Skip navigation.

exploreopera

| Help

Sign up | Help

taviso

linux, programming and security

Quick Security Auditing Puzzle

, , ,

Here's an interesting problem, how can I make this simple program crash? (assume IA32)

#include <stdlib.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    int a, b;

    if (argc != 3)
        return 1;

    a = atoi(argv[1]);
    b = atoi(argv[2]);

    return b ? a / b : 0;
}


scroll down for the solution.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.


The code correctly checks for divide by zero, so attempting this wont work:

$ ./a.out 42 0; echo $?
0
$


But not every invalid operation has been checked, while every programmer knows to avoid dividing by zero, very few are aware that it's also illegal to divide INT_MIN by -1. The reason is obvious, on a twos complement system |INT_MIN| is one greater than INT_MAX, so the result of the operation simply cannot fit in an integer.

This little known fact is almost guaranteed to crash any system that uses integer division on user controlled values as so few developers check for this unusual case.

$ ./a.out -2147483648 -1; echo $?
Floating point exception (core dumped)
136


McAfee Unhappy with Gentoo SecurityPartitioning schemes and security

Comments

avatar
Anonymous writes:

It's important to note that many interpreted languages do not seem to be vulnerable to this, and they support growing past those bounds with a seemingly transparent big integer implementation.

$ php
<?php echo -2147483648 / -1; ?>

2147483648

By anonymous user, # 21. December 2006, 20:52:33

avatar
Anonymous writes:

OMFG.

Kudos to you, didn't know that one.

By anonymous user, # 23. December 2006, 08:53:56

avatar
Anonymous writes:

most dynamic typed languages aren't vulnerable like this

By anonymous user, # 23. December 2006, 11:40:04

avatar
Schmurtz writes:

PowerPC code is not vulnerable : there's a convention where 0/0=0 and -2147483648/-1=0 (for the divw opcode at least)

By anonymous user, # 10. January 2007, 00:22:26

avatar
Anonymous writes:

wouldn't this be the same case for INT_MIN*-1?

By anonymous user, # 22. February 2007, 19:35:22

Write a comment

Comment
(BBcode and HTML is turned off for anonymous user comments.)

Please type this security code : 3909ca

Smilies