Quick Security Auditing Puzzle
Thursday, 21. December 2006, 19:10:51
Here's an interesting problem, how can I make this simple program crash? (assume IA32)
scroll down for the solution.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
The code correctly checks for divide by zero, so attempting this wont work:
But not every invalid operation has been checked, while every programmer knows to avoid dividing by zero, very few are aware that it's also illegal to divide INT_MIN by -1. The reason is obvious, on a twos complement system |INT_MIN| is one greater than INT_MAX, so the result of the operation simply cannot fit in an integer.
This little known fact is almost guaranteed to crash any system that uses integer division on user controlled values as so few developers check for this unusual case.
#include <stdlib.h>
#include <stdio.h>
int main(int argc, char **argv)
{
int a, b;
if (argc != 3)
return 1;
a = atoi(argv[1]);
b = atoi(argv[2]);
return b ? a / b : 0;
}
scroll down for the solution.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
The code correctly checks for divide by zero, so attempting this wont work:
$ ./a.out 42 0; echo $? 0 $
But not every invalid operation has been checked, while every programmer knows to avoid dividing by zero, very few are aware that it's also illegal to divide INT_MIN by -1. The reason is obvious, on a twos complement system |INT_MIN| is one greater than INT_MAX, so the result of the operation simply cannot fit in an integer.
This little known fact is almost guaranteed to crash any system that uses integer division on user controlled values as so few developers check for this unusual case.
$ ./a.out -2147483648 -1; echo $? Floating point exception (core dumped) 136









Anonymous # 21. December 2006, 20:52
It's important to note that many interpreted languages do not seem to be vulnerable to this, and they support growing past those bounds with a seemingly transparent big integer implementation.
$ php
2147483648
Anonymous # 23. December 2006, 08:53
OMFG.
Kudos to you, didn't know that one.
Anonymous # 23. December 2006, 11:40
most dynamic typed languages aren't vulnerable like this
Anonymous # 10. January 2007, 00:22
PowerPC code is not vulnerable : there's a convention where 0/0=0 and -2147483648/-1=0 (for the divw opcode at least)
Anonymous # 22. February 2007, 19:35
wouldn't this be the same case for INT_MIN*-1?