
taviso

linux, programming and security

Quick Security Auditing Puzzle


Here's an interesting problem: how can I make this simple program crash? (Assume IA32.)

#include <stdlib.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    int a, b;

    if (argc != 3)
        return 1;

    a = atoi(argv[1]);
    b = atoi(argv[2]);

    return b ? a / b : 0;
}


scroll down for the solution.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.


The code correctly checks for division by zero, so this attempt won't work:

$ ./a.out 42 0; echo $?
0
$


But not every invalid operation has been checked. While every programmer knows to avoid dividing by zero, very few are aware that it is also illegal to divide INT_MIN by -1. The reason is obvious: on a two's complement system |INT_MIN| is one greater than INT_MAX, so the result of the operation simply cannot fit in an integer.

This little-known fact is almost guaranteed to crash any system that uses integer division on user-controlled values, as so few developers check for this unusual case.

$ ./a.out -2147483648 -1; echo $?
Floating point exception (core dumped)
136
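As an added example (not code from the original post), here is a guarded version of the division that rejects both the b == 0 case and the INT_MIN / -1 case described above; the remainder operator gets the same guard, because on IA32 it is computed by the same idiv instruction and traps identically even though the mathematical result is 0. The function names are mine.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>

/* Stores a / b in *q and returns true when the quotient is representable.
 * Returns false for the two inputs that raise #DE (SIGFPE) on IA32:
 * a zero divisor, and INT_MIN / -1, whose quotient 2147483648 exceeds INT_MAX. */
bool checked_div(int a, int b, int *q)
{
    if (b == 0)
        return false;
    if (a == INT_MIN && b == -1)
        return false;
    *q = a / b;
    return true;
}

/* Same guard for the remainder: INT_MIN % -1 is 0 mathematically, but the
 * idiv instruction computes quotient and remainder together and traps on
 * the overflowing quotient, so the check cannot be skipped here either. */
bool checked_mod(int a, int b, int *r)
{
    if (b == 0 || (a == INT_MIN && b == -1))
        return false;
    *r = a % b;
    return true;
}

/* Hardened equivalent of the puzzle's main(): takes the same two arguments
 * and returns 0 for any undefined division instead of crashing. */
int safe_main(int argc, char **argv)
{
    int a, b, q;

    if (argc != 3)
        return 1;

    a = atoi(argv[1]);
    b = atoi(argv[2]);

    if (!checked_div(a, b, &q))
        return 0;   /* same result the original gives for b == 0 */

    return q;
}
```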



Comments

Anonymous 21. December 2006, 20:52

Anonymous writes:

It's important to note that many interpreted languages do not seem to be vulnerable to this, and they support growing past those bounds with a seemingly transparent big integer implementation.

$ php


2147483648

Anonymous 23. December 2006, 08:53

Anonymous writes:

OMFG.

Kudos to you, didn't know that one.

Anonymous 23. December 2006, 11:40

Anonymous writes:

most dynamically typed languages aren't vulnerable like this

Anonymous 10. January 2007, 00:22

Schmurtz writes:

PowerPC code is not vulnerable: there's a convention where 0/0=0 and -2147483648/-1=0 (for the divw opcode at least)

Anonymous 22. February 2007, 19:35

Anonymous writes:

wouldn't this be the same case for INT_MIN*-1?
