CWE-415: Double Free
Structure: Simple
Abstraction: Variant
Status: Draft
Likelihood of Exploit: High
Description
The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.
Extended Description
When a program calls free() twice with the same argument, the program's memory management data structures become corrupted. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc() to return the same pointer. If malloc() returns the same value twice and the program later gives the attacker control over the data that is written into this doubly-allocated memory, the program becomes vulnerable to a buffer overflow attack.
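The mechanism described above, modeled in an added example that is not part of the CWE entry: a toy single-linked LIFO free list of the kind fastbin and tcache use, where a freed chunk's first bytes hold the link to the next free chunk. The chunk size, arena size and the function names (`toy_malloc`, `toy_free_naive`, `toy_free_checked`) are assumptions of the model, not glibc internals. The naive free shows the double free linking a chunk to itself so two later allocations alias; the third scenario shows why that becomes a write-what-where once the attacker controls the data written into the aliased chunk; the checked free shows the simplest allocator-side guard, a free-list membership scan.

```c
/* Added example: toy LIFO free-list allocator modelling a double free.
 * Not glibc; sizes and names below are assumptions of the model. */
#include <stddef.h>
#include <string.h>

#define CHUNK_SIZE 64          /* fixed-size chunks (model assumption) */
#define NUM_CHUNKS 8

/* A free chunk reuses its first bytes as the "next" link, as real
 * allocators do; a live chunk's bytes belong to the caller. */
struct chunk { union { struct chunk *next; unsigned char data[CHUNK_SIZE]; } u; };

struct arena {
    struct chunk  pool[NUM_CHUNKS];
    struct chunk *free_head;   /* head of the single-linked free list */
    size_t        next_fresh;  /* index of the next never-used chunk */
};

static void arena_init(struct arena *a) { memset(a, 0, sizeof *a); }

/* Pop the most recently freed chunk, else hand out a fresh one. */
static void *toy_malloc(struct arena *a) {
    if (a->free_head) {
        struct chunk *c = a->free_head;
        a->free_head = c->u.next;
        return c;
    }
    if (a->next_fresh < NUM_CHUNKS)
        return &a->pool[a->next_fresh++];
    return NULL;
}

/* Naive free: blindly pushes the chunk. Freeing the same chunk twice links
 * it to itself, so the list yields that chunk on every following pop. */
static void toy_free_naive(struct arena *a, void *p) {
    struct chunk *c = p;
    c->u.next = a->free_head;
    a->free_head = c;
}

/* Checked free: refuses to push a chunk that is already on the free list.
 * Returns 0 on success, -1 when the double free is detected. */
static int toy_free_checked(struct arena *a, void *p) {
    struct chunk *c = p;
    for (struct chunk *it = a->free_head; it; it = it->u.next)
        if (it == c) return -1;
    c->u.next = a->free_head;
    a->free_head = c;
    return 0;
}

/* The sequence from the text: free one chunk twice, then allocate twice.
 * Returns 1 when both allocations come back with the same address. */
int double_free_aliases_naive(void) {
    struct arena a; arena_init(&a);
    void *p = toy_malloc(&a);
    toy_free_naive(&a, p);
    toy_free_naive(&a, p);            /* second free of the same pointer */
    void *q1 = toy_malloc(&a);
    void *q2 = toy_malloc(&a);
    return q1 == q2;
}

/* After the double free, q1 is handed to the caller while still sitting on
 * the free list. Attacker-controlled "user data" written into q1 overwrites
 * its link, so a later allocation returns an address the attacker chose.
 * Returns 1 when the allocator hands out the attacker's target. */
int double_free_redirects_allocation(void) {
    struct arena a; arena_init(&a);
    static struct chunk target;       /* stands in for any attacker-chosen address */
    void *p = toy_malloc(&a);
    toy_free_naive(&a, p);
    toy_free_naive(&a, p);
    void *q1 = toy_malloc(&a);        /* q1 == p, and p is still free_head */
    void *fake = &target;
    memcpy(q1, &fake, sizeof fake);   /* the write into the doubly-allocated chunk */
    (void)toy_malloc(&a);             /* pops p once more, link now points at target */
    void *q3 = toy_malloc(&a);
    return q3 == (void *)&target;
}

/* Same double free against the checked allocator: the second free is
 * rejected and the two allocations are distinct. Returns 1 when caught. */
int double_free_caught_checked(void) {
    struct arena a; arena_init(&a);
    void *p = toy_malloc(&a);
    int first  = toy_free_checked(&a, p);
    int second = toy_free_checked(&a, p);
    void *q1 = toy_malloc(&a);
    void *q2 = toy_malloc(&a);
    return first == 0 && second == -1 && q1 != q2;
}
```

The membership scan is linear in the free list and real allocators use cheaper checks (glibc's tcache stores a per-chunk key and compares it on free), but the property being enforced is the same: a chunk must not enter the free list while it is already on it.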
Related Weaknesses
Nature | CWE ID | View ID | Ordinal |
---|---|---|---|
ChildOf | CWE-825 (Expired Pointer Dereference) | 1000 | Primary |
ChildOf | CWE-672 (Operation on a Resource after Expiration or Release) | 1003 | Primary |
ChildOf | CWE-666 (Operation on Resource in Wrong Phase of Lifetime) | 1000 | |
ChildOf | CWE-675 (Multiple Operations on Resource in Single-Operation Context) | 1000 | |
PeerOf | CWE-416 (Use After Free) | 1000 | |
PeerOf | CWE-416 (Use After Free) | 699 | |
PeerOf | CWE-123 (Write-what-where Condition) | 1000 | |
Applicable Platforms
Language: C (Prevalence: Undetermined), C++ (Prevalence: Undetermined)
Common Consequences
Scope | Impact | Note |
---|---|---|
Integrity, Confidentiality, Availability | Execute Unauthorized Code or Commands | Doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code. |
Potential Mitigations
Phase: Architecture and Design
Choose a language that provides automatic memory management.
Phase: Implementation
Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Phase: Implementation
Use a static analysis tool to find double free instances.
Demonstrative Examples
Example 1
The following code shows a simple example of a double free vulnerability: the abort branch releases ptr, then control falls through to the common cleanup, which releases it again.
Example code (bad, C):
```c
char *ptr = (char *)malloc(SIZE);
/* ... */
if (abrt) {
    free(ptr);      /* first release, on the error path */
}
/* ... */
free(ptr);          /* second release of the same pointer when abrt is set */
```
Double free vulnerabilities have two common (and sometimes overlapping) causes:
- Error conditions and other exceptional circumstances.
- Confusion over which part of the program is responsible for freeing the memory.
Although some double free vulnerabilities are not much more complicated than the previous example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once.
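Example 1 and the Implementation mitigation above, worked into an added example that is not from the CWE entry: the same cleanup shape written once as the vulnerable error path and once hardened with a free-and-null helper (the MEM01-C rule), both run against a small tracking allocator that records a second free of a pointer instead of forwarding it to free(), so the vulnerable variant can be exercised without corrupting the real heap. The tracker (`t_malloc`, `t_free`), the helper name `free_and_null` and the 64-entry table are assumptions of this example.

```c
/* Added example: vulnerable vs. hardened cleanup, measured by a tracking
 * allocator. Names and the table size are assumptions of this example. */
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 64

/* Tracking allocator: remembers live pointers. Freeing a pointer that is
 * not live is counted as a double free and is NOT passed to free(). */
static void *g_live[MAX_LIVE];
static int   g_double_frees;

static void *t_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!g_live[i]) { g_live[i] = p; return p; }
    free(p);                    /* table full or malloc failed */
    return NULL;
}

static void t_free(void *p) {
    if (!p) return;             /* free(NULL) is a no-op, as in the C library */
    for (int i = 0; i < MAX_LIVE; i++)
        if (g_live[i] == p) { g_live[i] = NULL; free(p); return; }
    g_double_frees++;           /* pointer is not live: already freed */
}

static void t_reset(void) { memset(g_live, 0, sizeof g_live); g_double_frees = 0; }

/* Hardened release: frees *pp and nulls the caller's copy of the pointer,
 * so any later release through the same variable is a harmless free(NULL). */
static void free_and_null(char **pp) { t_free(*pp); *pp = NULL; }

/* Vulnerable: the shape of Example 1. The abort branch frees ptr, then
 * control falls through to the common cleanup which frees it again. */
int process_vulnerable(int abrt) {
    char *ptr = t_malloc(64);
    if (!ptr) return -1;
    if (abrt) {
        t_free(ptr);            /* early release on the error path */
    }
    /* ... more work that is skipped when abrt is set ... */
    t_free(ptr);                /* common cleanup: second free when abrt != 0 */
    return 0;
}

/* Hardened: every release goes through free_and_null, so the common
 * cleanup sees NULL after the error path has already released the buffer. */
int process_hardened(int abrt) {
    char *ptr = t_malloc(64);
    if (!ptr) return -1;
    if (abrt) {
        free_and_null(&ptr);
    }
    free_and_null(&ptr);        /* no-op if the error path already ran */
    return 0;
}

/* Runs one variant from a clean tracker and returns the double frees seen. */
int count_double_frees(int (*fn)(int), int abrt) {
    t_reset();
    fn(abrt);
    return g_double_frees;
}
```

Nulling the pointer only protects the variable it is applied to; if a second alias of the same allocation lives in another struct or a global, that copy still dangles, which is why the mitigation also insists that clean-up routines track allocation state rather than rely on the null check alone.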
Example 2
While contrived, this code should be exploitable on Linux distributions which do not ship with heap-chunk check summing turned on. buf2R1 is freed twice: once right after allocation and again after buf1R2 (which reuses the freed space) has been filled with attacker-supplied data.
Example code (bad, C):
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSIZE1 512
#define BUFSIZE2 ((BUFSIZE1/2) - 8)

int main(int argc, char **argv) {
    char *buf1R1;
    char *buf2R1;
    char *buf1R2;

    if (argc < 2)
        return 1;

    buf1R1 = (char *) malloc(BUFSIZE2);
    buf2R1 = (char *) malloc(BUFSIZE2);

    free(buf1R1);
    free(buf2R1);                        /* first free of buf2R1 */

    /* Large enough to overlap the two chunks just released. */
    buf1R2 = (char *) malloc(BUFSIZE1);
    strncpy(buf1R2, argv[1], BUFSIZE1-1); /* attacker-controlled contents */

    free(buf2R1);                        /* second free: the chunk now lies inside buf1R2 */
    free(buf1R2);
    return 0;
}
```
Current glibc releases detect a repeated free of the same tcache chunk and abort with "free(): double free detected in tcache 2", so on a modern distribution this program crashes at the second free(buf2R1) rather than yielding an exploitable heap state.
Observed Examples
Identifier | Description | Link |
---|---|---|
CVE-2006-5051 | Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition that leads to a double free (CWE-415). | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051 |
CVE-2004-0642 | Double free resultant from certain error conditions. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0642 |
CVE-2004-0772 | Double free resultant from certain error conditions. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0772 |
CVE-2005-1689 | Double free resultant from certain error conditions. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1689 |
CVE-2003-0545 | Double free from invalid ASN.1 encoding. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0545 |
CVE-2003-1048 | Double free from malformed GIF. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1048 |
CVE-2005-0891 | Double free from malformed GIF. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0891 |
CVE-2002-0059 | Double free from malformed compressed data. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0059 |
Notes
Relationship
This is usually resultant from another weakness, such as an unhandled error or race condition between threads. It could also be primary to weaknesses such as buffer overflows.
Maintenance
It could be argued that Double Free would be most appropriately located as a child of "Use after Free", but "Use" and "Release" are considered to be distinct operations within vulnerability theory, therefore this is more accurately "Release of a Resource after Expiration or Release", which doesn't exist yet.
Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | | | DFREE - Double-Free Vulnerability |
7 Pernicious Kingdoms | | | Double Free |
CLASP | | | Doubly freeing memory |
CERT C Secure Coding | MEM00-C | | Allocate and free memory in the same module, at the same level of abstraction |
CERT C Secure Coding | MEM01-C | | Store a new value in pointers immediately after free() |
CERT C Secure Coding | MEM30-C | CWE More Specific | Do not access freed memory |
CERT C Secure Coding | MEM31-C | | Free dynamically allocated memory exactly once |
Software Fault Patterns | SFP12 | | Faulty Memory Release |
Source: scap中文网 (reposted from the internet)