented 
 Section
Fortify SCA
 Section
V. 5.0
 
 Section
can detect violations of this rule with CERT C Rule Pack
ALLOC.DF
ALLOC.LEAK
Double free
Leak
section
Compass/ROSE
 
 
 Sectioncould 


Could detect possible violations by reporting any function that has malloc() or free() but not both. This would catch some false positives, as there would be no way to tell if malloc() and free() are 
 '
 at the same level of abstraction 
' 
 if they are in different functions
Coverity6.5RESOURCE_LEAKFully implemented
Klocwork
 Include Page
Klocwork_V
Klocwork_V
FREE.INCONSISTENT
UFM.FFM.MIGHT
UFM.FFM.MUST
UFM.DEREF.MIGHT
UFM.DEREF.MUST
UFM.RETURN.MIGHT
UFM.RETURN.MUST
UFM.USE.MIGHT
UFM.USE.MUST
MLK.MIGHT
MLK.MUST
MLK.RET.MIGHT
MLK.RET.MUST
FNH.MIGHT
FNH.MUST
FUM.GEN.MIGHT
FUM.GEN.MUST
RH.LEAK
LDRA tool suite
 Include Page
LDRA_V
LDRA_V
50 D
Partially implemented
Parasoft C/C++test
 Include Page
Parasoft_V
Parasoft_V
CERT_C-MEM00-a
CERT_C-MEM00-b
CERT_C-MEM00-c
CERT_C-MEM00-d
CERT_C-MEM00-e
Do not allocate memory and expect that someone else will deallocate it later
Do not allocate memory and expect that someone else will deallocate it later
Do not allocate memory and expect that someone else will deallocate it later
Do not use resources that have been freed
Ensure resources are freed
Parasoft Insure++

Runtime analysis
PC-lint Plus
 Include Page
PC-lint Plus_V
PC-lint Plus_V
449, 2434
Partially supported
Polyspace Bug Finder
 Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V
CERT C: Rec. MEM00-C

Checks for:
  • Invalid free of pointer
  • Deallocation of previously deallocated pointer
  • Use of previously freed pointer
Rec. partially covered.
 Section
Coverity Prevent
 Include Pagec:Coverity_Vc:Coverity_V
 Section
USE_AFTER_FREE
 Sectioncan detect the specific instances where Memory is deallocated more than once or Read/Write to target of a freed pointer
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related 
...
Guidelines
SEI CERT C++ 
...
 Coding Standard
...
VOID MEM11-CPP. Allocate and free memory in the same module, at the same level of abstraction
ISO/IEC 
...
TR 24772:2013Memory Leak [XYL]
MITRE CWE
...
CWE-
...
415, Double free
CWE-416, Use after free
Bibliography
[MIT 2004]
[Plakosh 2005]
[Seacord 2013]Chapter 4, "Dynamic Memory Management"

...
Image Added Image Added 
MITRE CWE: CWE-415, "Double Free"
Bibliography
 Wiki Markup
\[[MIT 2004|AA. Bibliography#MIT 04]\]
\[[Plakosh 2005|AA. Bibliography#Plakosh 05]\]
\[[Seacord 2005a|AA. Bibliography#Seacord 05]\] Chapter 4, "Dynamic Memory Management"
08. Memory Management (MEM)      08. Memory Management (MEM)      Image Modified