Re: CWE-459


Re: CWE-459

rcvalle
> On Tue, 18 Dec 2012, Martin Sebor wrote:
>
>> On 12/18/2012 12:30 PM, Steve Grubb wrote:
>>> Hello,
>>>
>>> I was curious if CWE-459 is specific to file descriptors as all the
>>> examples show, or would this also include something like calling delete
>>> on an array of classes when delete[] should have been called?
>>
>> I believe CWE-762: Mismatched Memory Management Routines
>> is the weakness you're looking for, though it could use
>> another example describing the mismatched forms of
>> operators new and delete.
>
> Agreed that CWE-762 could use additional examples.
>
> In this particular case, it seems appropriate to use CWE-762.  However, if
> I understand Steve's example correctly, there could be scenarios where the
> destructors are not called but the code continues to run.  In this case,
> there might be resources that are not released, which would be a chain
> where CWE-762 is primary and CWE-459 is resultant.
>
> In Steve's example, he says that glibc aborts the program due to memory
> corruption - so when glibc is running, there might be a chain with a
> different CWE than CWE-459.
>
>> CWE-459: Incomplete Cleanup is about leaking resources,
>> which may include file descriptors (though I don't see
>> any relevant examples).
>
> CWE-459 effectively covers file descriptors and any other type of
> resource, but note that CWE-775 (Missing Release of File Descriptor or
> Handle after Effective Lifetime) is a child of CWE-772 (Missing Release of
> Resource after Effective Lifetime), which is similar to CWE-459.  But,
> CWE-459 emphasizes temporary resources and its description mentions
> "improper" cleanup (which, by CWE's definition, means cleanup that is
> missing *or* incorrect).  So there may be some overlap between CWE-459 and
> CWE-772 that cannot be fully resolved because they focus on different
> aspects of a problem.
I know it has been some time, but I was checking the archives and I
noticed I sent my reply to this to the wrong thread at
http://making-security-measurable.1364806.n2.nabble.com/Use-after-free-tp7579488p7579537.html,
where I explain why I think it is best mapped to CWE-404 instead of CWE-459.

>
>
> Steve Christey
> CWE Technical Lead

--
Ramon de C Valle / Red Hat Product Security Team
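An added illustration of the new[]/delete mismatch the thread discusses (not code from the thread or from any of its authors): a constructed `Handle` class counts the resources it holds, so the correctly paired delete[] and a container-based alternative can be checked to release everything, while the mismatched form is shown only in a comment because executing it is undefined behaviour. Names such as `Handle`, `release_array_correctly` and `release_via_vector` are assumptions made for this example.

```cpp
// Added example (not from the thread). Handle stands in for any resource
// whose destructor must run to release it: the CWE-762 mismatch (delete on
// a new[] array) skips destructors, and the resources left behind are the
// resultant CWE-459 incomplete cleanup mentioned in the thread.
#include <cstddef>
#include <vector>

struct Handle {
    static std::size_t open_count;   // resources currently held
    static std::size_t dtor_calls;   // how many destructors actually ran
    Handle()              { ++open_count; }
    Handle(const Handle&) { ++open_count; }
    ~Handle()             { --open_count; ++dtor_calls; }
};
std::size_t Handle::open_count = 0;
std::size_t Handle::dtor_calls = 0;

// Correct pairing: new[] with delete[]. Every element's destructor runs, so
// every held resource is released. Returns the number of handles still open.
std::size_t release_array_correctly(std::size_t n) {
    Handle::dtor_calls = 0;
    Handle* arr = new Handle[n];
    delete[] arr;                    // runs all n destructors
    return Handle::open_count;       // expected: 0
}

// Mismatched pairing (the form the thread discusses), kept as a comment
// because it is undefined behaviour: at most one destructor runs, leaving
// n-1 handles held, and the pointer passed to operator delete is not the one
// new[] obtained from the allocator (the array cookie sits in front of it),
// which is the heap corruption glibc detects before aborting.
//
//     Handle* arr = new Handle[n];
//     delete arr;                  // WRONG: must be delete[] arr
//
// Mitigation that removes the pairing decision altogether: let a container
// own the array, so the matching release happens at end of scope.
std::size_t release_via_vector(std::size_t n) {
    Handle::dtor_calls = 0;
    {
        std::vector<Handle> v(n);    // n handles constructed in place
    }                                // all n destroyed here
    return Handle::open_count;       // expected: 0
}
```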