The way I understand it, it is a bug in C implementation of free() that causes it to do something weird when you call it twice on the same memory. Maybe In Rust you can never call free twice, so you would never come across this bug. But, also Rust probably doesn’t have the same bug.
My point is it seems it is a bug in the underlying implementation of free(), not to be caught by the compiler, and can’t Rust have such errors no matter its superior design?
The way that rust attempts to prevent this class of error is not by making an implementation of free that is safe to call twice, but by making the compiler refuse to compile programs where free could be called twice on a pointer.
Anyway, use after free doesn’t depend on a double free. It just means that the program frees memory but keeps the pointer (which now points at memory that could contain unrelated data at some future point in time) and if someone trying to exploit the program finds a way to induce the program to read or write to that memory they may be able to access data they are not expected to, or write data to be used by a different part of the program that they shouldn’t be able to
Thanks, I understand the problem with using memory after it’s been freed and possibly access it changed by another part of the process. I guess I was confused by the double free explanation I read, which didn’t really say how it could be exploited, but I think you are right it still needs to be accessed later by the original program, which would not happen in Rust.
Not really, the issue is that C/C++ is not memory safe, i.e. it allows you to access memory that has already been freed. Consider the following C++ code:
That will print 10, but the memory where data was defined has been freed, and is no longer in control of the program. Meaning that if something else allocated that memory they can control what my program does.
Consider that on that example above later in the program we do:
user.access_level = *ptr;
If someone manages to get control of that memory between when we freed it and we used it they can make the access_level of the user be whatever they want.
This is a problem with C/C++ allowing you to access memory that has been freed, which is why C/C++ programmers need to be extra careful.
The way I understand it, it is a bug in C implementation of free() that causes it to do something weird when you call it twice on the same memory. Maybe In Rust you can never call free twice, so you would never come across this bug. But, also Rust probably doesn’t have the same bug.
My point is it seems it is a bug in the underlying implementation of free(), not to be caught by the compiler, and can’t Rust have such errors no matter its superior design?
The way that rust attempts to prevent this class of error is not by making an implementation of free that is safe to call twice, but by making the compiler refuse to compile programs where free could be called twice on a pointer.
Anyway, use after free doesn’t depend on a double free. It just means that the program frees memory but keeps the pointer (which now points at memory that could contain unrelated data at some future point in time) and if someone trying to exploit the program finds a way to induce the program to read or write to that memory they may be able to access data they are not expected to, or write data to be used by a different part of the program that they shouldn’t be able to
Thanks, I understand the problem with using memory after it’s been freed and possibly access it changed by another part of the process. I guess I was confused by the double free explanation I read, which didn’t really say how it could be exploited, but I think you are right it still needs to be accessed later by the original program, which would not happen in Rust.
Not really, the issue is that C/C++ is not memory safe, i.e. it allows you to access memory that has already been freed. Consider the following C++ code:
int* wrong() { int data = 10; return &data; }If you try to use it it looks correct:
int* ptr = wrong(); std::cout << *ptr << std::endl;That will print
10, but the memory where data was defined has been freed, and is no longer in control of the program. Meaning that if something else allocated that memory they can control what my program does.Consider that on that example above later in the program we do:
If someone manages to get control of that memory between when we freed it and we used it they can make the access_level of the user be whatever they want.
This is a problem with C/C++ allowing you to access memory that has been freed, which is why C/C++ programmers need to be extra careful.
Thank you, that is very clear.