Details

Integer overflows (or underflows) occur when a multiplication happens that exceeds the size that can be represented by the datatype, generally wrapping around. This usually results in either writing to too-small buffers, or producing out of bound array indexes. Exploitation is most common via heap overflows, since the (too-small) buffers tend to be allocated on the heap. Additionally, reference counting can overflow and wrap around, leading to use-after-free exploits.

Examples

• slub overflow
• group_info refcount overflow
• keyring refcount overflow
• netfilter xt_alloc_table_info integer overflow

Mitigations

• check for refcount overflows (e.g. PAX_REFCOUNT)
• compiler instrumentation to detect multiplication overflows at runtime (e.g. PAX_SIZE_OVERFLOW)