CWE - CWE-194: Unexpected Sign Extension (2.8)

Unexpected Sign Extension

Weakness ID: 194 (Weakness Base)

Status: Incomplete

Description

Description Summary

The software performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.

Time of Introduction

Implementation

Applicable Platforms

Languages

C++

Common Consequences

Scope

Effect

Integrity

Confidentiality

Availability

Other

Technical Impact: Read memory; Modify memory; Other

When an unexpected sign extension occurs in code that operates directly on memory buffers, such as a size value or a memory index, then it could cause the program to write or read outside the boundaries of the intended buffer. If the numeric value is associated with an application-level resource, such as a quantity or price for a product in an e-commerce site, then the sign extension could produce a value that is much higher (or lower) than the application's allowable range.

Likelihood of Exploit

High

Demonstrative Examples

Example 1

The following code reads a maximum size and performs a sanity check on that size. It then performs a strncpy, assuming it will not exceed the boundaries of the array. While the use of "short s" is forced in this particular example, short int's are frequently used within real-world code, such as code that processes structured data.

(Bad Code)

Example Language: C

int GetUntrustedInt () {

return(0x0000FFFF);

}

void main (int argc, char **argv) {

char path[256];

char *input;

int i;

short s;

unsigned int sz;

i = GetUntrustedInt();

s = i;

/* s is -1 so it passes the safety check - CWE-697 */

if (s > 256) {

DiePainfully("go away!\n");

}

/* s is sign-extended and saved in sz */

sz = s;

/* output: i=65535, s=-1, sz=4294967295 - your mileage may vary */

printf("i=%d, s=%d, sz=%u\n", i, s, sz);

input = GetUserInput("Enter pathname:");

/* strncpy interprets s as unsigned int, so it's treated as MAX_INT

(CWE-195), enabling buffer overflow (CWE-119) */

strncpy(path, input, s);

path[255] = '\0'; /* don't want CWE-170 */

printf("Path is: %s\n", path);

}

This code first exhibits an example of CWE-839, allowing "s" to be a negative number. When the negative short "s" is converted to an unsigned integer, it becomes an extremely large positive integer. When this converted integer is used by strncpy() it will lead to a buffer overflow (CWE-119).

Observed Examples

Reference	Description
CVE-1999-0234	Sign extension error produces -1 value that is treated as a command separator, enabling OS command injection.
CVE-2003-0161	Product uses "char" type for input character. When char is implemented as a signed type, ASCII value 0xFF (255), a sign extension produces a -1 value that is treated as a program-specific separator value, effectively disabling a length check and leading to a buffer overflow. This is also a multiple interpretation error.
CVE-2007-4988	chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow.
CVE-2006-1834	chain: signedness error allows bypass of a length check; later sign extension makes exploitation easier.
CVE-2005-2753	Sign extension when manipulating Pascal-style strings leads to integer overflow and improper memory copy.

Potential Mitigations

Phase: Implementation

Avoid using signed variables if you don't need to represent negative values. When negative values are needed, perform sanity checks after you save those values to larger data types, or before passing them to functions that are expecting unsigned values.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Base	681	Incorrect Conversion between Numeric Types	Development Concepts (primary)699 Research Concepts (primary)1000
ChildOf	Category	998	SFP Secondary Cluster: Glitch in Computation	Software Fault Pattern (SFP) Clusters (primary)888
CanAlsoBe	Category	192	Integer Coercion Error	Research Concepts1000
CanAlsoBe	Weakness Base	197	Numeric Truncation Error	Research Concepts1000

Relationship Notes

Sign extension errors can lead to buffer overflows and other memory-based problems. They are also likely to be factors in other weaknesses that are not based on memory operations, but rely on numeric calculation.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
CLASP			Sign extension error
Software Fault Patterns	SFP1		Glitch in computation

References

John McDonald, Mark Dowd and Justin Schuh. "C Language Issues for Application Security". 2008-01-25. <http://www.informit.com/articles/article.aspx?p=686170&seqNum=6>.

Robert Seacord. "Integral Security". 2006-11-03. <http://www.ddj.com/security/193501774>.

Maintenance Notes

This entry is closely associated with signed-to-unsigned conversion errors (CWE-195) and other numeric errors. These relationships need to be more closely examined within CWE.

Content History

Submissions
Submission Date	Submitter	Organization	Source
	CLASP		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Applicable_Platforms, Common_Consequences, Description, Relationships, Taxonomy_Mappings
2008-11-05	CWE Content Team	MITRE	Internal
2008-11-05	complete rewrite of the entire entry
2008-11-24	CWE Content Team	MITRE	Internal
2008-11-24	updated Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships
2009-05-27	CWE Content Team	MITRE	Internal
2009-05-27	updated Demonstrative_Examples
2009-10-29	CWE Content Team	MITRE	Internal
2009-10-29	updated Demonstrative_Examples
2010-04-05	CWE Content Team	MITRE	Internal
2010-04-05	updated Demonstrative_Examples
2010-12-13	CWE Content Team	MITRE	Internal
2010-12-13	updated Applicable_Platforms
2011-06-01	CWE Content Team	MITRE	Internal
2011-06-01	updated Common_Consequences
2012-05-11	CWE Content Team	MITRE	Internal
2012-05-11	updated Demonstrative_Examples, Relationships
2014-07-30	CWE Content Team	MITRE	Internal
2014-07-30	updated Relationships, Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2008-04-11	Sign Extension Error

2008-11-24	Incorrect Sign Extension


	CWE is co-sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2015, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us

Common Weakness Enumeration

CWE-194: Unexpected Sign Extension