Double Free Detection
Detection Workflow
- Identify free operations: find every free(), delete and delete[] call (and any project-specific deallocator wrapper around them) and note which pointer each one releases
- Track pointer usage: use xrefs_to to trace each freed pointer back to its definition and forward to every use, and identify aliases (copies of the pointer held in locals, struct fields or globals)
- Analyze control flow: map all code paths that reach a free site and check whether any path can reach two free sites for the same allocation (error-handling paths and shared cleanup routines are the usual culprits)
- Assess exploitability: can an attacker trigger the double free deterministically, and can they allocate between the two frees to turn the freed chunk into useful heap corruption?
Key Patterns
- Direct double free: free() called twice on the same pointer in a single path
- Conditional double free: free() reachable from multiple paths (for example an error path that frees and a cleanup path that frees again) without the pointer being cleared in between
- Indirect double free: the same allocation freed through different pointers (aliases, struct members, container entries) that are not recognised as the same object
- Reference-counting errors: an extra decrement or a missing increment lets the count reach zero twice, so the object is released twice
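The following is an added example, not code from this page or from any analysed binary. It models the workflow and patterns above in C: a tracked free() wrapper records freed addresses and reports a second free of the same address instead of executing it, and the three source-level patterns (direct, conditional, indirect) are driven through it. The last function shows the usual fix, clearing the pointer at the free site so the later free is a no-op. All names (tracked_free, struct session, open_session_buggy, SAFE_FREE) are invented for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative tracker: remembers freed addresses so a second free of the
 * same address is reported rather than handed to the allocator. */
#define MAX_TRACKED 64
static void *freed_ptrs[MAX_TRACKED];
static size_t freed_count;
static int double_free_hits;

static void tracker_reset(void) { freed_count = 0; double_free_hits = 0; }

/* Returns 1 (and does not call free) if p was already freed, else frees p. */
static int tracked_free(void *p, const char *site) {
    if (p == NULL) return 0;              /* free(NULL) is a no-op per the C standard */
    for (size_t i = 0; i < freed_count; i++) {
        if (freed_ptrs[i] == p) {
            double_free_hits++;
            fprintf(stderr, "DOUBLE FREE: %p freed again at %s\n", p, site);
            return 1;
        }
    }
    if (freed_count < MAX_TRACKED) freed_ptrs[freed_count++] = p;
    free(p);
    return 0;
}

/* Pattern 1: direct double free on one path. Returns number of hits (1). */
static int pattern_direct(void) {
    tracker_reset();
    char *buf = malloc(32);
    if (!buf) return -1;
    tracked_free(buf, "direct:first");
    tracked_free(buf, "direct:second");   /* same pointer, no clear in between */
    return double_free_hits;
}

/* Pattern 2: conditional double free. The error path frees s->name but
 * leaves the field dangling; the caller's shared cleanup frees it again. */
struct session { char *name; int fd; };

static int open_session_buggy(struct session *s, int fail) {
    s->name = malloc(16);
    if (!s->name) return -1;
    strcpy(s->name, "guest");
    if (fail) {
        tracked_free(s->name, "open_session error path");
        return -1;                        /* bug: s->name still points at freed memory */
    }
    return 0;
}

static void close_session(struct session *s) {
    tracked_free(s->name, "close_session");
    s->name = NULL;
}

static int pattern_conditional(void) {
    tracker_reset();
    struct session s = {0};
    if (open_session_buggy(&s, 1) != 0)
        close_session(&s);                /* second free of the same allocation */
    return double_free_hits;
}

/* Pattern 3: indirect double free through an alias of the pointer. */
static int pattern_indirect(void) {
    tracker_reset();
    char *owner = malloc(8);
    if (!owner) return -1;
    char *alias = owner;                  /* xrefs to 'alias' must be traced as well */
    tracked_free(owner, "owner");
    tracked_free(alias, "alias");
    return double_free_hits;
}

/* Fix: clear the pointer where it is freed so any later free sees NULL. */
#define SAFE_FREE(p) do { tracked_free((p), #p); (p) = NULL; } while (0)

static int open_session_fixed(struct session *s, int fail) {
    s->name = malloc(16);
    if (!s->name) return -1;
    strcpy(s->name, "guest");
    if (fail) { SAFE_FREE(s->name); return -1; }
    return 0;
}

static int pattern_conditional_fixed(void) {
    tracker_reset();
    struct session s = {0};
    if (open_session_fixed(&s, 1) != 0)
        close_session(&s);                /* s->name is NULL: nothing to free */
    return double_free_hits;              /* 0 */
}

int main(void) {
    printf("direct=%d conditional=%d indirect=%d fixed=%d\n",
           pattern_direct(), pattern_conditional(),
           pattern_indirect(), pattern_conditional_fixed());
    return 0;
}
```

Each pattern function resets the tracker and performs a single allocation, so address reuse by the allocator cannot produce a false report; a tracker used across a whole program would need to evict an address from the table when malloc returns it again.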
Output Format
Report with: id, type, subtype, severity, confidence, location, freed pointer, first free, second free, double free path, exploitability, attack scenario, impact, mitigation.
Severity Guidelines
- CRITICAL: attacker-triggerable double free with code-execution potential (the freed chunk can be reallocated with attacker-controlled contents before the second free or the next use)
- HIGH: double free causing heap metadata corruption that is not yet shown to be controllable
- MEDIUM: double free whose only demonstrated effect is a crash, for example an allocator abort such as glibc's "free(): double free detected in tcache 2" check
- LOW: double free that is not reachable from untrusted input or has otherwise limited impact
See Also
- patterns.md - Detailed detection patterns and exploitation scenarios
- examples.md - Example analysis cases and code samples
- references.md - CWE references and mitigation strategies