Insecure Compiler Optimization: Pointer Arithmetic

ABSTRACT

數組邊界檢查可能被錯誤地進行了優化。

EXPLANATION

如果數組邊界檢查涉及計算非法指針，然后確定該指針超出邊界，那么一些編譯器將優化檢查，假設程序員絕不會故意創建非法指針。

例：


char *buf;
int len;
  ...
len = 1<<30;

if (buf+len < buf)  //wrap check
[handle overflow]

運算 buf + len 大于 2^32，因此生成的值小于 buf。但由于指針上的運算溢出是 undefined behavior，因此一些編譯器將假設 buf + len >= buf，并優化封裝檢查。此優化的結果是，跟蹤此數據塊的代碼會產生 buffer overflow 漏洞。

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A5 Buffer Overflow

[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3590.1 CAT I

[3] Standards Mapping - Security Technical Implementation Guide Version 3.4 - (STIG 3.4) APP3590.1 CAT I

[4] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 733

[5] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.2

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.5

[7] Vulnerability Note VU#162289 CERT

Copyright 2013 Fortify Software - All rights reserved.
(Generated from version 2013.1.1.0008 of the Fortify Secure Coding Rulepacks)
desc.structural.cpp.insecure_compiler_optimization_pointer_arithmetic

这里只有精品视频