Message-Id: <200611212153.kALLrYG9009899@faron.mitre.org>
Date: Tue, 21 Nov 2006 16:53:34 -0500 (EST)
From: "Steven M. Christey" <coley@...re.org>
To: bugtraq@...urityfocus.com
Subject: Clarifying integer overflows vs. signedness errors


A terminology question for people.

In this reference:

  BUGTRAQ:20061115 Re: DragonFlyBSD all versions FireWire IOCTL kernel integer overflow information disclousure
  http://www.securityfocus.com/archive/1/archive/1/451677/100/0/threaded

The issue is being described as an integer overflow.

I think of an integer overflow as being: "some computation (addition,
multiplication) would produce an integer value that is too large to be
stored in the actual memory location, so the integer wraps to some
other value."  (let's leave integer "underflow" out of this for the
moment).

However, the relevant code is given as:

  if (crom_buf->len < len)
     len = crom_buf->len;

  ...

  err = copyout(ptr, crom_buf->ptr, len);


Here, the "len" value is not computed in any way, it's simply set.
The comparison succeeds because it is in a signed context, but the
copyout() is using an unsigned value.

So, to me, this doesn't look like an "integer overflow," rather some
issue that's directly related to what I call a "signedness error" and
what others sometimes refer to as "signed comparison" issues.

Based on what I've seen, integer overflows and signedness errors are
often closely related, sometimes appearing in the same part of the
code, so I think they get confused pretty frequently.

Or am I not understanding something basic here?


- Steve
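
Added example, not part of the original message and not the DragonFlyBSD code: a C sketch that puts the two bug classes discussed above side by side, each with a checked form. The buffer size SRC_MAX, the function names and the "int" type of the lengths are assumptions made for illustration; no copy is performed, each function only returns the length a copy routine would receive.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SRC_MAX 1024   /* constructed: size of the kernel-side source data */

/* Signedness error, same shape as the quoted snippet: the clamp compares
 * signed ints, then the copy routine takes the length as an unsigned size_t. */
size_t clamp_signed(int user_len)
{
    int len = SRC_MAX;
    if (user_len < len)        /* signed compare: -1 < 1024 is true */
        len = user_len;        /* nothing is computed, len is simply set */
    return (size_t)len;        /* -1 converts to SIZE_MAX */
}

/* Checked form: reject negative lengths, then clamp in unsigned arithmetic. */
int clamp_checked(int user_len, size_t *out)
{
    if (user_len < 0)
        return -1;
    size_t len = (size_t)user_len;
    *out = len < SRC_MAX ? len : SRC_MAX;
    return 0;
}

/* Integer overflow, for contrast: a computation whose true result does not
 * fit in the destination type, so it wraps (here modulo 2^32). */
uint32_t alloc_size_wrapping(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Checked form: detect that the product would not fit before multiplying. */
int alloc_size_checked(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return -1;
    *out = count * elem_size;
    return 0;
}

int main(void)
{
    printf("signed clamp of -1     -> %zu\n", clamp_signed(-1));
    printf("0x40000001 * 4 wrapped -> %u\n",
           (unsigned)alloc_size_wrapping(0x40000001u, 4));
    return 0;
}
```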
