CWE-122 Individual Dictionary Definition (Draft 9)

| Field | Content |
|---|---|
| Weakness ID | 122 (Weakness Variant) |
| Status | Draft |
| Description | Summary: A heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| Likelihood of Exploit | High to Very High |
| Weakness Ordinality | Primary (the weakness exists independent of other weaknesses) |
| Causal Nature | Explicit (this is an explicit weakness resulting from the behavior of the developer) |
| Affected Resource | Memory |
| Common Consequences | Availability: Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. Access control (memory and instruction processing): Buffer overflows can often be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. Other: When the consequence is arbitrary code execution, this can often be used to subvert any other security service. |
| Potential Mitigations | Pre-design: Use a language or compiler that performs automatic bounds checking. Design: Use an abstraction library to abstract away risky APIs; not a complete solution. Pre-design through Build: Canary-style bounds checking, library changes which ensure the validity of chunk data, and other such fixes are possible, but should not be relied upon. Operational: Use OS-level preventative functionality; not a complete solution. |
| Applicable Platforms | C, C++ |
| Time of Introduction | Implementation |
| Source Taxonomies | CLASP - Heap overflow |
| Relationships | |

Demonstrative Examples

C example (deliberately vulnerable: the heap buffer is BUFSIZE bytes, but strcpy() copies argv[1] without any bound):

```c
#include <stdlib.h>
#include <string.h>

#define BUFSIZE 256

int main(int argc, char **argv)
{
    char *buf;
    if (argc < 2)                  /* avoid dereferencing a missing argv[1] */
        return 1;
    buf = (char *)malloc(BUFSIZE); /* 256-byte heap allocation */
    strcpy(buf, argv[1]);          /* unbounded copy: an argument longer than 255 bytes overflows the heap buffer */
    return 0;
}
```

Observed Examples

| Reference | Description |
|---|---|
| CVE-2007-4268 | Chain: integer signedness passes signed comparison, leads to heap overflow |

Context Notes

Heap-based buffer overflows are usually just as dangerous as stack-based buffer overflows. Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing them to the attacker's code. Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory. For example, object methods in C++ are generally implemented using function pointers. Even in C programs, there is often a global offset table used by the underlying runtime.

Related Attack Patterns

| CAPEC-ID | Attack Pattern Name |
|---|---|
| 92 | Forced Integer Overflow |

White Box Definition

A buffer overflow where the buffer from the Buffer Write Operation is dynamically allocated.
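As an added worked example, not part of the CWE entry or its demonstrative code, the following C program pairs a bounded replacement for the strcpy() example above with a model of the integer-signedness chain that the Observed Examples and Related Attack Patterns (CVE-2007-4268, CAPEC-92) refer to. All function names, the `accepts_input_of_length()` helper, and the constructed inputs are this example's own, not from the CWE entry; the flawed length check deliberately performs no copy so that it can be called with any value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSIZE 256

/* Hardened replacement for the page's strcpy() example: copies src into a
 * fresh BUFSIZE-byte heap buffer only when it fits, terminating NUL included.
 * Returns NULL (and copies nothing) when the input is too long or malloc() fails. */
char *copy_to_heap_bounded(const char *src)
{
    size_t len = strlen(src);
    if (len >= BUFSIZE)            /* len == 255 is the longest string that fits */
        return NULL;
    char *buf = malloc(BUFSIZE);
    if (buf == NULL)
        return NULL;
    memcpy(buf, src, len + 1);     /* bounded by the check above */
    return buf;
}

/* Models the CVE-2007-4268-style chain: a length that arrives as a signed int
 * is compared against a signed constant, so a negative value passes the check
 * and would then reach memcpy() converted to a huge size_t. Returns 1 when the
 * flawed check would admit the copy, 0 when it rejects it. No copy is performed. */
int flawed_signed_length_check(int len)
{
    if (len > BUFSIZE)             /* -1 > 256 is false, so -1 slips through */
        return 0;
    /* memcpy(buf, data, len);    would copy (size_t)len, i.e. 0xFFFF...FFFF bytes */
    return 1;
}

/* Corrected check: reject negative lengths before the magnitude comparison,
 * so the value that reaches memcpy() can never wrap to a huge size_t. */
int safe_length_check(int len)
{
    if (len < 0)
        return 0;
    if ((size_t)len > BUFSIZE)
        return 0;
    return 1;
}

/* Helper for exercising copy_to_heap_bounded() with a constructed input of
 * n 'A' characters; returns 1 if accepted, 0 if rejected, -1 on allocation failure. */
int accepts_input_of_length(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return -1;
    memset(s, 'A', n);
    s[n] = '\0';
    char *buf = copy_to_heap_bounded(s);
    int accepted = (buf != NULL);
    free(buf);
    free(s);
    return accepted;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    char *buf = copy_to_heap_bounded(argv[1]);
    if (buf == NULL) {
        fprintf(stderr, "input rejected: longer than %d bytes\n", BUFSIZE - 1);
        return 1;
    }
    printf("copied %zu bytes safely\n", strlen(buf));
    free(buf);
    printf("flawed check admits len=-1: %d, safe check admits len=-1: %d\n",
           flawed_signed_length_check(-1), safe_length_check(-1));
    return 0;
}
```

The hardened copy shows the usual shape of the fix for the demonstrative example: compute the length once, compare it against the allocation size with the terminator accounted for, and only then copy. The two length-check functions isolate the signedness bug: the same negative value is admitted by the signed comparison and rejected once negatives are screened out, which is the step that breaks the chain from integer signedness to heap overflow.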