CWE-459


CWE-459

Steve Grubb
Hello,

I was curious if CWE-459 is specific to file descriptors as all the examples
show, or would this also include something like calling delete on an array of
classes when delete[] should have been called?

If this is intended to be limited to file descriptors, should a new CWE be
allocated for this? By calling delete on an array of classes, the destructors
are not called. (In the case of glibc, the program gets aborted due to memory
corruption.) Using the delete[] will cause things to work as intended.

Thanks,
-Steve

Re: CWE-459

Martin Sebor
On 12/18/2012 12:30 PM, Steve Grubb wrote:
> Hello,
>
> I was curious if CWE-459 is specific to file descriptors as all the examples
> show, or would this also include something like calling delete on an array of
> classes when delete[] should have been called?

I believe CWE-762: Mismatched Memory Management Routines
is the weakness you're looking for, though it could use
another example describing the mismatched forms of
operators new and delete.

CWE-459: Incomplete Cleanup is about leaking resources,
which may include file descriptors (though I don't see
any relevant examples).

Martin

>
> If this is intended to be limited to file descriptors, should a new CWE be
> allocated for this? By calling delete on an array of classes, the destructors
> are not called. (In the case of glibc, the program gets aborted due to memory
> corruption.) Using the delete[] will cause things to work as intended.
>
> Thanks,
> -Steve

Re: CWE-459

Steven M. Christey-3
On Tue, 18 Dec 2012, Martin Sebor wrote:

> On 12/18/2012 12:30 PM, Steve Grubb wrote:
>> Hello,
>>
>> I was curious if CWE-459 is specific to file descriptors as all the
>> examples
>> show, or would this also include something like calling delete on an array
>> of
>> classes when delete[] should have been called?
>
> I believe CWE-762: Mismatched Memory Management Routines
> is the weakness you're looking for, though it could use
> another example describing the mismatched forms of
> operators new and delete.

Agreed that CWE-762 could use additional examples.

In this particular case, it seems appropriate to use CWE-762.  However, if
I understand Steve's example correctly, there could be scenarios where the
destructors are not called but the code continues to run.  In this case,
there might be resources that are not released, which would be a chain
where CWE-762 is primary and CWE-459 is resultant.

In Steve's example, he says that glibc aborts the program due to memory
corruption - so when glibc is running, there might be a chain with a
different CWE than CWE-459.

> CWE-459: Incomplete Cleanup is about leaking resources,
> which may include file descriptors (though I don't see
> any relevant examples).

CWE-459 effectively covers file descriptors and any other type of
resource, but note that CWE-775 (Missing Release of File Descriptor or
Handle after Effective Lifetime) is a child of CWE-772 (Missing Release of
Resource after Effective Lifetime), which is similar to CWE-459.  But,
CWE-459 emphasizes temporary resources and its description mentions
"improper" cleanup (which, by CWE's definition, means cleanup that is
missing *or* incorrect).  So there may be some overlap between CWE-459 and
CWE-772 that cannot be fully resolved because they focus on different
aspects of a problem.


Steve Christey
CWE Technical Lead

Re: CWE-459

Steve Grubb
On Thursday, December 20, 2012 12:41:05 AM Steven M. Christey wrote:

> On Tue, 18 Dec 2012, Martin Sebor wrote:
> > On 12/18/2012 12:30 PM, Steve Grubb wrote:
> >> Hello,
> >>
> >> I was curious if CWE-459 is specific to file descriptors as all the
> >> examples
> >> show, or would this also include something like calling delete on an
> >> array
> >> of
> >> classes when delete[] should have been called?
> >
> > I believe CWE-762: Mismatched Memory Management Routines
> > is the weakness you're looking for, though it could use
> > another example describing the mismatched forms of
> > operators new and delete.
>
> Agreed that CWE-762 could use additional examples.
>
> In this particular case, it seems appropriate to use CWE-762.  However, if
> I understand Steve's example correctly, there could be scenarios where the
> destructors are not called but the code continues to run.  In this case,
> there might be resources that are not released, which would be a chain
> where CWE-762 is primary and CWE-459 is resultant.
>
> In Steve's example, he says that glibc aborts the program due to memory
> corruption - so when glibc is running, there might be a chain with a
> different CWE than CWE-459.

This demonstrates the problem (although contrived):

// operator delete[] example
#include <iostream>
#include <new>
using namespace std;

struct myclass {
  myclass() {cout <<"myclass constructed\n";}
  ~myclass() {cout <<"myclass destroyed\n";}
};

int main (void) {
  myclass * pt;

  pt = new myclass[3];
  delete pt;   // mismatched: allocated with new[], released with scalar delete

  return 0;
}

Trying it out:
$ ./test
myclass constructed
myclass constructed
myclass constructed
myclass destroyed
*** glibc detected *** ./test: munmap_chunk(): invalid pointer:
0x0000000001afa018 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3e4107b646]
./test[0x4009ca]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x3e41021a05]
./test[0x400899]


So, for a current gcc/glibc combo, you'd likely get a DoS. For older
versions/other implementations on other OSes, it may keep running and leak
memory or exhaust descriptors, etc.

-Steve


> > CWE-459: Incomplete Cleanup is about leaking resources,
> > which may include file descriptors (though I don't see
> > any relevant examples).
>
> CWE-459 effectively covers file descriptors and any other type of
> resource, but note that CWE-775 (Missing Release of File Descriptor or
> Handle after Effective Lifetime) is a child of CWE-772 (Missing Release of
> Resource after Effective Lifetime), which is similar to CWE-459.  But,
> CWE-459 emphasizes temporary resources and its description mentions
> "improper" cleanup (which, by CWE's definition, means cleanup that is
> missing *or* incorrect).  So there may be some overlap between CWE-459 and
> CWE-772 that cannot be fully resolved because they focus on different
> aspects of a problem.
>
>
> Steve Christey
> CWE Technical Lead
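The chain Christey describes (CWE-762 primary, CWE-459 resultant) only matters when each element owns a resource that its destructor releases. The following is an added example, not code from the thread: a class that counts its live instances, so that a checkpoint can verify the cleanup actually happened, alongside the two release forms that do pair correctly with `new[]`. `TrackedHandle` and its functions are names chosen here for illustration.

```cpp
// Added example (not from the thread): a class that owns a resource and
// counts how many instances are still alive, so incomplete cleanup
// (CWE-459) caused by a mismatched release (CWE-762) becomes measurable.
#include <cstddef>
#include <iostream>
#include <memory>

struct TrackedHandle {
    static int live;                 // handles constructed but not yet destroyed
    int *buffer;                     // stands in for an fd or any owned resource
    TrackedHandle() : buffer(new int[16]) { ++live; }
    ~TrackedHandle() { delete[] buffer; --live; }
    TrackedHandle(const TrackedHandle &) = delete;
    TrackedHandle &operator=(const TrackedHandle &) = delete;
};
int TrackedHandle::live = 0;

// Correct manual pairing: memory from new[] goes back through delete[],
// which runs every element's destructor. Returns the live count afterwards.
int release_with_array_delete(std::size_t n) {
    TrackedHandle *arr = new TrackedHandle[n];
    delete[] arr;                    // matches new[]; all n destructors run
    return TrackedHandle::live;
}

// Preferred fix: let an owning smart pointer pick the matching release.
// unique_ptr<T[]> always calls delete[], so the scalar-delete mismatch
// from the thread cannot be written by accident.
int release_with_unique_ptr(std::size_t n) {
    {
        std::unique_ptr<TrackedHandle[]> arr(new TrackedHandle[n]);
        // arr leaves scope here; delete[] runs for all n elements
    }
    return TrackedHandle::live;
}

// Audit checkpoint: a non-zero live count means some destructor never ran,
// i.e. the CWE-459 consequence discussed above.
bool all_released() { return TrackedHandle::live == 0; }

int main() {
    std::cout << "live after delete[]:   " << release_with_array_delete(3) << "\n";
    std::cout << "live after unique_ptr: " << release_with_unique_ptr(3) << "\n";
    std::cout << (all_released() ? "all handles released" : "LEAK detected") << "\n";
    return all_released() ? 0 : 1;
}
```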

Re: CWE-459

granthyde
I have no idea what this is and I want you to remove me from this list. Thanks a bunch!


From: "Steve Grubb" <[hidden email]>
To: "Steven M. Christey" <[hidden email]>
Cc: "Martin Sebor" <[hidden email]>, [hidden email], [hidden email]
Sent: Friday, December 21, 2012 11:41:04 AM
Subject: Re: CWE-459


Re: CWE-459

Office of Residential Life
In reply to this post by Steve Grubb
Kindly remove me from your list.


Thank you.

On Fri, Dec 21, 2012 at 9:41 PM, Steve Grubb <[hidden email]> wrote: