Use-After-Free Detection
Detection Workflow
- Identify free operations: Find all free(), realloc(), delete calls and note the pointer being freed
- Trace pointer usage: Use
xrefs_toto find all dereferences of the pointer - Check control flow: Analyze paths through code to identify usage after free
- Assess exploitability: Can attacker control freed memory? Is there a useful use-after-free? Can memory be reallocated?
Key Patterns
- Pointer dereference after free()
- Double free vulnerabilities
- Invalid pointer access after realloc()
- Reference counting issues
Output Format
Report with: id, type, subtype, severity, confidence, location, freed pointer, free operation, use operation, use-after-free status, distance, exploitability, attack scenario, impact, mitigation.
Severity Guidelines
- CRITICAL: Use-after-free with code execution
- HIGH: Use-after-free with data corruption
- MEDIUM: Use-after-free causing crashes
- LOW: Use-after-free with limited impact
See Also
patterns.md- Detailed detection patterns and exploitation scenariosexamples.md- Example analysis cases and code samplesreferences.md- CWE references and mitigation strategies
微信扫一扫