Buffer overflow

31.03.2013

Buffer overflow is an issue when a program is writing or reading data outside the buffer allocated in memory for this purpose. It usually occurs because of incorrect data and memory handling when the programming subsystem and operating system don't provide strict protection against this error. This type of errors is rather frequent and usually caused by misprints. There is also a related error - buffer underflow.

The Buffer Overflow and Buffer Underflow errors often cause uninitialized data to be used in the program and, as a consequence, its undefined behavior. Buffer overflow may also cause segmentation faults (Access Violation).

Since most high-level languages arrange program data in the process stack mixing them with control data, exploiting buffer overflows is one of the most popular hacking methods, as it allows an intruder to load and execute any machine code for the program and have the rights of the user account under which the program is running.

In such popular languages as C and C++ there is no integrated check of data reading/writing boundaries. This is a sacrifice for the efficient low-level memory handling. On the other hand, almost all the interpretive languages and JIT environments (Java RTE, .NET Framework) have an internal protection against buffer overflow.

To prevent using the buffer overflow vulnerability when executing a program there exist stack-smashing protection systems (Libsafe, StackGuard) and executable space protection systems. The difficulty of dynamic buffer overflow detection is determined by the fact that the program might work stably for a long time as long as uninitialized memory stores suitable values and the writable memory area is not used. Static analysis allows to find buffer overflow errors and related loopholes at the stage of code writing/debugging.

Here are several examples of this error detected in the code of real open-source projects with the PVS-Studio static analyzer.

The MAME project (game emulator). Buffer overflow.

#define CHD_SHA1_BYTES 20
#define CHD_V4_HEADER_SIZE 108
#define CHD_MAX_HEADER_SIZE CHD_V4_HEADER_SIZE

static chd_error header_read(...., chd_header *header)
{
  UINT8 rawheader[CHD_MAX_HEADER_SIZE];
  ...
  memcpy(header->parentsha1, &rawheader[100], CHD_SHA1_BYTES);
  ...
}

The 'rawheader' array consists of 108 bytes. The programmer intended to copy its contents starting with byte 100. The trouble is we will get outside the array boundaries: we're copying 20 bytes, while its only 8 bytes that can be copied.

Now consider an example of buffer underflow error. This is the Chromium project.

void Time::Explode(..., Exploded* exploded) const {
  ...
  ZeroMemory(exploded, sizeof(exploded));
  ...
}

The ZeroMemory function clears only a part of the Exploded structure. The reason is that the 'sizeof' operator returns the pointer size. We need to dereference the pointer to fix the error.

ZeroMemory(exploded, sizeof(*exploded));

Other samples of errors and vulnerabilities detected with the help of the static analysis methodology can be found here.

References