CWE-194 未预期的符号扩展

Unexpected Sign Extension

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: High

基本描述

The software performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 681 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 681 cwe_View_ID: 699 cwe_Ordinal: Primary

适用平台

Language: [{'cwe_Name': 'C', 'cwe_Prevalence': 'Undetermined'}, {'cwe_Name': 'C++', 'cwe_Prevalence': 'Undetermined'}]

常见的影响

范围 影响 注释
['Integrity', 'Confidentiality', 'Availability', 'Other'] ['Read Memory', 'Modify Memory', 'Other'] When an unexpected sign extension occurs in code that operates directly on memory buffers, such as a size value or a memory index, then it could cause the program to write or read outside the boundaries of the intended buffer. If the numeric value is associated with an application-level resource, such as a quantity or price for a product in an e-commerce site, then the sign extension could produce a value that is much higher (or lower) than the application's allowable range.

可能的缓解方案

Implementation

策略:

Avoid using signed variables if you don't need to represent negative values. When negative values are needed, perform sanity checks after you save those values to larger data types, or before passing them to functions that are expecting unsigned values.

示例代码

The following code reads a maximum size and performs a sanity check on that size. It then performs a strncpy, assuming it will not exceed the boundaries of the array. While the use of "short s" is forced in this particular example, short int's are frequently used within real-world code, such as code that processes structured data.

bad C

int GetUntrustedInt () {
return(0x0000FFFF);
}

void main (int argc, char argv) {
char path[256];
char
input;
int i;
short s;
unsigned int sz;

i = GetUntrustedInt();
s = i;
/
s is -1 so it passes the safety check - CWE-697 /
if (s > 256) {
DiePainfully("go away!\n");
}

/
s is sign-extended and saved in sz /
sz = s;

/
output: i=65535, s=-1, sz=4294967295 - your mileage may vary /
printf("i=%d, s=%d, sz=%u\n", i, s, sz);

input = GetUserInput("Enter pathname:");

/
strncpy interprets s as unsigned int, so it's treated as MAX_INT
(CWE-195), enabling buffer overflow (CWE-119) /
strncpy(path, input, s);
path[255] = '\0'; /
don't want CWE-170 */
printf("Path is: %s\n", path);
}

This code first exhibits an example of CWE-839, allowing "s" to be a negative number. When the negative short "s" is converted to an unsigned integer, it becomes an extremely large positive integer. When this converted integer is used by strncpy() it will lead to a buffer overflow (CWE-119).

分析过的案例

标识 说明 链接
CVE-1999-0234 Sign extension error produces -1 value that is treated as a command separator, enabling OS command injection. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0234
CVE-2003-0161 Product uses "char" type for input character. When char is implemented as a signed type, ASCII value 0xFF (255), a sign extension produces a -1 value that is treated as a program-specific separator value, effectively disabling a length check and leading to a buffer overflow. This is also a multiple interpretation error. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0161
CVE-2007-4988 chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4988
CVE-2006-1834 chain: signedness error allows bypass of a length check; later sign extension makes exploitation easier. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1834
CVE-2005-2753 Sign extension when manipulating Pascal-style strings leads to integer overflow and improper memory copy. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2753

Notes

Relationship Sign extension errors can lead to buffer overflows and other memory-based problems. They are also likely to be factors in other weaknesses that are not based on memory operations, but rely on numeric calculation. Maintenance This entry is closely associated with signed-to-unsigned conversion errors (CWE-195) and other numeric errors. These relationships need to be more closely examined within CWE.

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
CLASP Sign extension error
Software Fault Patterns SFP1 Glitch in computation
CERT C Secure Coding INT31-C CWE More Specific Ensure that integer conversions do not result in lost or misinterpreted data

引用