Unexpected Sign Extension

ID: 194
Date: (C)2012-05-14   (M)2022-10-10
Type: weakness
Status: INCOMPLETE
Abstraction Type: Base





Description

The software performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.

Likelihood of Exploit: High

Applicable Platforms
Language: C
Language: C++

Time Of Introduction

  • Implementation

Common Consequences

Scope: Integrity, Confidentiality, Availability, Other
Technical Impact: Read memory, Modify memory, Other
Notes: When an unexpected sign extension occurs in code that operates directly on memory buffers, such as a size value or a memory index, then it could cause the program to write or read outside the boundaries of the intended buffer. If the numeric value is associated with an application-level resource, such as a quantity or price for a product in an e-commerce site, then the sign extension could produce a value that is much higher (or lower) than the application's allowable range.

Detection Methods
None

Potential Mitigations

Phase: Implementation
Description: Avoid using signed variables if you don't need to represent negative values. When negative values are needed, perform sanity checks after you save those values to larger data types, or before passing them to functions that are expecting unsigned values.

Relationships
Sign extension errors can lead to buffer overflows and other memory-based problems. They are also likely to be factors in other weaknesses that are not based on memory operations, but rely on numeric calculation.

Related CWE: CWE-194 ChildOf CWE-885
Type: Category
View: CWE-888

Demonstrative Examples

  1. The following code reads a maximum size and performs a sanity check on that size. It then performs a strncpy, assuming it will not exceed the boundaries of the array. While the use of "short s" is forced in this particular example, short ints are frequently used within real-world code, such as code that processes structured data. (Demonstrative Example Id DX-23)
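The pattern described above, together with the check recommended under Potential Mitigations, as an added example (this is not the DX-23 code, which does not appear on this page, and not CWE's own code). The names flawed_len, checked_len and PATH_CAP are hypothetical, and the sample input is constructed; no copy is performed, the functions only return the length a copy routine would receive.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

#define PATH_CAP 256  /* assumed size of the destination buffer */

/* Flawed pattern: narrow to short, check only the upper bound, then widen.
 * Returns the length a size_t parameter (such as strncpy's n) would receive,
 * or 0 when the upper-bound check rejects the value. */
size_t flawed_len(int untrusted)
{
    /* Narrowing is implementation-defined; on common two's-complement
     * compilers 0xFFFF becomes -1. */
    short s = (short)untrusted;
    if (s > PATH_CAP)
        return 0;
    return (size_t)s;  /* sign extension: -1 widens to SIZE_MAX */
}

/* Hardened form: validate the full range in the original type, then convert.
 * Returns 0 and stores the length on success, -1 on rejection. */
int checked_len(int untrusted, size_t *out)
{
    if (untrusted < 0 || untrusted > PATH_CAP)
        return -1;
    *out = (size_t)untrusted;
    return 0;
}

int main(void)
{
    size_t n = 0;
    int untrusted = 0x0000FFFF;  /* constructed sample input */

    printf("flawed_len  -> %zu\n", flawed_len(untrusted));
    printf("checked_len -> %d\n", checked_len(untrusted, &n));
    return 0;
}
```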

Observed Examples

  1. CVE-1999-0234 : Sign extension error produces -1 value that is treated as a command separator, enabling OS command injection.
  2. CVE-2003-0161 : Product uses "char" type for input character. When char is implemented as a signed type, ASCII value 0xFF (255), a sign extension produces a -1 value that is treated as a program-specific separator value, effectively disabling a length check and leading to a buffer overflow. This is also a multiple interpretation error.
  3. CVE-2007-4988 : chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow.
  4. CVE-2006-1834 : chain: signedness error allows bypass of a length check; later sign extension makes exploitation easier.
  5. CVE-2005-2753 : Sign extension when manipulating Pascal-style strings leads to integer overflow and improper memory copy.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy: CLASP
Name: Sign extension error

CVE relations (1):
CVE-2021-38434

© SecPod Technologies