An unsigned-to-signed conversion error takes place when a large
unsigned primitive is used as a signed value.
Time of Introduction
Implementation
Applicable Platforms
Languages
C
C++
Common Consequences
Scope
Effect
Availability
Incorrect sign conversions generally lead to undefined behavior, and
therefore crashes.
Integrity
If a poor cast lead to a buffer overflow or similar condition, data
integrity may be affected.
Integrity
Improper signed-to-unsigned conversions without proper checking can
sometimes trigger buffer overflows which can be used to execute
arbitrary code. This is usually outside the scope of a program's
implicit security policy.
Likelihood of Exploit
Medium
Demonstrative Examples
Example 1
In the following example, it is possible to request that memcpy move
a much larger segment of memory than assumed:
(Bad Code)
C
int returnChunkSize(void *) {
/* if chunk info is valid, return the size of usable
memory,
If returnChunkSize() happens to encounter an error, and returns -1,
memcpy will assume that the value is unsigned and therefore interpret it
as MAXINT-1, therefore copying far more memory than is likely available
in the destination buffer.
Potential Mitigations
Phase
Description
Requirements specification: Choose a language which is not subject to
these casting flaws.
Architecture and Design
Design object accessor functions to implicitly check values for valid
sizes. Ensure that all functions which will be used as a size are
checked previous to use as a size. If the language permits, throw
exceptions rather than using in-band errors.
Implementation
Error check the return values of all functions. Be aware of implicit
casts made, and use unsigned variables for sizes if at all
possible.
Other Notes
Often, functions will return negative values to indicate a failure state.
In the case of functions which return values which are meant to be used as
sizes, negative return values can have unexpected results. If these values
are passed to the standard memory copy or allocation functions, they will
implicitly cast the negative error-indicating value to a large unsigned
value. In the case of allocation, this may not be an issue; however, in the
case of memory and string copy functions, this can lead to a buffer overflow
condition which may be exploitable. Also, if the variables in question are
used as indexes into a buffer, it may result in a buffer underflow
condition.
Although less frequent an issue than signed-to-unsigned casting,
unsigned-to-signed casting can be the perfect precursor to dangerous buffer
underwrite conditions that allow attackers to move down the stack where they
otherwise might not have access in a normal buffer overflow condition.
Buffer underwrites occur frequently when large unsigned values are cast to
signed values, and then used as indexes into a buffer or for pointer
arithmetic.
Description
