Buffer Under-read

Status: Draft
Abstraction: Variant
Structure: Simple

Description

The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.

Extended Description

This typically occurs when the pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used. This may result in exposure of sensitive information or possibly a crash.

Common Consequences

Scope: Confidentiality
Impact: Read Memory

Scope: Confidentiality
Impact: Bypass Protection Mechanism

By reading out-of-bounds memory, an attacker might be able to obtain secret values, such as memory addresses, which can bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service.

Demonstrative Examples

ID: DX-100

In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method.

Code Example (Bad, C):

// check that the array index is less than the maximum*
However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (Numeric Range Comparison Without Minimum Check). This allows a negative value to be accepted as the input array index, which results in reading data before the beginning of the buffer (Buffer Under-read) and may allow access to sensitive memory. The input array index should be checked to verify that it is within the maximum and minimum range required for the array (Improper Validation of Array Index). In this example the if statement should be modified to include a minimum range check, as shown below.

Code Example (Good, C):

// check that the array index is within the correct*
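The check described in DX-100 in both its vulnerable and corrected forms, as an added example that is not the CWE entry's own code; the function names and the sample buffer are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example (not the CWE entry's own code): the DX-100 check in its
 * vulnerable and corrected forms. Function names are chosen here. */

/* Vulnerable predicate: only the upper bound is compared, so a negative
 * index such as -1 passes (Numeric Range Comparison Without Minimum Check). */
bool index_ok_bad(int len, int index) {
    return index < len;
}

/* Corrected predicate: both the minimum (0) and the maximum (len) are
 * enforced (proper validation of the array index). */
bool index_ok_good(int len, int index) {
    return index >= 0 && index < len;
}

/* Vulnerable lookup: with index_ok_bad, a negative index reaches
 * array[index], which reads memory before the buffer (the under-read)
 * and is undefined behaviour in C. */
int getValueFromArray_bad(const int *array, int len, int index) {
    if (index_ok_bad(len, index)) {
        return array[index];
    }
    return -1; /* error marker, indistinguishable from a stored -1 */
}

/* Corrected lookup: the index is rejected before any access, and the
 * status is returned separately from the data so errors are unambiguous. */
bool getValueFromArray_good(const int *array, int len, int index, int *out) {
    if (!index_ok_good(len, index)) {
        return false;
    }
    *out = array[index];
    return true;
}

int main(void) {
    int data[4] = {10, 20, 30, 40}; /* constructed sample buffer */
    int v = 0;
    /* Only the acceptance decision is shown for the bad check; the
     * out-of-bounds read itself is undefined behaviour and is not run. */
    printf("index -1 accepted by bad check:  %d\n", index_ok_bad(4, -1));
    printf("index -1 accepted by good check: %d\n", index_ok_good(4, -1));
    printf("good lookup at 2  -> ok=%d value=%d\n",
           getValueFromArray_good(data, 4, 2, &v), v);
    printf("good lookup at -1 -> ok=%d\n", getValueFromArray_good(data, 4, -1, &v));
    return 0;
}
```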
Observed Examples

CVE-2021-40985: HTML conversion package has a buffer under-read, allowing a crash
References

REF-1034: Raoul Strackx, Yves Younan, Pieter Philippaerts, Frank Piessens, Sven Lachmund, and Thomas Walter. "Breaking the memory secrecy assumption". ACM, 31-03-2009.
REF-1035: Fermin J. Serna. "The info leak era on software exploitation". 25-07-2012.
REF-44: Michael Howard, David LeBlanc, and John Viega. "24 Deadly Sins of Software Security". McGraw-Hill, 2010.
Applicable Platforms

Languages:
C: Undetermined
C++: Undetermined
Modes of Introduction
Implementation
Functional Areas
  1. Memory Management
Affected Resources
  1. Memory
Taxonomy Mapping
  • PLOVER
  • Software Fault Patterns
Notes

Research Gap: Under-studied.