Double Free Vulnerability Basics Explained

  • Post author:
  • Reading time:8 mins read

One of the most common memory corruption errors usually found in an application is the “Double Free” error. Double-free vulnerability is caused by freeing the same memory location twice by calling free() on the same allocated memory. However, this vulnerability detection can be simple using a vulnerability management tool.

Also, once a vulnerability is detected, it must be patched too. Which can be done using a patch management software.

 Below is a sample “Double Free” error code,

char* Y = (char*)malloc(20);

…….

If (X)

{

free(Y);

}

……..

free(Y)

Finding such errors in many files in an application becomes too complex.

How memory is allocated without double-free vulnerability:

Consider an application that requests the OS (Operating System) to allocate some amount of memory. Usually, OS projects to the application as if the requested block of memory is one chunk of memory block, but the memory will be segregated in different places. OS usually maintains 2 pointers for each memory location, 1st pointer will have location details of the previous free memory, and the 2nd pointer will have location details of the next free memory location. When you “free()” memory locations,

free(X)

free(Y)

Consider “A” and “B” points to the two pointers of “X” memory location and “C” and “D” points to the two pointers of “Y” memory location.

A —-> 1st pointer of freed “X” memory block holds the previous random memory location

B —-> 2nd pointer of freed “X” memory block holds “y” freed memory location (“Y” memory location is next to “X” memory location)

C —-> 1st pointer of freed “Y” will hold “X” freed memory location (“X” memory location is previous to “Y” memory location)

D —-> 2nd pointer of freed “Y” will hold the next random memory location

It’s similar to a Doubly-linked list.

Here “A” will be holding the previous free random memory location, “B” will be holding the “Y” memory location, and “C” will be holding the “X” memory location; therefore, “D” will be holding the next free random memory location.

What causes a Double Free error Vulnerability ….???

To trigger a double Free Vulnerability, the same memory location should be freed (“free()”) twice. Have a look at the first sample code, variable “Y” is freed twice

free(Y)     # freed first time

free(Y)     # freed again second time

When the same memory-allocated variable is freed twice, multiple memory location pointers will be pointing to the same freed memory location.

Later, an undesirable condition may lead to memory corruption if new memory is allocated to “Z”.

char* Z = (char*)malloc(20);

How to avoid Double Free Vulnerabilit while coding …?

One of the ways to avoid Double Free errors in the code is by assigning the pointer to null after it’s been freed once.

char* Y = (char*)malloc(20);

…….

If (X)

{

free(Y);

Y = NULL;

}

……..

free(Y) # It’s nothing but free(NULL)

free(NULL) will be a dead code that particularly does nothing.

To detect this kind of memory corruption error, Open-Source tools like Valgrind or GNU Project debugger are very much handy, which additionally helps to analyze code in a better way.

– Shashi Kiran

Share this article