Unsigned to signed conversion error

From OWASP
Revision as of 13:38, 16 May 2006 by Deleted user (Talk | contribs)

Jump to: navigation, search


Overview

An unsigned-to-signed conversion error takes place when a large unsigned primitive is used as an signed value - usually as a size variable.

Consequences

  • Availability: Incorrect sign conversions generally lead to undefined behavior, and therefore crashes.
  • Integrity: If a poor cast lead to a buffer underwrite, data integrity may be affected.
  • Access control (instruction processing): Improper unsigned-to-signed conversions, often create buffer underwrite conditions which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy.

Exposure period

  • Requirements specification: The choice could be made to use a language that is not susceptible to these issues.
  • Design: Accessor functions may be designed to mitigate some of these logical issues.
  • Implementation: Many logic errors can lead to this condition. It can be exacerbated by lack of or misuse of mitigating technologies.

Platform

  • Languages: C, C++, Fortran, Assembly
  • Operating platforms: All

Required resources

Any

Severity

High

Likelihood of exploit

Low to Medium

Avoidance and mitigation

  • Requirements specification: The choice could be made to use a language that is not susceptible to these issues.
  • Design: Ensure that interacting functions retain the same types and that only safe type casts must occur. If possible, use intelligent marshalling routines to translate between objects.
  • Implementation: Use out-of-data band channels for transmitting error messages if unsigned size values must be transmitted. Check all errors.
  • Build: Pay attention to compiler warnings which may alert you to improper type casting.

Discussion

Although less frequent an issue than signed-to-unsigned casting, unsigned-to-signed casting can be the perfect precursor to dangerous buffer underwrite conditions that allow attackers to move down the stack where they otherwise might not have access in a normal buffer overflow condition.

Buffer underwrites occur frequently when large unsigned values are cast to signed values, and then used as indexes into a buffer or for pointer arithmetic.

Examples

While not exploitable, the following program is an excellent example of how implicit casts, while not changing the value stored, significantly changes its use:

#include <stdio.h>
		
int main() {   
  int value;    
  value = (int)(~((int)0) ^ (1 << (sizeof(int)*8)));    

  printf("Max unsigned int: %u %1$x\nNow signed: %1$d %1$x\n",
         value);    
  return (0);
}

The above code produces the following output:

Max unsigned int: 4294967295 ffffffff
Now signed: -1 ffffffff

Note how the hex value remains unchanged.

Related problems

Categories