CWE-825¶

Expired Pointer Dereference. [Pointer-Issues, Improper-Control-Of-A-Resource-Through-Its-Lifetime]

Required inputs: IR, StaticSemanticAnalysis

The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid. When a product releases memory, but it maintains a pointer to that memory, then the memory might be re-allocated at a later time. If the original pointer is accessed to read or write data, then this could cause the product to read or modify data that is in use by a different function or process. Depending on how the newly-allocated memory is used, this could lead to a denial of service, information exposure, or code execution.

Demonstrative Examples

Example 1

The following code shows a simple example of a use after free error:

Example Language:C
    char* ptr = (char*)malloc (SIZE);
    if (err) {
        abrt = 1;
        free(ptr);
    }
    ...
    if (abrt) {
        logError("operation aborted before commit", ptr);
    }

When an error occurs, the pointer is immediately freed. However, this pointer is later incorrectly used in the logError function.

Example 2

The following code shows a simple example of a double free error:

Example Language:C
    char* ptr = (char*)malloc (SIZE);
    ...
    if (abrt) {
        free(ptr);
    }
    ...
    free(ptr);

Double free vulnerabilities have two common (and sometimes overlapping) causes:

Error conditions and other exceptional circumstances
Confusion over which part of the program is responsible for freeing the memory

Although some double free vulnerabilities are not much more complicated than the previous example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once.

Possible Messages

Key	Text	Severity	Disabled
double_free	Dynamic memory released here was already released earlier	None	False
possible_double_free	Dynamic memory released here possibly already released earlier	None	False
possible_use_after_free	Dynamic memory possibly used after it was previously released	None	False
use_after_free	Dynamic memory used after it was previously released	None	False

Options¶

This rule shares the following common options: exclude_in_macros, exclude_messages_in_system_headers, excludes, extend_exclude_to_macro_invocations, includes, justification_checker, languages, post_processing, provider, report_at, severity
The following places define options that affect this rule: Stylechecks, Analysis-GlobalOptions

functions_with_ignored_deallocators¶

functions_with_ignored_deallocators : set[str] = set()

Set of functions (given by their qualified name) where all deallocators are ignored. For these functions, the check will never report a use-after-free. It will also assume that these functions never create freed pointers, neither by return value, out param, nor by modifying global state.

report_freed_this_at_call¶

report_freed_this_at_call : bool = False

This option controls findings when a freed pointer is used in C++ to call a non-static member function. When set to true, the use at the call is directly reported. When false, the analysis waits for an actual dereference (of the this-pointer then) inside the callee, and only reports those.

report_read_pointer_args_in_calls_to_undefined¶

report_read_pointer_args_in_calls_to_undefined : bool = True

Report when freed pointers are passed to undefined (external) functions.

resources¶

resources

Type: set[str]

Default: {'C++ArrayHeapMemory', 'C++HeapMemory', 'CudaAsyncMemory', 'CudaDeviceMemory', 'CudaDriverAsyncMemory', 'CudaHostMemory', 'CudaManagedMemory', 'FileHandle', 'HeapMemory', 'UniquePtrHeapMemory'}

Set of resources to be checked (selection of rules in the Resources group).

witness_paths¶

witness_paths : bool = True

Whether witness paths should be determined and included in the issue.

Axivion Suite 7.12.0

Navigation