Difference between revisions of "Bug Classes/Integer overflow"
Jump to navigation
Jump to search
(Created page with "= Details = Integer overflows (or underflows) occur when a multiplication happens that exceeds the size that can be represented by the datatype, generally wrapping around. Th...") |
|||
(3 intermediate revisions by the same user not shown) | |||
Line 6: | Line 6: | ||
* [https://jon.oberheide.org/blog/2010/09/10/linux-kernel-can-slub-overflow/ slub overflow] | * [https://jon.oberheide.org/blog/2010/09/10/linux-kernel-can-slub-overflow/ slub overflow] | ||
* [https://cyseclabs.com/page?n=02012016 group_info refcount overflow] | |||
* [http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ keyring refcount overflow] | |||
* [https://code.google.com/p/google-security-research/issues/detail?id=758 netfilter xt_alloc_table_info integer overflow] | |||
= Mitigations = | = Mitigations = |
Latest revision as of 21:47, 9 March 2016
Details
Integer overflows (or underflows) occur when a multiplication happens that exceeds the size that can be represented by the datatype, generally wrapping around. This usually results in either writing to too-small buffers, or producing out of bound array indexes. Exploitation is most common via heap overflows, since the (too-small) buffers tend to be allocated on the heap. Additionally, reference counting can overflow and wrap around, leading to use-after-free exploits.
Examples
- slub overflow
- group_info refcount overflow
- keyring refcount overflow
- netfilter xt_alloc_table_info integer overflow
Mitigations
- check for refcount overflows (e.g. PAX_REFCOUNT)
- compiler instrumentation to detect multiplication overflows at runtime (e.g. PAX_SIZE_OVERFLOW)