Bug Classes/Integer overflow

From Linux Kernel Security Subsystem
Revision as of 21:02, 3 February 2016 by KeesCook (talk | contribs) (→‎Examples: paste-o)

Details

Integer overflows (or underflows) occur when an arithmetic operation, most commonly a multiplication, produces a result that exceeds the range representable by its datatype; the value generally wraps around silently rather than being reported as an error. This usually results either in allocating a too-small buffer that is then written past, or in producing out-of-bounds array indexes. Exploitation is most common via heap overflows, since the (too-small) buffers tend to be allocated on the heap. Additionally, reference counters can overflow and wrap around, leading to use-after-free exploits.

Examples

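The following is an added, constructed userspace C example (not kernel code and not from the original page) showing the two failure modes described above: a 32-bit size computation that wraps and would hand the allocator a too-small buffer, beside a checked version using the GCC/Clang `__builtin_mul_overflow` primitive, and a saturating reference-count increment in the spirit of PAX_REFCOUNT. The function names and the sample values are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example (not kernel code): size computed for an array
 * allocation with plain 32-bit arithmetic. count * elem_size silently
 * wraps modulo 2^32, so the caller allocates a buffer far too small and
 * then copies 'count' elements into it: a heap overflow. */
static uint32_t naive_alloc_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Hardened version: detect the wrap before the size reaches the
 * allocator. __builtin_mul_overflow is the compiler primitive that the
 * kernel's later check_mul_overflow()/array_size() helpers build on.
 * Returns 0 and stores the size on success, -1 if the product does not
 * fit in 32 bits. */
static int checked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    uint32_t bytes;
    if (__builtin_mul_overflow(count, elem_size, &bytes))
        return -1;
    *out = bytes;
    return 0;
}

/* Saturating reference-count increment, in the spirit of PAX_REFCOUNT:
 * rather than wrapping from UINT32_MAX to 0 (after which a single put()
 * frees an object that is still in use), the counter sticks at the
 * maximum. The object leaks, which is far safer than a use-after-free. */
static uint32_t refcount_inc_saturating(uint32_t *ref)
{
    if (*ref != UINT32_MAX)
        (*ref)++;
    return *ref;
}

int main(void)
{
    uint32_t count = 0x40000001u, elem = 4u, bytes;

    /* 0x40000001 * 4 = 0x100000004, which wraps to 4 in 32 bits. */
    printf("naive size:   %u bytes for %u elements\n",
           naive_alloc_size(count, elem), count);
    printf("checked size: %s\n",
           checked_alloc_size(count, elem, &bytes) ? "overflow rejected" : "ok");

    uint32_t ref = UINT32_MAX - 1;
    refcount_inc_saturating(&ref);   /* reaches UINT32_MAX */
    refcount_inc_saturating(&ref);   /* stays at UINT32_MAX instead of 0 */
    printf("refcount: %u\n", ref);
    return 0;
}
```
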
Mitigations

  • check for refcount overflows (e.g. PAX_REFCOUNT)
  • compiler instrumentation to detect multiplication overflows at runtime (e.g. PAX_SIZE_OVERFLOW)