CWE-415

Double Free. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

Required inputs: IR, StaticSemanticAnalysis

The product calls free() twice on the same memory address.
Demonstrative Examples
Example 1

The following code shows a simple example of a double free vulnerability.

Example Language: C
    char* ptr = (char*)malloc (SIZE);
    ...
    if (abrt) {
        free(ptr);
    }
    ...
    free(ptr);

Double free vulnerabilities have two common (and sometimes overlapping) causes:

  • Error conditions and other exceptional circumstances
  • Confusion over which part of the program is responsible for freeing the memory

Although some double free vulnerabilities are not much more complicated than this example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once.
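One way to remove both causes from Example 1, shown as an added example that is not part of the CWE text or the analyzer's documentation: a single owner with an idempotent destroy function and one shared cleanup path. The names `struct msg`, `msg_init`, `msg_destroy` and `handle`, and the value of `SIZE`, are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

#define SIZE 64                 /* assumed value; the page leaves SIZE undefined */

struct msg {                    /* hypothetical owner of one heap buffer */
    char *body;
};

/* Allocate the buffer and copy text into it. Returns 0 on success, -1 on failure. */
int msg_init(struct msg *m, const char *text) {
    m->body = malloc(SIZE);
    if (m->body == NULL)
        return -1;
    strncpy(m->body, text, SIZE - 1);
    m->body[SIZE - 1] = '\0';   /* strncpy does not terminate on truncation */
    return 0;
}

/* The only place the buffer is freed. Clearing the pointer makes a repeated
 * call reach free(NULL), which the C standard defines as a no-op. */
void msg_destroy(struct msg *m) {
    free(m->body);
    m->body = NULL;
}

/* Example 1 restructured: the abort branch jumps to the shared cleanup label
 * instead of freeing on its own, so every path releases exactly once.
 * Returns the stored length on success, -1 on abort or allocation failure. */
int handle(const char *text, int abrt) {
    struct msg m;
    int rc = -1;

    if (msg_init(&m, text) != 0)
        return -1;
    if (abrt)
        goto cleanup;           /* error condition: no free() here */
    rc = (int)strlen(m.body);   /* normal work: report the stored length */
cleanup:
    msg_destroy(&m);
    return rc;
}

int main(void) {
    /* constructed input */
    return handle("constructed input", 0) > 0 ? 0 : 1;
}
```

Clearing the pointer only protects the alias that was cleared; a copy of the pointer held elsewhere still dangles, which is why the buffer has exactly one owner here.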

Example 2

While contrived, this code should be exploitable on Linux distributions that do not ship with heap-chunk checksumming turned on.

Example Language: C
    #include <stdio.h>
    #include <stdlib.h>   /* malloc, free */
    #include <string.h>   /* strncpy */
    #include <unistd.h>
    #define BUFSIZE1 512
    #define BUFSIZE2 ((BUFSIZE1/2) - 8)

    int main(int argc, char **argv) {
        char *buf1R1;
        char *buf2R1;
        char *buf1R2;
        buf1R1 = (char *) malloc(BUFSIZE2);
        buf2R1 = (char *) malloc(BUFSIZE2);
        free(buf1R1);
        free(buf2R1);
        buf1R2 = (char *) malloc(BUFSIZE1);
        strncpy(buf1R2, argv[1], BUFSIZE1-1);
        free(buf2R1);   /* buf2R1 was already freed above: double free */
        free(buf1R2);
    }
Excerpts from CWE [https://cwe.mitre.org], Copyright (C) 2006-2026, the MITRE Corporation. See section 9.4. "3rd-Party Licenses" in the documentation for full details.

Possible Messages

| Key | Text | Severity | Disabled |
|---|---|---|---|
| double_free | Dynamic memory released here was already released earlier | None | False |
| possible_double_free | Dynamic memory released here possibly already released earlier | None | False |

Options

resources

resources

Type: set[str]

Default: {'C++ArrayHeapMemory', 'C++HeapMemory', 'CudaAsyncMemory', 'CudaDeviceMemory', 'CudaDriverAsyncMemory', 'CudaHostMemory', 'CudaManagedMemory', 'FileHandle', 'HeapMemory', 'UniquePtrHeapMemory'}

Set of resources to be checked (selection of rules in the Resources group).
 

witness_paths

witness_paths : bool = True

Whether witness paths should be determined and included in the issue.