Test case 10

Double-free. Once a malloc family buffer is freed, one is not allowed to use that pointer at all. Attempting to free the same pointer again (without again allocating it memory via one of the malloc family APIs) is a bug: double free. It results in heap corruption; bugs like this are often exploited by attackers to cause denial-of-service (DoS) attacks or worse (privilege escalation).

Here is a simple test case:

/* test case 10 : double-free test case */
static void doublefree(int cond)
{
    char *ptr;
    char name[]="Hands-on Linux Sys Prg";
    int n=512;

    printf("%s(): cond %d
", __FUNCTION__, cond);
    ptr = malloc(n);
    if (!ptr)
        FATAL("malloc failed
");
    strncpy(ptr, name, strlen(name));
    free(ptr);

    if (cond) {
        bogus = malloc(-1UL); /* will fail! */
        if (!bogus) {
            fprintf(stderr, "%s:%s:%d: malloc failed
",
                       __FILE__, __FUNCTION__, __LINE__);
            free(ptr); /* Bug: double-free */
            exit(EXIT_FAILURE);
        }
    }
}

In the preceding test case, we simulate an interesting and quite realistic scenario: a runtime condition (simulated via the cond parameter) causes the program to perform a call that, let's say, fails—malloc(-1UL) pretty much guarantees that.

Why? Because, on a 64-bit OS, -1UL = 0xffffffffffffffff = 18446744073709551615 bytes = 16 EB. That's the entire extent of the virtual address space on 64-bit.

Back to the point: within our malloc error-handling code, an erroneous double-free—of the previously freed ptr pointeroccurs, resulting in a double free bug.

The real problem is that often, as developers, we do not write (negative) test cases for error-handling code paths; a defect then escapes undetected into the field:

$ ./membugs 10
doublefree(): cond 0
doublefree(): cond 1
membugs.c:doublefree:56: malloc failed
$

Interestingly, the compiler does warn us regarding the faulty (read buggy) second malloc (but not regarding the double free!); see the following:

$ make
[...]
membugs.c: In function ‘doublefree’:
membugs.c:125:9: warning: argument 1 value ‘18446744073709551615’ exceeds maximum object size 9223372036854775807 [-Walloc-size-larger-than=]
   bogus = malloc(-1UL); /* will fail! */
   ~~~~~~^~~~~~~~~~~~~~
In file included from membugs.c:18:0:
/usr/include/stdlib.h:539:14: note: in a call to allocation function ‘malloc’ declared here
 extern void *malloc (size_t __size) __THROW __attribute_malloc__ __wur;
              ^~~~~~
[...]
To help emphasize the importance of detecting and fixing such bugsand remember, this is just one example— we show as follows some information from the National Vulnerability Database (NVD) on double free bugs within the last 3 years (at the time of this writing): https://nvd.nist.gov/vuln/search/results?adv_search=false&form_type=basic&results_type=overview&search_type=last3years&query=double+free

A partial screenshot of the search result performed on the National Vulnerability Database (NVD) on double free bugs within the last 3 years (at the time of this writing) follows:

The complete screenshot has not been shown here.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset