Potentially exploitable undefined behavior can result from any of the following:
...
UB | Description | Example Code |
---|---|---|
Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that does not point into, or just beyond, the same array object. | ARR30-C. Do not form or use out of bounds pointers or array subscripts | |
Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that points just beyond the array object and is used as the operand of a unary | ARR30-C. Do not form or use out of bounds pointers or array subscripts, ARR30-C. Do not form or use out of bounds pointers or array subscripts | |
An array subscript is out of range, even if an object is apparently accessible with the given subscript (as in the lvalue expression | ARR30-C. Do not form or use out of bounds pointers or array subscripts | |
An attempt is made to access, or generate a pointer to just past, a flexible array member of a structure when the referenced object provides no elements for that array. | ARR30-C. Do not form or use out of bounds pointers or array subscripts | |
The pointer passed to a library function array parameter does not have a value such that all address computations and object accesses are valid. |
...
In the following noncompliant code example the function f()
attempts to validate the index
before using it as an offset to the statically allocated table
of integers. However, the function fails to reject negative index
values. When index
is less than zero, the behavior of the addition expression in the return statement of the function is undefined 46. On some implementations, the addition alone can trigger a hardware trap. On other implementations, the addition may produce a result that when dereferenced can trigger a hardware trap. Other implementations still may produce a dereferenceable pointer that points to an object distinct from table
. Using such a pointer to access the object may lead to information exposure or cause the wrong object to be modified.
...
The following noncompliant code example shows the flawed logic in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface that was exploited by the W32.Blaster.Worm. The error is that the while loop in the GetMachineName()
function (used to extract the host name from a longer string) is not sufficiently bounded. When the character array pointed to by pwszTemp
does not contain the backslash character among the first MAX_COMPUTERNAME_LENGTH_FQDN + 1
elements, the final valid iteration of the loop will dereference past the end pointer, resulting in exploitable undefined behavior 47. In this case, the actual exploit allowed the attacker to inject executable code into a running program. Economic damage from the Blaster worm has been estimated to be at least $525 million [Pethia 2003].
For a discussion of this programming error in the Common Weakness Enumeration database, see CWE-119, "Failure to constrain operations within the bounds of a memory buffer," and CWE-121, "Stack-based buffer overflow."
...
The following noncompliant code example declares matrix
to consist of 7 rows and 5 columns in row-major order. The function init_matrix
then iterates over all 35 elements in an attempt to initialize each to the value given by the function argument x
. However, since multidimensional arrays are declared in C in row-major order, and the function iterates over the elements in column-major order, and when the value of j
reaches the value COLS
during the first iteration of the outer loop, the function attempts to access element matrix[0][5]
. Because the type of matrix
is int[7][5]
, the j
subscript is out of range, and the access has undefined behavior 49.
Code Block | ||||
---|---|---|---|---|
| ||||
static const size_t COLS = 5; static const size_t ROWS = 7; static int matrix[ROWS][COLS]; void init_matrix(int x) { for (size_t i = 0; i != COLS; ++i) for (size_t j = 0; j != ROWS; ++j) matrix[i][j] = x; } |
...
In the following noncompliant code example the function find()
attempts to iterate over the elements of the flexible array member buf
, starting with the second element. However, since function g()
does not allocate any storage for the member, the expression first++
in find()
attempts to form a pointer just past the end of buf
when there are no elements. This attempt results in undefined behavior 62.
Code Block | ||||
---|---|---|---|---|
| ||||
struct S { size_t len; char buf[]; /* flexible array member */ }; char* find(const struct S *s, int c) { char *first = s->buf; char *last = s->buf + s->len; while (first++ != last) /* undefined behavior here */ if (*first == (unsigned char)c) return first; return NULL; } void g() { struct S *s = (struct S*)malloc(sizeof (struct S)); s->len = 0; /* ... */ char *where = find(s, '.'); /* ... */ } |
...
In the following noncompliant code example, the function f()
calls fread()
to read nitems
of type wchar_t
, each size
bytes in size, into an array of BUFSIZ
elements, wbuf
. However, the expression used to compute the value of nitems
fails to account for the fact that, unlike the size of char
, the size of wchar_t
may be greater than 1. Thus, fread()
could attempt to form pointers past the end of wbuf
and use them to assign values to nonexisting elements of the array. Such an attempt results in undefined behavior 109. A likely manifestation of this undefined behavior is a classic buffer overflow, which is often exploitable by code injection attacks.
...
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
| ARRAY_VS_SINGLETON | Can detect the access of memory past the end of a memory buffer/array. | |||||||
| NEGATIVE_RETURNS | Can detect when the loop bound may become negative. | |||||||
| OVERRUN_STATIC | Can detect the out-of-bound read/write to array allocated statically or dynamically. | |||||||
| ABV.ITERATOR SV.TAINTED.LOOP_BOUND | ||||||||
Compass/ROSE | Could be configured to catch violations of this rule. The way to catch the noncompliant code example is to first hunt for example code that follows this pattern: for (LPWSTR pwszTemp = pwszPath + 2; *pwszTemp != L'\\'; In particular, the iteration variable is a pointer, it gets incremented, and the loop condition does not set an upper bound on the pointer. Once this case is handled, we can handle cases like the real noncompliant code example, which is effectively the same semantics, just different syntax. | ||||||||
LDRA tool suite |
| 47 S | Partially implemented. | ||||||
PRQA QA-C |
| 3680 3681 3682 3683 3685 [U] 3686 3688 3689 [U] 3690 3692 | Partially implemented |
Related Vulnerabilities
...
ISO/IEC TR 17961 (Draft) Forming or using out-of-bounds pointers or array subscripts [invptr]
ISO/IEC TR 24772 "XYX Boundary beginning violation," "XYY Wrap-around error," and "XYZ Unchecked array indexing"
...
MITRE CWE: CWE-805, "Buffer access with incorrect length value"
Bibliography
[Finlay 2003]
[Microsoft 2003]
[Pethia 2003]
[Seacord 2005a] Chapter 1, "Running with Scissors"
[Viega 2005] Section 5.2.13, "Unchecked array indexing"
[xorl 2009 ] "CVE-2008-1517: Apple Mac OS X (XNU) Missing Array Index Validation"
...