Unsigned to signed conversion error
From OWASP
This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.
Overview
An unsigned-to-signed conversion error takes place when a large unsigned primitive is used as an signed value - usually as a size variable.
Consequences
- Availability: Incorrect sign conversions generally lead to undefined behavior, and therefore crashes.
- Integrity: If a poor cast lead to a buffer underwrite, data integrity may be affected.
- Access control (instruction processing): Improper unsigned-to-signed conversions, often create buffer underwrite conditions which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy.
Exposure period
- Requirements specification: The choice could be made to use a language that is not susceptible to these issues.
- Design: Accessor functions may be designed to mitigate some of these logical issues.
- Implementation: Many logic errors can lead to this condition. It can be exacerbated by lack of or misuse of mitigating technologies.
Platform
- Languages: C, C++, Fortran, Assembly
- Operating platforms: All
Required resources
Any
Severity
High
Likelihood of exploit
Low to Medium
Avoidance and mitigation
- Requirements specification: The choice could be made to use a language that is not susceptible to these issues.
- Design: Ensure that interacting functions retain the same types and that only safe type casts must occur. If possible, use intelligent marshalling routines to translate between objects.
- Implementation: Use out-of-data band channels for transmitting error messages if unsigned size values must be transmitted. Check all errors.
- Build: Pay attention to compiler warnings which may alert you to improper type casting.
Discussion
Although less frequent an issue than signed-to-unsigned casting, unsigned-to-signed casting can be the perfect precursor to dangerous buffer underwrite conditions that allow attackers to move down the stack where they otherwise might not have access in a normal buffer overflow condition.
Buffer underwrites occur frequently when large unsigned values are cast to signed values, and then used as indexes into a buffer or for pointer arithmetic.
Examples
While not exploitable, the following program is an excellent example of how implicit casts, while not changing the value stored, significantly changes its use:
#include <stdio.h>
int main() {
int value;
value = (int)(~((int)0) ^ (1 << (sizeof(int)*8)));
printf("Max unsigned int: %u %1$x\nNow signed: %1$d %1$x\n",
value);
return (0);
}
The above code produces the following output:
Max unsigned int: 4294967295 ffffffff Now signed: -1 ffffffff
Note how the hex value remains unchanged.
