Bug Classes/Integer overflow
Details
Integer overflows (or underflows) occur when an arithmetic operation, typically a multiplication or addition used to compute a size, produces a result that does not fit in the datatype, so the value wraps around modulo 2^N. The wrapped result is usually far smaller than intended, so either a buffer is allocated too small for the data later copied into it, or an array index ends up out of bounds. Exploitation is most common via heap overflows, since the (too-small) buffers tend to be allocated on the heap. Reference counters are a second target: incrementing a counter past its maximum wraps it to zero, after which a single put frees the object while references to it remain, leading to use-after-free.
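The following is an added example (not code from this wiki or from any of the kernel bugs listed below) that models both variants described above in userspace C: a 32-bit `count * elem_size` computation that wraps so the allocation is smaller than the data it must hold, and a 32-bit reference counter that wraps to zero and is then freed on the next put. Beside each is the checked form corresponding to the mitigations listed below: `__builtin_mul_overflow` (the GCC/Clang builtin, standing in for compiler instrumentation such as PAX_SIZE_OVERFLOW) and a saturating increment (the PAX_REFCOUNT idea). The `struct obj`, `obj_*` and `*_demo` names are hypothetical and chosen for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <limits.h>

/* --- Size computation --------------------------------------------------- */

/* Vulnerable: count * elem_size is computed in 32 bits and wraps modulo 2^32,
 * so a huge count can yield a tiny allocation size. */
uint32_t unsafe_alloc_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Hardened: the builtin reports the wrap instead of silently truncating.
 * Returns 0 on success and -1 if the product does not fit in 32 bits. */
int safe_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    uint32_t total;
    if (__builtin_mul_overflow(count, elem_size, &total))
        return -1;
    *out = total;
    return 0;
}

/* Demonstrates the undersized buffer: returns 1 if the buffer that the
 * wrapped size buys is smaller than the bytes a fill loop over `count`
 * elements would write (the precondition for the heap overflow). The loop
 * itself is deliberately not executed. Inputs are constructed for the demo. */
int undersized_buffer_demo(void)
{
    uint32_t count = 0x40000001u, elem_size = 4u;   /* 2^30 + 1 elements */
    uint32_t size = unsafe_alloc_size(count, elem_size); /* wraps to 4 */
    uint64_t needed = (uint64_t)count * elem_size;       /* 0x100000004 */
    char *buf = malloc(size);
    int undersized = buf != NULL && (uint64_t)size < needed;
    free(buf);
    return undersized;
}

/* --- Reference counting ------------------------------------------------- */

struct obj {
    uint32_t refcount;
    int freed;          /* models the object having been released */
};

/* Unchecked increment: at UINT32_MAX it wraps to 0. */
void obj_get_unchecked(struct obj *o)
{
    o->refcount++;
}

/* Checked increment: refuse to wrap. Saturating at the maximum leaks the
 * object instead of freeing it early, which is the safer failure mode. */
int obj_get_checked(struct obj *o)
{
    if (o->refcount == UINT32_MAX)
        return -1;
    o->refcount++;
    return 0;
}

/* Release one reference; frees the object when the count reaches zero. */
int obj_put(struct obj *o)
{
    if (--o->refcount == 0) {
        o->freed = 1;
        return 1;
    }
    return 0;
}

/* Counter already at UINT32_MAX (as if 2^32 - 1 references were taken):
 * two more unchecked gets wrap it to 0 then 1, and a single put frees the
 * object while ~2^32 references still exist. Returns 1 if freed. */
int refcount_wrap_demo(void)
{
    struct obj o = { UINT32_MAX, 0 };
    obj_get_unchecked(&o);   /* 0 */
    obj_get_unchecked(&o);   /* 1 */
    obj_put(&o);             /* 0 -> freed: use-after-free for every holder */
    return o.freed;
}

/* Same sequence with the checked increment: the gets are refused, the put
 * only decrements, and the object survives. Returns 1 if freed. */
int refcount_checked_demo(void)
{
    struct obj o = { UINT32_MAX, 0 };
    obj_get_checked(&o);     /* rejected, stays UINT32_MAX */
    obj_get_checked(&o);     /* rejected */
    obj_put(&o);             /* UINT32_MAX - 1, not freed */
    return o.freed;
}
```

The kernel's own `refcount_t` behaves like `obj_get_checked` (saturating on overflow and warning), and `kmalloc_array`/`kvmalloc_array` perform the `safe_alloc_size` check for callers, which is why converting open-coded `kmalloc(n * size)` to those helpers closes this bug class without changing program logic.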
Examples
- slub overflow
- group_info refcount overflow
- keyring refcount overflow
- netfilter xt_alloc_table_info integer overflow
Mitigations
- check for refcount overflows (e.g. PAX_REFCOUNT)
- compiler instrumentation to detect multiplication overflows at runtime (e.g. PAX_SIZE_OVERFLOW)