CWE-789: Uncontrolled Memory Allocation

Structure: Simple

Abstraction: Variant

Status: Draft

Likelihood of Exploit: Low

Description

The product allocates memory based on an untrusted size value, but it does not validate or incorrectly validates the size, allowing arbitrary amounts of memory to be allocated.

Related Weaknesses

Nature | CWE ID | View ID | Ordinal
ChildOf | CWE-770 | 1000 | Primary
ChildOf | CWE-770 | 699 | Primary
CanPrecede | CWE-476 | 1000 |

Applicable Platforms

Language: C (Prevalence: Undetermined), C++ (Prevalence: Undetermined), Language-Independent (class; Prevalence: Undetermined)

Common Consequences

Scope | Impact | Notes
Availability | DoS: Resource Consumption (Memory) | Not controlling memory allocation can result in a request for too much system memory, possibly leading to a crash of the application due to out-of-memory conditions, or the consumption of a large amount of memory on the system.

Potential Mitigations

Phase: Implementation, Architecture and Design

Strategy:

Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.

Phase: Operation

Strategy:

Run your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.

Demonstrative Examples

Consider the following code, which accepts an untrusted size value and allocates a buffer to contain a string of the given size.

Example language: C (bad code)

#include <stdlib.h>

unsigned int size = GetUntrustedInt();
/* ignore integer overflow (CWE-190) for this example */

/* size is never checked against an upper bound before it drives malloc() */
unsigned int totBytes = size * sizeof(char);
char *string = (char *)malloc(totBytes);
InitializeString(string);

Suppose an attacker provides a size value of 305,419,896 (0x12345678).

Because sizeof(char) is 1, this will cause 305,419,896 bytes (over 291 megabytes) to be allocated for the string.
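The mitigation text above calls for validating any value that influences an allocation and for a configurable upper limit. The following added example (not part of the CWE entry) shows the C snippet above rewritten that way: the untrusted size is checked for multiplication overflow and against an administrator-settable byte limit before malloc() is called, and a rejected request is reported rather than served. The limit value, the function names and the error strings are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical default limit (1 MiB); a real program would read it from
 * configuration so an administrator can raise it when legitimately needed. */
static size_t g_max_alloc_bytes = (size_t)1 << 20;

void set_max_alloc_bytes(size_t limit) { g_max_alloc_bytes = limit; }

/* Allocate `count` elements of `elem_size` bytes only if the request is
 * within the configured limit. On rejection returns NULL and points *err
 * at a short reason; on success the buffer is zero-filled. */
char *alloc_checked(unsigned int count, size_t elem_size, const char **err)
{
    *err = NULL;
    if (count == 0 || elem_size == 0) {
        *err = "zero-length request";
        return NULL;
    }
    /* Guard the multiplication itself (CWE-190) before using its result. */
    if ((size_t)count > SIZE_MAX / elem_size) {
        *err = "size computation overflows";
        return NULL;
    }
    size_t total = (size_t)count * elem_size;
    /* The actual CWE-789 check: refuse requests above the policy limit. */
    if (total > g_max_alloc_bytes) {
        *err = "request exceeds configured memory limit";
        return NULL;
    }
    char *buf = malloc(total);
    if (buf == NULL) {
        *err = "allocation failed";
        return NULL;
    }
    memset(buf, 0, total);
    return buf;
}

/* Convenience wrapper: 1 if a string of `size` chars would be granted. */
int string_request_accepted(unsigned int size)
{
    const char *err;
    char *p = alloc_checked(size, sizeof(char), &err);
    if (p == NULL) return 0;
    free(p);
    return 1;
}

int main(void)
{
    const char *err;
    /* Same value as in the vulnerable example: 0x12345678 bytes. */
    char *p = alloc_checked(305419896u, sizeof(char), &err);
    printf("large request: %s\n", p ? "accepted" : err);
    free(p);
    return 0;
}
```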

Consider the following code, which accepts an untrusted size value and uses the size as an initial capacity for a HashMap.

Example language: Java (bad code)

int size = GetUntrustedInt();
/* size is passed straight through as the initial capacity */
HashMap<String, String> list = new HashMap<>(size);

The HashMap constructor will verify that the initial capacity is not negative, however there is no check in place to verify that sufficient memory is present. If the attacker provides a large enough value, the application will run into an OutOfMemoryError.

The following code obtains an untrusted number that is used as an index into an array of messages.

Example language: Perl (bad code)

my $num = GetUntrustedNumber();
my @messages = ();

$messages[$num] = "Hello World";

The index is not validated at all (CWE-129), so it might be possible for an attacker to modify an element in @messages that was not intended. If an index is used that is larger than the current size of the array, the Perl interpreter automatically expands the array so that the large index works.

If $num is a large value such as 2147483648 (1<<31), then the assignment to $messages[$num] would attempt to create a very large array, then eventually produce an error message such as:

Out of memory during array extend

This memory exhaustion will cause the Perl program to exit, possibly a denial of service. In addition, the lack of memory could also prevent many other programs from successfully running on the system.

Observed Examples

Reference | Description | Link
CVE-2008-1708 | memory consumption and daemon exit by specifying a large value in a length field | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1708
CVE-2008-0977 | large value in a length field leads to memory consumption and crash when no more memory is available | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0977
CVE-2006-3791 | large key size in game program triggers crash when a resizing function cannot allocate enough memory | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3791
CVE-2004-2589 | large Content-Length HTTP header value triggers application crash in instant messaging application due to failure in memory allocation | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2589

Notes

Relationship: This weakness can be closely associated with integer overflows (CWE-190). Integer overflow attacks would concentrate on providing an extremely large number that triggers an overflow that causes less memory to be allocated than expected. By providing a large value that does not trigger an integer overflow, the attacker could still cause excessive amounts of memory to be allocated.

Applicable Platform:

Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
WASC | 35 | | SOAP Array Abuse
CERT C Secure Coding | MEM35-C | Imprecise | Allocate sufficient memory for an object
SEI CERT Perl Coding Standard | IDS32-PL | Imprecise | Validate any integer that is used as an array index
OMG ASCSM | ASCSM-CWE-789 | |

References