...

This behavior is more informally referred to as unsigned integer wrapping. Unsigned integer operations can wrap if the resulting value cannot be represented by the underlying representation of the integer. The following table indicates which operators can result in wrapping:

...

Addition is between two operands of arithmetic type or between a pointer to an object type and an integer type (see ARR37-C. Do not add or subtract an integer to a pointer to a non-array object and ARR38-C. Do not add or subtract an integer to a pointer if the resulting value does not refer to an element within the array for rules about adding a pointer to an integer). Incrementing is equivalent to adding one.

...

This code may result in an unsigned integer wrap during the addition of the unsigned operands ui1 and ui2. If this behavior is unexpected, the resulting value may be used to allocate insufficient memory for a subsequent operation or in some other manner that could lead to an exploitable vulnerability.

...

This compliant solution tests the suspect addition operation to guarantee there is no possibility of unsigned wrap.

Code Block
bgColor#ccccff
unsigned int ui1, ui2, sum;

if (UINT_MAX - ui1 < ui2) {
  /* handle error condition */
}
sum = ui1 + ui2;

...

Subtraction is between two operands of arithmetic type, two pointers to qualified or unqualified versions of compatible object types, or between a pointer to an object type and an integer type. See ARR36-C. Do not subtract or compare two pointers that do not refer to the same array, ARR37-C. Do not add or subtract an integer to a pointer to a non-array object, and ARR38-C. Do not add or subtract an integer to a pointer if the resulting value does not refer to an element within the array for rules about pointer subtraction. Decrementing is equivalent to subtracting one.

...

This code may result in an unsigned integer wrap during the subtraction of the unsigned operands ui1 and ui2. If this behavior is unanticipated, it may lead to an exploitable vulnerability.

...

This compliant solution tests the suspect unsigned subtraction operation to guarantee there is no possibility of unsigned wrap.

Code Block
bgColor#ccccff
unsigned int ui1, ui2, result;

if (ui1 < ui2){
   /* handle error condition */
}

result = ui1 - ui2;

...

The Mozilla Scalable Vector Graphics (SVG) viewer contains a heap buffer overflow vulnerability resulting from an unsigned integer wrap during the multiplication of the signed int value pen->num_vertices and the size_t value sizeof(cairo_pen_vertex_t) [VU#551436]. The signed int operand is converted to unsigned int prior to the multiplication operation (see INT02-A. Understand integer conversion rules).

Code Block
bgColor#FFcccc
pen->num_vertices = _cairo_pen_vertices_needed(gstate->tolerance, radius, &gstate->ctm);
pen->vertices = malloc(pen->num_vertices * sizeof(cairo_pen_vertex_t));

The unsigned integer wrap can result in allocating memory of insufficient size.

...

This compliant solution tests the suspect multiplication operation to guarantee that there is no unsigned integer wrap.

Code Block
bgColor#ccccff
pen->num_vertices = _cairo_pen_vertices_needed(gstate->tolerance, radius, &gstate->ctm);

if (pen->num_vertices > SIZE_MAX/sizeof(cairo_pen_vertex_t)) {
   /* handle error condition */
}
pen->vertices = malloc(pen->num_vertices * sizeof(cairo_pen_vertex_t));

...

This code can result in an unsigned wrap during the shift operation of the unsigned operands ui1 and ui2. If this behavior is unanticipated, the resulting value may be used to allocate insufficient memory for a subsequent operation or in some other manner that could lead to an exploitable vulnerability.

...

This compliant solution tests the suspect shift operation to guarantee there is no possibility of unsigned wrap. This solution must also be compliant with INT36-C. Do not shift a negative number of bits or more bits than exist in the operand.
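
The shift test described above, written out as an added example (not code from the original page). The names checked_shl, unchecked_shl and alloc_pow2_elems are hypothetical; the last helper applies the same test to a size_t allocation size.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical helper: the plain shift, kept to show the wrapped result.
 * The caller must pass ui2 smaller than the width of unsigned int. */
static unsigned int unchecked_shl(unsigned int ui1, unsigned int ui2) {
  return ui1 << ui2;              /* high-order bits are silently discarded */
}

/* Hypothetical helper: left shift that fails instead of wrapping.
 * The first test also keeps the shift count in range, as INT36-C requires. */
static bool checked_shl(unsigned int ui1, unsigned int ui2, unsigned int *out) {
  if (ui2 >= sizeof(unsigned int) * CHAR_BIT) {
    return false;                 /* shift count >= width: undefined behavior */
  }
  if (ui1 > (UINT_MAX >> ui2)) {
    return false;                 /* set bits would be shifted out: wrap */
  }
  *out = ui1 << ui2;
  return true;
}

/* Hypothetical helper: allocate count elements of (1 << log2_size) bytes
 * each, returning NULL for any request whose byte count would wrap.
 * A zero count is treated as an error (a design choice of this example). */
static void *alloc_pow2_elems(size_t count, unsigned int log2_size) {
  if (log2_size >= sizeof(size_t) * CHAR_BIT) {
    return NULL;
  }
  if (count == 0 || count > (SIZE_MAX >> log2_size)) {
    return NULL;
  }
  return malloc(count << log2_size);
}

int main(void) {
  unsigned int r = 0;
  unsigned int top_bit = UINT_MAX / 2u + 1u;   /* only the high bit set */
  /* The unchecked shift wraps to 0; the checked one rejects the operands. */
  bool ok = unchecked_shl(top_bit, 1u) == 0u && !checked_shl(top_bit, 1u, &r);
  return ok ? EXIT_SUCCESS : EXIT_FAILURE;
}
```
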

...

INT32-EX1. Unsigned integers can exhibit modulo behavior only when this behavior is necessary for the proper execution of the program. It is recommended that the variable declaration be clearly commented as supporting modulo behavior and that each operation on that integer also be clearly commented as supporting modulo behavior.

Risk Assessment

Integer wrap can lead to buffer overflows and the execution of arbitrary code by an attacker.

...

A Linux kernel vmsplice exploit, described at http://www.avertlabs.com/research/blog/index.php/2008/02/13/analyzing-the-linux-kernel-vmsplice-exploit/, documents a vulnerability and exploit arising directly out of unsigned integer wrapping.

References

[Dowd 06] Chapter 6, "C Language Issues" (Arithmetic Boundary Conditions, pp. 211-223)
[ISO/IEC 9899-1999] Section 6.2.5, "Types," Section 6.5, "Expressions," and Section 7.10, "Sizes of integer types <limits.h>"
[ISO/IEC PDTR 24772] "XYY Wrap-around Error"
[Seacord 05] Chapter 5, "Integers"
[Viega 05] Section 5.2.7, "Integer overflow"
[VU#551436]
[Warren 02] Chapter 2, "Basics"

...