lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20061125175122.932.0@paddy.troja.mff.cuni.cz>
Date: Sat, 25 Nov 2006 19:02:16 +0100 (CET)
From: Pavel Kankovsky <peak@...o.troja.mff.cuni.cz>
To: "Steven M. Christey" <coley@...re.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: Clarifying integer overflows vs. signedness errors

On Tue, 21 Nov 2006, Steven M. Christey wrote:

> I think of an integer overflow as being: "some computation (addition,
> multiplication) would produce an integer value that is too large to be
> stored in the actual memory location, so the integer wraps to some
> other value."  (let's leave integer "underflow" out of this for the
> moment).

The passing of a signed variable called "len" to an unsigned parameter of
copyout() is a (trivial) computation producing a value that does not fit
into the target type. Negative values "wrap around" and monotonicity
(length <= buffer size) is not preserved.

IMHO these two classes of problems grow from one common root.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ