Double Free

Calling free() twice on the same pointer corrupts allocator metadata, often leading to arbitrary write primitives.

Definition

A double-free is a memory-safety bug in which the program returns the same allocated region to the memory allocator twice. The allocator's free-list is now in a corrupt state: a single chunk appears twice on the list, so subsequent allocations may return the same address to two unrelated callers. The two callers then mutate "their" memory in conflict, and an attacker who controls the order and contents of allocations can engineer almost any heap-corruption primitive from there.

Double-free is closely related to use-after-free — both involve the allocator's invariants — but the exploitation surface is the allocator's metadata rather than the freed object's contents. Modern hardened allocators (glibc since 2.27, jemalloc, scudo) detect simple double-frees and abort the process, raising the cost for the attacker without eliminating the bug class entirely.

How it works

The program has two code paths that both believe they own a piece of memory, and each runs its own cleanup, so the same pointer is passed to free() twice. Glibc's fastbin double-free check catches the trivial case where the same chunk is freed twice in a row at the head of the free list, but a tcache double-free with an intervening allocation slips past the check. With control over a few subsequent allocations, the attacker arranges for a chosen address to be returned as the next allocation, a primitive that turns into an arbitrary write.

Impact

Heap-corruption code-execution chains, allocator-metadata leaks, and process aborts (DoS) when the allocator detects the corruption.

Mitigation

Set pointers to `nullptr` after free, so a second cleanup path sees a null pointer, which free() ignores. Use RAII / smart pointers in C++ so that ownership, and therefore the single free, is decided by the type rather than by each code path. Enable hardened-allocator features (e.g. `MALLOC_CHECK_=3` on glibc, the `GuardedPoolAllocator` in scudo). Run AddressSanitizer in test builds, which reports the second free with both stack traces. The longer-term answer is the same as for use-after-free: memory-safe languages.
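The two-path teardown from "How it works" and the null-after-free mitigation above, as an added example that is not code from the original page: request_t, debug_free and debug_malloc are constructed for illustration, and the debug wrapper stands in for the allocator's own check so the second free is reported rather than reaching the allocator as undefined behaviour.

```c
#include <stdlib.h>

/* Constructed debug wrapper: remembers addresses handed to free() so a repeat can be caught. */
#define TRACK_SLOTS 64
static void *freed_log[TRACK_SLOTS];  /* addresses already handed to free() */
static int freed_count;

/* Debug free: returns 1 if p was already freed (allocator left untouched),
 * 0 after a legitimate first free. NULL is a no-op, exactly like free(). */
static int debug_free(void *p) {
    if (p == NULL) return 0;
    for (int i = 0; i < freed_count; i++)
        if (freed_log[i] == p) return 1;          /* double free caught */
    if (freed_count < TRACK_SLOTS) freed_log[freed_count++] = p;
    free(p);
    return 0;
}

/* Debug malloc: the allocator may recycle a freed address, so forget it here
 * or the next legitimate free of the new chunk would be flagged. */
static void *debug_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < freed_count; i++)
        if (freed_log[i] == p) { freed_log[i] = freed_log[--freed_count]; break; }
    return p;
}

typedef struct { char *buf; } request_t;   /* constructed: a request owning one heap buffer */

/* Vulnerable pattern: the pointer is left dangling after the free, so a
 * second cleanup path passes the same chunk to free() again. */
static int release_unsafe(request_t *r) { return debug_free(r->buf); }

/* Hardened pattern: free and null in one step; the second path sees NULL. */
static int release_safe(request_t *r) {
    int rc = debug_free(r->buf);
    r->buf = NULL;
    return rc;
}

/* Run both cleanup paths on one request; returns how many double frees the
 * debug wrapper caught (1 for the unsafe release, 0 for the hardened one). */
static int teardown_both_paths(int (*release)(request_t *)) {
    request_t r = { debug_malloc(16) };
    if (r.buf == NULL) return -1;
    int caught = release(&r);   /* error path */
    caught += release(&r);      /* normal path runs as well: the bug */
    return caught;
}
```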

Examples

  • CVE-2015-7547 — glibc DNS resolver double-free / stack buffer overflow combo.
