Bug Classes/Integer overflow

From Linux Kernel Security Subsystem
(Difference between revisions)
Jump to: navigation, search
(Created page with "= Details = Integer overflows (or underflows) occur when a multiplication happens that exceeds the size that can be represented by the datatype, generally wrapping around. Th...")
 
(Examples)
Line 6: Line 6:
  
 
* [https://jon.oberheide.org/blog/2010/09/10/linux-kernel-can-slub-overflow/ slub overflow]
 
* [https://jon.oberheide.org/blog/2010/09/10/linux-kernel-can-slub-overflow/ slub overflow]
 
+
* [https://cyseclabs.com/page?n=02012016 refcount overflow]
  
 
= Mitigations =
 
= Mitigations =

Revision as of 20:06, 4 January 2016

Details

Integer overflows (or underflows) occur when a multiplication happens that exceeds the size that can be represented by the datatype, generally wrapping around. This usually results in either writing to too-small buffers, or producing out of bound array indexes. Exploitation is most common via heap overflows, since the (too-small) buffers tend to be allocated on the heap. Additionally, reference counting can overflow and wrap around, leading to use-after-free exploits.

Examples

Mitigations

  • check for refcount overflows (e.g. PAX_REFCOUNT)
  • compiler instrumentation to detect multiplication overflows at runtime (e.g. PAX_SIZE_OVERFLOW)
Personal tools
Namespaces

Variants
Actions
Navigation
Tools