Structure: Simple
Abstraction: Variant
Status: Draft
Likelihood of Exploit: Low
The product allocates memory based on an untrusted size value, but it does not validate or incorrectly validates the size, allowing arbitrary amounts of memory to be allocated.
Nature | CWE ID | View ID | Ordinal |
---|---|---|---|
ChildOf | 770 | 1000 | Primary |
ChildOf | 770 | 699 | Primary |
CanPrecede | 476 | 1000 | |
Languages: C (Prevalence: Undetermined); C++ (Prevalence: Undetermined); Class: Language-Independent (Prevalence: Undetermined)
Scope | Impact | Note |
---|---|---|
Availability | DoS: Resource Consumption (Memory) | Not controlling memory allocation can result in a request for too much system memory, possibly leading to a crash of the application due to out-of-memory conditions, or the consumption of a large amount of memory on the system. |
Strategy:
Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.
Strategy:
Run your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.
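The second strategy can be exercised from inside the process as well as from the shell. The following is an added example, not code from the CWE entry or from MITRE; it assumes a Linux/POSIX `setrlimit` that enforces `RLIMIT_AS`, and the 256 MiB cap (`ADDRESS_SPACE_CAP`) is a hypothetical value chosen for illustration. It lowers the process's own address-space limit and then issues an allocation of the size an attacker might request, so the allocator refuses the request instead of the whole host running out of memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>

/* Hypothetical cap on this process's address space: 256 MiB. The figure is
 * illustrative; a real deployment sizes it from the program's working set. */
#define ADDRESS_SPACE_CAP (256UL * 1024UL * 1024UL)

/* Lower the RLIMIT_AS soft limit to the cap. The soft limit may never exceed
 * the hard limit (setrlimit refuses that), so the cap is clipped to it.
 * Returns 0 on success, -1 if the platform rejects the call. */
int apply_memory_cap(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_AS, &rl) != 0)
        return -1;
    rlim_t cap = ADDRESS_SPACE_CAP;
    if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max < cap)
        cap = rl.rlim_max;
    if (rl.rlim_cur == RLIM_INFINITY || rl.rlim_cur > cap)
        rl.rlim_cur = cap;
    return setrlimit(RLIMIT_AS, &rl) == 0 ? 0 : -1;
}

/* Reproduce the weakness under the cap: pass an unvalidated, attacker-sized
 * value (1 GiB, constructed for this example) straight to malloc.
 * Returns 1 if the kernel refused the growth and malloc returned NULL,
 * 0 if the allocation succeeded anyway (limit not enforced on this platform),
 * -1 if the cap could not be set at all. */
int huge_alloc_is_refused(void)
{
    if (apply_memory_cap() != 0)
        return -1;
    size_t untrusted_size = 1024UL * 1024UL * 1024UL;  /* constructed attacker value */
    void *p = malloc(untrusted_size);
    if (p == NULL)
        return 1;            /* the program can report an error and carry on */
    free(p);
    return 0;
}

int main(void)
{
    int r = huge_alloc_is_refused();
    if (r == 1)
        puts("1 GiB request refused under the address-space cap; process still running");
    else if (r == 0)
        puts("allocation succeeded: RLIMIT_AS is not enforced here");
    else
        puts("could not set RLIMIT_AS on this platform");
    return 0;
}
```

The same limit can be imposed without modifying the program, for example with `ulimit -v` in a POSIX shell before launching it or through the service manager's resource controls; the in-process form is useful when the program wants to fail a single request gracefully (`malloc` returning `NULL`) rather than be killed outright.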
Consider the following code, which accepts an untrusted size value and allocates a buffer to contain a string of the given size.
Bad code example (C):
Suppose an attacker provides a size value of 305,419,896. This will cause 305,419,896 bytes (over 291 megabytes) to be allocated for the string.
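To make the C case concrete, and to show the first mitigation strategy (validate every value that influences the allocation size), here is an added example written for this page; it is not the CWE entry's own code. The cap `MAX_STRING_BYTES` and the helper names are assumptions chosen for illustration, and the input strings in `main` are constructed stand-ins for values read from a peer.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical application policy: the largest string this program ever needs
 * to hold. A real build derives it from the protocol and may expose it as an
 * administrator setting, as the mitigation above suggests. */
#define MAX_STRING_BYTES (64UL * 1024UL)

/* Vulnerable pattern: the untrusted size reaches the allocator untouched, so a
 * value of 305419896 asks for 305,419,896 bytes (plus one for the NUL). */
char *alloc_string_unchecked(size_t size)
{
    char *buf = malloc(size + 1);
    if (buf != NULL)
        buf[0] = '\0';
    return buf;
}

/* Hardened form: bound the value before the allocator sees it. Because the cap
 * is far below SIZE_MAX, the same test also keeps `size + 1` from wrapping to
 * zero, which is the integer-overflow (CWE-190) variant of this weakness. */
char *alloc_string_checked(size_t size)
{
    if (size == 0 || size > MAX_STRING_BYTES)
        return NULL;         /* rejected; the caller reports a protocol error */
    char *buf = malloc(size + 1);
    if (buf != NULL)
        buf[0] = '\0';
    return buf;
}

/* Parse a size from an untrusted decimal string. Returns 0 and stores the
 * value on success; returns -1 for empty input, leading whitespace or a sign
 * (strtoull would silently wrap "-5" to a huge number), trailing junk, or a
 * value that does not fit in size_t. */
int parse_size(const char *text, size_t *out)
{
    if (text == NULL || !isdigit((unsigned char)text[0]))
        return -1;
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(text, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > SIZE_MAX)
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Parse and allocate in one step under the checked policy.
 * Returns NULL when the request is rejected at either stage. */
char *alloc_string_from_untrusted(const char *text)
{
    size_t size;
    if (parse_size(text, &size) != 0)
        return NULL;
    return alloc_string_checked(size);
}

int main(void)
{
    /* Constructed inputs standing in for length fields received from a peer. */
    const char *inputs[] = { "12", "305419896", "-5", "99999999999999999999", "12x" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char *s = alloc_string_from_untrusted(inputs[i]);
        printf("%-22s -> %s\n", inputs[i], s ? "allocated" : "rejected");
        free(s);
    }
    return 0;
}
```

The parsing step matters as much as the cap: a length field that arrives as text must be converted with overflow and sign checks, otherwise a negative or oversized string can turn into an enormous unsigned value before the cap is ever consulted.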
Consider the following code, which accepts an untrusted size value and uses the size as an initial capacity for a HashMap.
Bad code example (Java):
The HashMap constructor verifies that the initial capacity is not negative; however, there is no check that sufficient memory is present. If the attacker provides a large enough value, the application will run into an OutOfMemoryError.
The following code obtains an untrusted number that is used as an index into an array of messages.
Bad code example (Perl):
The index is not validated at all (CWE-129), so it might be possible for an attacker to modify an element in @messages that was not intended. If an index is used that is larger than the current size of the array, the Perl interpreter automatically expands the array so that the large index works.
If $num is a large value such as 2147483648 (1<<31), then the assignment to $messages[$num] would attempt to create a very large array, then eventually produce an error message such as:
Out of memory during array extend
This memory exhaustion will cause the Perl program to exit, possibly resulting in a denial of service. In addition, the lack of memory could also prevent many other programs from running successfully on the system.
Reference | Description | Link |
---|---|---|
CVE-2008-1708 | memory consumption and daemon exit by specifying a large value in a length field | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1708 |
CVE-2008-0977 | large value in a length field leads to memory consumption and crash when no more memory is available | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0977 |
CVE-2006-3791 | large key size in game program triggers crash when a resizing function cannot allocate enough memory | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3791 |
CVE-2004-2589 | large Content-Length HTTP header value triggers application crash in instant messaging application due to failure in memory allocation | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2589 |
Relationship: This weakness can be closely associated with integer overflows (CWE-190). Integer overflow attacks would concentrate on providing an extremely large number that triggers an overflow that causes less memory to be allocated than expected. By providing a large value that does not trigger an integer overflow, the attacker could still cause excessive amounts of memory to be allocated.
Applicable Platform:
Mapped Taxonomy Name | Mapped Node ID | Fit | Mapped Node Name |
---|---|---|---|
WASC | 35 | | SOAP Array Abuse |
CERT C Secure Coding | MEM35-C | Imprecise | Allocate sufficient memory for an object |
SEI CERT Perl Coding Standard | IDS32-PL | Imprecise | Validate any integer that is used as an array index |
OMG ASCSM | ASCSM-CWE-789 | | |