Smart pointers like std::unique_ptr
and std::shared_ptr
encode pointer ownership semantics as part of the type system. They wrap a pointer value, provide pointer-like semantics through operator *()
and operator->()
member functions, and control the lifetime of the pointer they manage. When a smart pointer is constructed from a pointer value, that value is said to be owned by the smart pointer.
Calling std::unique_ptr::release()
will relinquish ownership of the managed pointer value. Destruction of, move assignment of, or calling std::unique_ptr::reset()
on a std::unique_ptr
object will also relinquish ownership of the managed pointer value, but results in destruction of the managed pointer value. If a call to std::shared_ptr::unique()
returns true, then destruction of, or calling std::shared_ptr::reset()
on that std::shared_ptr
object will relinquish ownership of the managed pointer value, but results in destruction of the managed pointer value.
Do not create a smart pointer object with a pointer value is that owned by another smart pointer object. This includes resetting a smart pointer's managed pointer to an already-owned pointer value, such as by calling reset()
.
Storing the same pointer value in more than one smart pointer object simultaneously will eventually result in undefined behavior when the smart pointer attempts to destroy the managed pointer value.
Noncompliant Code Example
In this noncompliant code example, the B *
pointer value owned by a std::shared_ptr
object is cast to the D *
pointer type with dynamic_cast
in an attempt to obtain a std::shared_ptr
of the polymorphic derived type. However, this eventually results in undefined behavior as the same pointer is stored in two different std::shared_ptr
objects. When g()
exits, the pointer stored in Derived
is freed by the default deleter. Any further use of Poly
results in accessing freed memory. When f()
exits, the same pointer stored in Poly
is destroyed, resulting in a double-free vulnerability.
#include <memory> struct B { virtual ~B() = default; // Polymorphic object // ... }; struct D : B {}; void g(std::shared_ptr<D> Derived); void f() { std::shared_ptr<B> Poly(new D); // ... g(std::shared_ptr<D>(dynamic_cast<D *>(Poly.get()))); // Any use of Poly will now result in accessing freed memory. }
Compliant Solution
In this compliant solution, the dynamic_cast
is replaced with a call to std::dynamic_pointer_cast()
, which returns a std::shared_ptr
of the polymorphic type with the valid shared pointer value. When g()
exits, the reference count to the underlying pointer is decremented by the destruction of Derived
, but because of the reference held by Poly
(within f()
) the stored pointer value is still valid after g()
returns.
#include <memory> struct B { virtual ~B() = default; // Polymorphic object // ... }; struct D : B {}; void g(std::shared_ptr<D> Derived); void f() { std::shared_ptr<B> Poly(new D); // ... g(std::dynamic_pointer_cast<D, B>(Poly)); // Poly is still referring to a valid pointer value. }
Risk Assessment
Passing a pointer value to a deallocation function that was not previously obtained by the matching allocation function results in undefined behavior, which can lead to exploitable vulnerabilities.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MEM56-CPP | High | Likely | Medium | P18 | L1 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
|
|
|
Related Vulnerabilities
Search for other vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C++ Coding Standard | MEM50-CPP. Do not access freed memory MEM51-CPP. Properly deallocate dynamically allocated resources |
MITRE CWE | CWE-415, Double Free |
Bibliography
[ISO/IEC 14882-2014] | Subclause 20.8, "Smart Pointers" |