CertC++-MEM30¶
Do not access freed memory
Required inputs: IR, StaticSemanticAnalysis
Evaluating a pointer-including dereferencing the pointer, using it as an operand of an arithmetic operation, type casting it, and using it as the right-hand side of an assignment-into memory that has been deallocated by a memory management function is undefined behavior. Pointers to memory that has been deallocated are called dangling pointers. Accessing a dangling pointer can result in exploitable vulnerabilities.
According to the C Standard, using the value of a pointer that refers to space
deallocated by a call to the
free() or
realloc() function is undefined behavior. (See
undefined
behavior 177.)
Reading a pointer to deallocated memory is undefined behavior because the pointer value is indeterminate and might be a trap representation. Fetching a trap representation might perform a hardware trap (but is not required to).
It is at the memory manager's discretion when to reallocate or recycle the freed memory. When memory is freed, all pointers into it become invalid, and its contents might either be returned to the operating system, making the freed space inaccessible, or remain intact and accessible. As a result, the data at the freed location can appear to be valid but change unexpectedly. Consequently, memory must not be written to or read from once it is freed.
Noncompliant Code Example
This example from Brian Kernighan and Dennis Ritchie [
Kernighan
1988] shows both the incorrect and correct techniques for freeing the
memory associated with a linked list. In their (intentionally) incorrect
example,
p is freed before
p->next is executed, so that
p->next reads memory that has already been freed.
#include <stdlib.h>
struct node {
int value;
struct node *next;
};
void free_list(struct node *head) {
for (struct node *p = head; p != NULL; p = p->next) {
free(p);
}
}
Compliant Solution
Kernighan and Ritchie correct this error by storing a reference to
p->next in
q before freeing
p:
#include <stdlib.h>
struct node {
int value;
struct node *next;
};
void free_list(struct node *head) {
struct node *q;
for (struct node *p = head; p != NULL; p = q) {
q = p->next;
free(p);
}
}
Noncompliant Code Example
In this noncompliant code example,
buf is written to after it has been freed. Write-after-free
vulnerabilities can be
exploited
to run arbitrary code with the permissions of the vulnerable process.
Typically, allocations and frees are far removed, making it difficult to
recognize and diagnose these problems.
#include <stdlib.h>
#include <string.h>
int main(int argc, char *argv[]) {
char *return_val = 0;
const size_t bufsize = strlen(argv[0]) + 1;
char *buf = (char *)malloc(bufsize);
if (!buf) {
return EXIT_FAILURE;
}
/* ... */
free(buf);
/* ... */
strcpy(buf, argv[0]);
/* ... */
return EXIT_SUCCESS;
}
Compliant Solution
In this compliant solution, the memory is freed after its final use:
#include <stdlib.h>
#include <string.h>
int main(int argc, char *argv[]) {
char *return_val = 0;
const size_t bufsize = strlen(argv[0]) + 1;
char *buf = (char *)malloc(bufsize);
if (!buf) {
return EXIT_FAILURE;
}
/* ... */
strcpy(buf, argv[0]);
/* ... */
free(buf);
return EXIT_SUCCESS;
}
Noncompliant Code Example
In this noncompliant example,
realloc() may free
c_str1 when it returns a null pointer, resulting in
c_str1 being freed twice. The C Standards Committee's
proposed response to
Defect Report #400 makes it implementation-defined whether
or not the old object is deallocated when
size is zero and memory for the new object is not allocated. The
current implementation of
realloc() in the GNU C Library and Microsoft Visual Studio's
Runtime Library will free
c_str1 and return a null pointer for zero byte allocations.
Freeing a pointer twice can result in a potentially exploitable vulnerability
commonly referred to as a double-free vulnerability [
Seacord
2013b].
#include <stdlib.h>
void f(char *c_str1, size_t size) {
char *c_str2 = (char *)realloc(c_str1, size);
if (c_str2 == NULL) {
free(c_str1);
}
}
Compliant Solution
This compliant solution does not pass a size argument of zero to the
realloc() function, eliminating the possibility of
c_str1 being freed twice:
#include <stdlib.h>
void f(char *c_str1, size_t size) {
if (size != 0) {
char *c_str2 = (char *)realloc(c_str1, size);
if (c_str2 == NULL) {
free(c_str1);
}
}
else {
free(c_str1);
}
}
If the intent of calling
f() is to reduce the size of the object, then doing nothing when
the size is zero would be unexpected; instead, this compliant solution frees
the object.
Noncompliant Code Example
In this noncompliant example (
CVE-2009-1364) from
libwmf version 0.2.8.4, the return value of
gdRealloc (a simple wrapper around
realloc() that reallocates space pointed to by
im->clip->list) is set to
more. However, the value of
im->clip->list is used directly afterwards in the code, and
the C Standard specifies that if
realloc() moves the area pointed to, then the original block is
freed. An attacker can then execute arbitrary code by forcing a reallocation
(with a sufficient
im->clip->count) and accessing freed memory [
xorl 2009].
void gdClipSetAdd(gdImagePtr im, gdClipRectanglePtr rect) {
gdClipRectanglePtr more;
if (im->clip == 0) {
/* ... */
}
if (im->clip->count == im->clip->max) {
more = gdRealloc (im->clip->list,(im->clip->max + 8) *
sizeof (gdClipRectangle));
/*
* If the realloc fails, then we have not lost the
* im->clip->list value.
*/
if (more == 0) return;
im->clip->max += 8;
}
im->clip->list[im->clip->count] = *rect;
im->clip->count++;
}
Compliant Solution
This compliant solution simply reassigns
im->clip->list to the value of
more after the call to
realloc():
void gdClipSetAdd(gdImagePtr im, gdClipRectanglePtr rect) {
gdClipRectanglePtr more;
if (im->clip == 0) {
/* ... */
}
if (im->clip->count == im->clip->max) {
more = gdRealloc (im->clip->list,(im->clip->max + 8) *
sizeof (gdClipRectangle));
if (more == 0) return;
im->clip->max += 8;
im->clip->list = more;
}
im->clip->list[im->clip->count] = *rect;
im->clip->count++;
}
Risk Assessment
Reading memory that has already been freed can lead to abnormal program termination and denial-of-service attacks. Writing memory that has already been freed can additionally lead to the execution of arbitrary code with the permissions of the vulnerable process.
Freeing memory multiple times has similar consequences to accessing memory after it is freed. Reading a pointer to deallocated memory is undefined behavior because the pointer value is indeterminate and might be a trap representation. When reading from or writing to freed memory does not cause a trap, it may corrupt the underlying data structures that manage the heap in a manner that can be exploited to execute arbitrary code. Alternatively, writing to memory after it has been freed might modify memory that has been reallocated.
Programmers should be wary when freeing memory in a loop or conditional
statement; if coded incorrectly, these constructs can lead to double-free
vulnerabilities. It is also a common error to misuse the
realloc() function in a manner that results in double-free
vulnerabilities. (See
MEM04-C.
Beware of zero-length allocations.)
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| MEM30-C | High | Likely | Medium | P18 | L1 |
Related Guidelines
| Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| CERT C Secure Coding Standard | MEM01-C. Store a new value in pointers immediately after free() | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CERT C | MEM50-CPP. Do not access freed memory | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TR 24772:2013 | Dangling References to Stack Frames [DCM] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TR 24772:2013 | Dangling Reference to Heap [XYK] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TS 17961 | Accessing freed memory [accfree] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TS 17961 | Freeing memory multiple times [dblfree] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| MISRA C:2012 | Rule 18.6 (required) | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CWE 2.11 | CWE-416, Use After Free | 2017-07-07: CERT: Exact |
| CWE 2.11 | CWE-672 | 2017-07-07: CERT: Rule subset of CWE |
Bibliography
| [ ISO/IEC 9899:2011] | 7.22.3, "Memory Management Functions" |
| [ Kernighan 1988] | Section 7.8.5, "Storage Management" |
| [ OWASP Freed Memory] | |
| [ MIT 2005] | |
| [ Seacord 2013b] | Chapter 4, "Dynamic Memory Management" |
| [ Viega 2005] | Section 5.2.19, "Using Freed Memory" |
| [ VU#623332] | |
| [ xorl 2009] | CVE-2009-1364: LibWMF Pointer Use after free() |
Possible Messages
Key |
Text |
Severity |
Disabled |
|---|---|---|---|
double_free |
Dynamic memory released here was already released earlier |
None |
False |
possible_double_free |
Dynamic memory released here possibly already released earlier |
None |
False |
possible_use_after_free |
Dynamic memory possibly used after it was previously released |
None |
False |
use_after_free |
Dynamic memory used after it was previously released |
None |
False |
Options¶
This rule shares the following common options: exclude_in_macros, exclude_messages_in_system_headers, excludes, extend_exclude_to_macro_invocations, includes, justification_checker, languages, post_processing, provider, report_at, severity
The following places define options that affect this rule: Stylechecks, Analysis-GlobalOptions
functions_with_ignored_deallocators¶
functions_with_ignored_deallocators : set[str] = set()
report_freed_this_at_call¶
report_freed_this_at_call : bool = False
report_read_pointer_args_in_calls_to_undefined¶
report_read_pointer_args_in_calls_to_undefined : bool = True
resources¶
resources
Set of resources to be checked (selection of rules in the Resources group).Type: set[str]
Default:
{'C++ArrayHeapMemory', 'C++HeapMemory', 'CudaAsyncMemory', 'CudaDeviceMemory', 'CudaDriverAsyncMemory', 'CudaHostMemory', 'CudaManagedMemory', 'FileHandle', 'HeapMemory', 'UniquePtrHeapMemory'}
witness_paths¶
witness_paths : bool = True