Difference between revisions of "Integer Overflows/Underflows"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
 
{{Template:Attack}}
 
{{Template:Attack}}
 
{{Template:Stub}}
 
  
 
==Description==
 
==Description==
  
This article should cover attacks on integer overflow and underflow vulnerabilities.
+
Integer overflow belongs to a logic errors family. It occurs when given range of int (integer)
 +
type numbers is overflowed due to arithmetic operations. Generally there are only two operations,
 +
which causes these kind of errors - addition and multiplication.
  
 
==Examples ==
 
==Examples ==
 +
 +
Example 1 (add)
 +
<pre>
 +
rezos@bezel ~/labs/integer $ cat add.c
 +
#include <stdio.h>
 +
#include <limits.h>
 +
 +
int main(void)
 +
{
 +
int a;
 +
 +
//  a=2147483647;
 +
a=INT_MAX;
 +
 +
printf("int a (INT_MAX) = %d (0x%x), int a (INT_MAX) + 1 = %d (0x%x)\n", a,a,a+1,a+1);
 +
 +
return 0;
 +
}
 +
 +
rezos@bezel ~/labs/integer $ ./add
 +
int a (INT_MAX) = 2147483647 (0x7fffffff), int a (INT_MAX) + 1 = -2147483648 (0x80000000)
 +
</pre>
 +
By adding 1 to the biggest possible signed (+ or -) integer value we overwrite the sign bit.
 +
In short, by adding two positive numbers we get one big negative number.
 +
 +
 +
Example 2 (multiplication)
 +
<pre>
 +
rezos@bezel ~/labs/integer $ cat multiplication.c
 +
#include <stdio.h>
 +
#include <stdlib.h>
 +
#include <unistd.h>
 +
#include <string.h>
 +
 +
int main(int argc, char **argv)
 +
{
 +
int i, j, z=0x00000001;
 +
char *tab;
 +
 +
if(argc<2) _exit(1);
 +
 +
i=atoi(argv[1]);
 +
 +
if(i>0) {
 +
  tab = malloc(i * sizeof(char *));
 +
  if(tab == NULL) _exit(2);
 +
}
 +
 +
for(j=0; j<i; j++)
 +
  tab[j]=z++;
 +
 +
for(j=0; j<i; j++)
 +
  printf("tab[j]=0x%x\n", tab[j]);
 +
 +
return 0;
 +
}
 +
 +
rezos@bezel ~/labs/integer $ ./multiplication 1073741824
 +
Segmentation fault
 +
</pre>
 +
The program should write "z" value into the array of pointers and then print it out.
 +
With specially selected array size (number of its elements) it's possible to use
 +
integer overflow error to overflow the array "tab".
 +
 +
Below example should explain why it does happen.
 +
<pre>
 +
rezos@bezel ~/labs/integer $ cat multi.c
 +
#include <stdio.h>
 +
 +
int main(void)
 +
{
 +
printf ("1073741824 *4 = %d\n", 1073741824 * 4);
 +
return 0;
 +
}
 +
</pre>
 +
In this program we multiplicate 1073741824 * 4 because of sizeof(char *) will return 4.
 +
<pre>
 +
rezos@bezel ~/labs/integer $ gcc -ggdb multi.c -o multi
 +
multi.c: In function 'main':
 +
multi.c:6: warning: integer overflow in expression
 +
</pre>
 +
The compiler at this stage warn us, that in the program occurs expression, which cause an
 +
integer overflow. To make sure what the result of the multiplacation will be:
 +
<pre>
 +
rezos@bezel ~/labs/integer $ ./multi
 +
1073741824 *4 = 0
 +
</pre>
 +
malloc(0) (in the main example) will allocate memory with size 0 correctly(poprawnie)/successfully(z powodzeniem),
 +
and that will allow for overwriting memory segments on the heap.
 +
 +
Memory allocation with negative value may cause in fact allocation of very small or very big
 +
memory segments depending on the implementation of the *alloc() functions. Integer overflow
 +
errors may also lead to the situation where condition statements, which are supposed to check buffers
 +
boundaries, are omitted.
 +
 +
Integer overflow errors are not always a threat themselves. However they provide very often
 +
possibility to overwrite or to read memory content beyond boudries of the buffers. For instance
 +
during buffer indexing.
 +
  
 
==Related Threats==
 
==Related Threats==
 +
 +
*[[:Category:Command Execution]]
  
 
==Related Attacks==
 
==Related Attacks==
 +
 +
*[[buffer overflow]]
 +
*[[stack overflow attack]]
 +
*[[heap overflow attack]]
  
 
==Related Vulnerabilities==
 
==Related Vulnerabilities==
 +
 +
*[[Integer_Overflow]]
  
 
==Related Countermeasures==
 
==Related Countermeasures==
  
 +
* Use programming language and/or compiler, which will check the buffers boundries and their indexes.
 +
* Use libraries, which provides API for arithmetic operations (e.g. safe_iop)
 +
* Check results of the arithmetic operations, which used integer numbers and compare them with the expected values.
 +
 +
==Categories==
 +
 +
[[Category:Data Structure Attacks]]
 
[[Category:Attack]]
 
[[Category:Attack]]

Revision as of 17:34, 24 October 2007

This is an Attack. To view all attacks, please see the Attack Category page.


Description

Integer overflow belongs to a logic errors family. It occurs when given range of int (integer) type numbers is overflowed due to arithmetic operations. Generally there are only two operations, which causes these kind of errors - addition and multiplication.

Examples

Example 1 (add)

rezos@bezel ~/labs/integer $ cat add.c
#include <stdio.h>
#include <limits.h>

int main(void)
{
 int a;

//  a=2147483647;
 a=INT_MAX;

 printf("int a (INT_MAX) = %d (0x%x), int a (INT_MAX) + 1 = %d (0x%x)\n", a,a,a+1,a+1);

 return 0;
}

rezos@bezel ~/labs/integer $ ./add
int a (INT_MAX) = 2147483647 (0x7fffffff), int a (INT_MAX) + 1 = -2147483648 (0x80000000)

By adding 1 to the biggest possible signed (+ or -) integer value we overwrite the sign bit. In short, by adding two positive numbers we get one big negative number.


Example 2 (multiplication)

rezos@bezel ~/labs/integer $ cat multiplication.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

int main(int argc, char **argv)
{
 int i, j, z=0x00000001;
 char *tab;

 if(argc<2) _exit(1);

 i=atoi(argv[1]);

 if(i>0) {
   tab = malloc(i * sizeof(char *));
   if(tab == NULL) _exit(2);
 }

 for(j=0; j<i; j++)
   tab[j]=z++;

 for(j=0; j<i; j++)
   printf("tab[j]=0x%x\n", tab[j]);

 return 0;
}

rezos@bezel ~/labs/integer $ ./multiplication 1073741824
Segmentation fault

The program should write "z" value into the array of pointers and then print it out. With specially selected array size (number of its elements) it's possible to use integer overflow error to overflow the array "tab".

Below example should explain why it does happen.

rezos@bezel ~/labs/integer $ cat multi.c
#include <stdio.h>

int main(void)
{
 printf ("1073741824 *4 = %d\n", 1073741824 * 4);
 return 0;
}

In this program we multiplicate 1073741824 * 4 because of sizeof(char *) will return 4.

rezos@bezel ~/labs/integer $ gcc -ggdb multi.c -o multi
multi.c: In function 'main':
multi.c:6: warning: integer overflow in expression

The compiler at this stage warn us, that in the program occurs expression, which cause an integer overflow. To make sure what the result of the multiplacation will be:

rezos@bezel ~/labs/integer $ ./multi
1073741824 *4 = 0

malloc(0) (in the main example) will allocate memory with size 0 correctly(poprawnie)/successfully(z powodzeniem), and that will allow for overwriting memory segments on the heap.

Memory allocation with negative value may cause in fact allocation of very small or very big memory segments depending on the implementation of the *alloc() functions. Integer overflow errors may also lead to the situation where condition statements, which are supposed to check buffers boundaries, are omitted.

Integer overflow errors are not always a threat themselves. However they provide very often possibility to overwrite or to read memory content beyond boudries of the buffers. For instance during buffer indexing.


Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures

  • Use programming language and/or compiler, which will check the buffers boundries and their indexes.
  • Use libraries, which provides API for arithmetic operations (e.g. safe_iop)
  • Check results of the arithmetic operations, which used integer numbers and compare them with the expected values.

Categories