Bitwise shifts include left-shift operations of the form shift-expression <<
additive-expression and right-shift operations of the form shift-expression >>
additive-expression. The integer promotions are performed on the operands, each of which has an integer type. The type of the result is that of the promoted left operand. If the value of the right operand is negative or is greater than or equal to the width of the promoted left operand, the behavior is undefined. See also undefined behavior 51 in Annex J of the C Standard.
In almost every case, an attempt to shift by a negative number of bits or by more bits than exist in the operand indicates a bug (logic error). This is different from overflow, where there is simply a representational deficiency. (See INT32-C. Ensure that operations on signed integers do not result in overflow.)
Noncompliant Code Example (Left Shift, Signed Type)
The result of E1 << E2
is E1
left-shifted E2
bit positions; vacated bits are filled with zeros. If E1
has a signed type and nonnegative value and E1
* 2
E2
is representable in the result type, then that is the resulting value; otherwise, the behavior is undefined.
This noncompliant code example can result in undefined behavior because there is no check to ensure that left and right operands have nonnegative values and that the right operand is less than or equal to the width of the promoted left operand.
int si1; int si2; int sresult; /* Initialize si1 and si2 */ sresult = si1 << si2;
Shift operators and other bitwise operators should be used only with unsigned integer operands in accordance with INT13-C. Use bitwise operators only on unsigned operands.
Noncompliant Code Example (Left Shift, Unsigned Type)
The result of E1 << E2
is E1
left-shifted E2
bit positions; vacated bits are filled with zeros. According to the C Standard, if E1
has an unsigned type, the value of the result is E1
* 2
E2
, reduced modulo one more than the maximum value representable in the result type.
This noncompliant code example can result in undefined behavior because there is no check to ensure that the right operand is less than or equal to the width of the promoted left operand.
unsigned int ui1; unsigned int ui2; unsigned int uresult; /* Initialize ui1 and ui2 */ uresult = ui1 << ui2;
Compliant Solution (Left Shift, Unsigned Type)
This compliant solution eliminates the possibility of undefined behavior resulting from a left-shift operation on unsigned integers.
unsigned int ui1; unsigned int ui2; unsigned int uresult; /* Initialize ui1 and ui2 */ if (ui2 >= sizeof(unsigned int)*CHAR_BIT) { /* handle error condition */ } else { uresult = ui1 << ui2; }
Modulo behavior resulting from left-shifting an unsigned integer type is permitted by this standard.
Noncompliant Code Example (Right Shift)
The result of E1 >> E2
is E1
right-shifted E2
bit positions. If E1
has an unsigned type or if E1
has a signed type and a nonnegative value, the value of the result is the integral part of the quotient of E1
/ 2
E2
. If E1
has a signed type and a negative value, the resulting value is implementation-defined and can be either an arithmetic (signed) shift:
or a logical (unsigned) shift:
This noncompliant code example fails to test whether the right operand is greater than or equal to the width of the promoted left operand, allowing undefined behavior.
unsigned int ui1; unsigned int ui2; unsigned int uresult; /* Initialize ui1 and ui2 */ uresult = ui1 >> ui2;
Making assumptions about whether a right shift is implemented as an arithmetic (signed) shift or a logical (unsigned) shift can also lead to vulnerabilities. See INT13-C. Use bitwise operators only on unsigned operands.
Compliant Solution (Right Shift)
This compliant solution tests the suspect shift operations to guarantee there is no possibility of undefined behavior.
unsigned int ui1; unsigned int ui2; unsigned int uresult; /* Initialize ui1 and ui2 */ if (ui2 >= sizeof(unsigned int) * CHAR_BIT) { /* handle error condition */ } else { uresult = ui1 >> ui2; }
Implementation Details
GCC has no options to handle shifts by negative amounts or by amounts outside the width of the type predictably or trap on them; they are always treated as undefined. Processors may reduce the shift amount modulo the width of the type. For example, 32-bit shifts are implemented using the following instructions on IA-32:
sa[rl]l %cl, %eax
The sa[rl]l
instructions take a bit mask of the least significant 5 bits from %cl
to produce a value in the range [0, 31] and then shift %eax
that many bits.
64 bit shifts become sh[rl]dl %eax, %edx sa[rl]l %cl, %eax
where %eax
stores the least significant bits in the doubleword to be shifted, and %edx
stores the most significant bits.
Risk Assessment
Although shifting a negative number of bits or more bits than exist in the operand is undefined behavior in C, the risk is generally low because processors frequently reduce the shift amount modulo the width of the type.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
INT34-C | low | unlikely | medium | P2 | L3 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
Compass/ROSE |
|
| Can detect violations of this rule. Unsigned operands are detected when checking for INT13-C. Use bitwise operators only on unsigned operands. |
ECLAIR | 1.2 | shiftrhs | Partially implemented. |
Fortify SCA | 5.0 |
| Can detect violations of this rule with CERT C Rule Pack. |
9.7.1 | 403 S | Partially implemented. | |
PRQA QA-C | Unable to render {include} The included page could not be found. | 0499 | Partially implemented. |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C++ Secure Coding Standard | INT34-CPP. Do not shift a negative number of bits or more bits than exist in the operand |
---|---|
ISO/IEC TR 24772 | Wrap-around error [XYY] |
Bibliography
[Dowd 2006] | Chapter 6, "C Language Issues" |
---|---|
[ISO/IEC 2003] | Section 6.5.7, "Bitwise Shift Operators" |
[Seacord 2005a] | Chapter 5, "Integers" |
[Viega 2005] | Section 5.2.7, "Integer Overflow" |
A test program for this rule is available at www.securecoding.cert.org.