One of the most common memory corruption errors found in applications is the “double free” error: calling free() twice on the same allocated block. Below is a sample of code containing a double free,

char *Y = (char *)malloc(20);

/* ....... */

if (X)
{
    free(Y);
}

/* ........ */

free(Y);   /* second free of the same block whenever X was true */

Errors like this are hard to spot by inspection once the two free() calls are spread across many functions and files of an application.

 

How memory is allocated ….???

Consider an application that asks for some amount of memory with malloc(). The allocator (the C library’s heap manager, for example glibc malloc, working on memory the OS has mapped in for the process) presents the result as one contiguous block, but the heap behind it is carved into many chunks that are handed out and returned independently. When a chunk is freed, the allocator reuses the chunk’s own bytes for bookkeeping: typically two pointers, the first holding the location of the previous free chunk and the second the location of the next free chunk, so that freed chunks form a list the allocator can search on the next malloc(). Suppose two blocks are freed,

free(X);

free(Y);

Call the two pointers stored inside the freed “X” chunk A and B, and the two stored inside the freed “Y” chunk C and D. After both frees the list looks like this:

A —-> 1st pointer of freed “X”: the previous free chunk, whatever was already on the list

B —-> 2nd pointer of freed “X”: the freed “Y” chunk (“Y” is next to “X” on the list)

C —-> 1st pointer of freed “Y”: the freed “X” chunk (“X” is previous to “Y” on the list)

D —-> 2nd pointer of freed “Y”: the next free chunk on the list

It is a doubly linked list: each free chunk points to its two neighbours, and when the allocator hands a chunk back out it unlinks it by rewriting those neighbours’ pointers. That is exactly why the list pointers matter for security: they live in memory the program can write, and the allocator trusts them.

 

What causes a Double Free Vulnerability ….???

To trigger a double free vulnerability, the same block must be passed to free() twice. Look at the first sample: when X is true, “Y” is freed inside the if block and then freed again at the end

free(Y);     /* freed first time */

free(Y);     /* freed again, second time */

After the second call the same chunk is on the free list twice (with a plain head insertion its next pointer ends up pointing at the chunk itself), so the allocator’s bookkeeping is corrupt: two list entries describe the same memory.

Later, when new memory is allocated, say to “Z”, the allocator can hand that same chunk out twice, so “Z” and a following allocation alias each other and writes through one silently corrupt the other. Because the list pointers are stored in data the program writes, an attacker who controls what gets written into the chunk between the free and the reuse can also steer where the allocator writes when it unlinks the chunk, which is what makes double free a memory corruption vulnerability and not just a crash.

char *Z = (char *)malloc(20);
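The following is an added example, not code from the original post: a toy heap with a doubly linked free list that models the A/B/C/D picture above, and then runs the free(Y); free(Y); malloc(); malloc() sequence against it. The allocator is a deliberately simplified stand-in and is not glibc’s actual code; chunk size, arena size and the self-check in toy_free_checked are all assumptions made for the illustration. It shows the two consequences described above: the unchecked free hands the same chunk out twice, and a free that verifies the chunk is not already on the list refuses the second call, which is the kind of check modern allocators perform.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy heap (assumed for the example): a fixed arena carved into equal
 * chunks. Freed chunks go on a doubly linked free list whose fd/bk
 * pointers are stored in the freed chunk's own first bytes, as real
 * allocators such as glibc malloc do. */
#define CHUNK_SIZE 32
#define NCHUNKS    4

struct chunk {
    struct chunk *fd;   /* next free chunk      (B and D in the text) */
    struct chunk *bk;   /* previous free chunk  (A and C in the text) */
};

static unsigned char arena[NCHUNKS * CHUNK_SIZE];
static size_t        bump;        /* offset of the first never-used chunk */
static struct chunk *free_head;   /* head of the free list, NULL if empty */

static void toy_reset(void) {
    bump = 0;
    free_head = NULL;
    memset(arena, 0, sizeof arena);
}

/* Unchecked free: link the chunk at the head of the free list. */
static void toy_free(void *p) {
    struct chunk *c = (struct chunk *)p;
    c->fd = free_head;
    c->bk = NULL;
    if (free_head) free_head->bk = c;
    free_head = c;
}

/* Reuse the most recently freed chunk, else carve a fresh one from the arena. */
static void *toy_malloc(void) {
    if (free_head) {
        struct chunk *c = free_head;
        free_head = c->fd;
        if (free_head) free_head->bk = NULL;
        return c;
    }
    if (bump + CHUNK_SIZE > sizeof arena) return NULL;
    void *p = arena + bump;
    bump += CHUNK_SIZE;
    return p;
}

/* Hardened free: refuse a chunk that is already on the list. A simplified
 * form of the check modern glibc performs before trusting a freed chunk.
 * Returns 0 on success, -1 on a detected double free. */
static int toy_free_checked(void *p) {
    for (struct chunk *c = free_head; c; c = c->fd)
        if (c == (struct chunk *)p) return -1;
    toy_free(p);
    return 0;
}

/* Failure mode from the text: free Y twice, then allocate twice. The free
 * list now names Y twice (Y's fd points at Y itself), so both "fresh"
 * allocations come back as the same address and a write through one
 * clobbers the other. Returns 1 if that aliasing happened. */
int double_free_causes_aliasing(void) {
    toy_reset();
    char *x = toy_malloc();
    char *y = toy_malloc();
    toy_free(x);
    toy_free(y);
    toy_free(y);                /* the double free */
    char *z1 = toy_malloc();    /* hands out y */
    char *z2 = toy_malloc();    /* hands out y again */
    strcpy(z1, "owned by z1");
    strcpy(z2, "clobbered");    /* silently overwrites z1's data */
    return z1 == z2 && strcmp(z1, "clobbered") == 0;
}

/* Same sequence against the checked free: the third call is rejected.
 * Returns 1 if the first two frees succeed and the third is refused. */
int checked_free_rejects_double_free(void) {
    toy_reset();
    char *x = toy_malloc();
    char *y = toy_malloc();
    int r1 = toy_free_checked(x);
    int r2 = toy_free_checked(y);
    int r3 = toy_free_checked(y);
    return r1 == 0 && r2 == 0 && r3 == -1;
}

int main(void) {
    printf("double free aliases later allocations: %d\n", double_free_causes_aliasing());
    printf("checked free rejects double free:      %d\n", checked_free_rejects_double_free());
    return 0;
}
```

Note that after the double free the chunk “X” is no longer reachable from the list at all, because the second free(Y) overwrote Y’s forward pointer; in a real heap that kind of silent loss of bookkeeping is as typical a symptom as the aliasing.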

 

How to avoid Double Free error while coding …?

One way to avoid a double free in code is to set the pointer to NULL immediately after it has been freed.

char *Y = (char *)malloc(20);

/* ....... */

if (X)
{
    free(Y);
    Y = NULL;
}

/* ........ */

free(Y);   /* when X was true this is nothing but free(NULL) */

free(NULL) is defined by the C standard to do nothing, so the second call is harmless. The caveat is that setting a pointer to NULL resets only that one variable: any other copy of the pointer still holds the old address and is now dangling, so the rule has to be applied to every variable that refers to the block, not just the one at the first free() site.
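As an added example, not code from the original post, here is the free-and-null idiom packaged so the reset cannot be forgotten, exercised on the fixed sample above for both values of X, together with the caveat that a copy of the pointer is not protected. The helper free_and_null, the FREE_AND_NULL macro and the counting return values are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Free through a pointer-to-pointer so the caller's variable is reset in the
 * same step; the free and the "Y = NULL" cannot drift apart. Returns 1 if a
 * live block was released, 0 if the variable was already NULL (free(NULL) is
 * defined by the C standard to do nothing). Helper assumed for the example. */
static int free_and_null(char **pp) {
    int released = (*pp != NULL);
    free(*pp);
    *pp = NULL;
    return released;
}

/* Equivalent macro form for call sites that prefer not to take the address
 * of the pointer. Assumed for the example. */
#define FREE_AND_NULL(p) do { free(p); (p) = NULL; } while (0)

/* The fixed sample from the text: a conditional free followed by an
 * unconditional one. Returns how many times the block actually reached the
 * allocator, which must be exactly 1 whether or not the branch is taken. */
int fixed_sample(int x) {
    char *y = malloc(20);
    if (y == NULL) return -1;
    strcpy(y, "payload");
    int released = 0;
    if (x)
        released += free_and_null(&y);   /* first free */
    released += free_and_null(&y);       /* free(NULL) when x was true */
    return released;
}

/* Caveat: nulling resets only the variable you null. A copy of the pointer
 * taken before the free still holds the old address and is now dangling.
 * Returns 1 if such an alias survives, showing the idiom has to be applied
 * to every variable that refers to the block. */
int alias_still_dangles(void) {
    char *y = malloc(20);
    if (y == NULL) return -1;
    char *alias = y;
    FREE_AND_NULL(y);
    int dangles = (y == NULL && alias != NULL);
    /* do not touch alias here: reading through it or freeing it is the bug */
    return dangles;
}

int main(void) {
    printf("frees reaching allocator, branch taken:     %d\n", fixed_sample(1));
    printf("frees reaching allocator, branch not taken: %d\n", fixed_sample(0));
    printf("alias still dangles after free-and-null:    %d\n", alias_still_dangles());
    return 0;
}
```

In practice the idiom is most valuable in cleanup paths and destructors that can be reached more than once; where ownership of a block is shared between several pointers, a single owner (or a reference count) is the real fix, and nulling the pointers is only a safety net.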

To detect this kind of memory corruption error, open-source tools are very handy: Valgrind’s memcheck reports the second call as an “Invalid free()” together with both call stacks, and the GCC/Clang AddressSanitizer (-fsanitize=address) aborts with “attempting double-free” and shows where the block was first freed. Modern glibc also checks for some cases itself and aborts with messages such as “free(): double free detected in tcache 2”, and the GNU Project debugger (gdb) lets you catch that abort and inspect the call stack that led to it.

 
– Shashi Kiran
