|
Status: Incomplete Weakness ID: 124 (Weakness Base)Description Summary The software allows a condition where buffers are written to using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer. Extended Description This typically occurs when indexes are negative numbers or when pointer arithmetic results in a position before the beginning of the valid memory location. This can occur when a negative number is used as an offset, or if the pointer or its index is decremented to a position before the buffer. Alternate Terms buffer underrun Some prominent vendors and researchers use the term "buffer underrun". "Buffer underflow" is more commonly used, although both terms are also sometimes used to describe a buffer under-read (CWE-127). Likelihood of Exploit Medium Weakness Ordinalities Primary (where the weakness exists independent of other weaknesses) Causal Nature Explicit (an explicit
weakness resulting from behavior of the developer) Common Consequences Availability Buffer underwrites will very likely result in the corruption of relevant memory, and perhaps instructions, leading to a crash. Access control (memory and instruction processing): If the corrupted memory can be effectively controlled, it may be possible to execute arbitrary code. If the corrupted memory is data rather than instructions, the system will continue to function with improper changes, possibly in violation of an implicit or explicit policy. The consequences would only be limited by how the affected data is used, such as an adjacent memory location that is used to specify whether the user has special privileges. Other When the consequence is arbitrary code execution, this can often be used to subvert any other security service. Potential Mitigations Requirements specification: The choice could be made to use a language that is not susceptible to these issues. Implementation Sanity checks should be performed on all calculated values used as index or for pointer arithmetic. Demonstrative Examples The following is an example of code that may result in a buffer underwrite, if find() returns a negative value to indicate that ch is not found in srcBuf: C Example: int main() { ... strncpy(destBuf, &srcBuf[find(srcBuf, ch)], 1024); ... }
If the index to srcBuf is somehow under user control, this is an arbitrary write-what-where condition. Observed Examples
Research Gaps Much attention has been paid to buffer overflows, but "underflows" sometimes exist in products that are relatively free of overflows, so it is likely that this variant has been under-studied. References "Buffer UNDERFLOWS: What do you know about it?". Vuln-Dev Mailing List. 2004-01-10. <http:/ Relationships
Relationship Notes This could be resultant from several errors, including a bad offset or an array index that decrements before the beginning of the buffer (see CWE-129). Taxonomy Mappings
Applicable Platforms Languages C C++ Time of Introduction Architecture and Design ImplementationContent History Submissions PLOVER. (Externally Mined) Modifications Eric Dalci. Cigital. 2008-07-01. (External) updated Time_of_Introduction CWE Content Team. MITRE. 2008-09-08. (Internal) updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Description, Relationships, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities |
|
|
|||