Evaluating a pointer—including dereferencing the pointer, using it as an operand of an arithmetic operation, type casting it, and using it as the right-hand side of an assignment—into memory that has been deallocated by a memory management function is undefined behavior 183. Pointers to memory that has been deallocated are called dangling pointers. Accessing a dangling pointer can result in exploitable vulnerabilities.
According to the C Standard, using the value of a pointer that refers to space deallocated by a call to the free() or realloc() function is undefined behavior. (See undefined behavior 177183.)
Reading a pointer to deallocated memory is undefined behavior 183 because the pointer value is indeterminate and might be a trap representation. Fetching a trap representation might perform a hardware trap (but is not required to).
...
Freeing memory multiple times has similar consequences to accessing memory after it is freed. Reading a pointer to deallocated memory is undefined behavior because 183 because the pointer value is indeterminate and might be a trap representation. When reading from or writing to freed memory does not cause a trap, it may corrupt the underlying data structures that manage the heap in a manner that can be exploited to execute arbitrary code. Alternatively, writing to memory after it has been freed might modify memory that has been reallocated.
Programmers should be wary when freeing memory in a loop or conditional statement; if coded incorrectly, these constructs can lead to double-free vulnerabilities. It is also a common error to misuse the realloc() function in a manner that results in double-free vulnerabilities. (See MEM04-C. Beware of zero-length allocations.)
Rule | Severity | Likelihood | Detectable | RepairableRemediation Cost | Priority | Level |
|---|---|---|---|---|---|---|
MEM30-C | High | Likely | No | NoMedium | P18P9 | L1L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| dangling_pointer_use | Supported Astrée reports all accesses to freed allocated memory. | ||||||||||||||||||
| Axivion Bauhaus Suite |
| CertC-MEM30 | Detects memory accesses after its deallocation and double memory deallocations | ||||||||||||||||||
| CodeSonar |
| ALLOC.UAF | Use after free | ||||||||||||||||||
| Compass/ROSE | |||||||||||||||||||||
| USE_AFTER_FREE | Can detect the specific instances where memory is deallocated more than once or read/written to the target of a freed pointer | |||||||||||||||||||
| Cppcheck |
| doubleFree deallocret deallocuse | |||||||||||||||||||
| Cppcheck Premium |
| doubleFree deallocret deallocuse | |||||||||||||||||||
| Helix QAC |
| C4866DF4866, | C4867DF4867, | C4868DF4868, | C4871DF4871, | C4872DF4872, | C4873DF4873 C++3339, C++4303, C++4304 | , C++4866, C++4867, C++4868, C++4871, C++4872, C++4873||||||||||||||
| Klocwork |
| UFM.DEREF.MIGHT UFM.DEREF.MUST UFM.FFM.MIGHT UFM.FFM.MUST UFM.RETURN.MIGHT UFM.RETURN.MUST UFM.USE.MIGHT UFM.USE.MUST | |||||||||||||||||||
| LDRA tool suite |
| 51 D, 484 S, 112 D | Partially implemented | ||||||||||||||||||
| Parasoft C/C++test |
| CERT_C-MEM30-a | Do not use resources that have been freed | ||||||||||||||||||
| Parasoft Insure++ | Runtime analysis | ||||||||||||||||||||
| PC-lint Plus |
| 449, 2434 | Fully supported | ||||||||||||||||||
| Polyspace Bug Finder |
| Checks for | use of :
| (rule Rule partially covered | )PRQA QA-C | ||||||||||||||||
| Include Page | PRQA QA-C_v | PRQA QA-C_v | 2731, 2732, 2733 | PRQA QA-C++ | |||||||||||||||||
| Include Page | cplusplus:PRQA QA-C++_V | cplusplus:PRQA QA-C++_V | . | ||||||||||||||||||
| PVS-Studio |
| V586, V774 | |||||||||||||||||||
| Security Reviewer - Static Reviewer |
| CPP_12 | Fully implemented | 3339, 4303, 4304 | PVS-Studio | | Include Page | | PVS-Studio_V | PVS-Studio_V | V586, V774||||||||||||
| Splint |
| ||||||||||||||||||||
| TrustInSoft Analyzer |
| dangling_pointer | Exhaustively verified (see one compliant and one non-compliant example). |
Related Vulnerabilities
VU#623332 describes a double-free vulnerability in the MIT Kerberos 5 function krb5_recvauth().
...
Bibliography
| [ISO/IEC 9899:20112024] | 7.2224.3, "Memory Management Functions" |
| [Kernighan 1988] | Section 7.8.5, "Storage Management" |
| [OWASP Freed Memory] | |
| [MIT 2005] | |
| [Seacord 2013b] | Chapter 4, "Dynamic Memory Management" |
| [Viega 2005] | Section 5.2.19, "Using Freed Memory" |
| [VU#623332] | |
| [xorl 2009] | CVE-2009-1364: LibWMF Pointer Use after free() |
...