Incorrect Bitwise Shift of Integer

Draft Base

Structure: Simple

Description

An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result.

Extended Description

Specifying a value to be shifted by a negative amount is undefined in various languages. Various computer architectures implement this action in different ways. The compilers and interpreters when generating code to accomplish a shift generally do not do a check for this issue. Specifying an over-shift, a shift greater than or equal to the number of bits contained in a value to be shifted, produces a result which varies by architecture and compiler. In some languages, this action is specifically listed as producing an undefined result.

Common Consequences 1

Scope: Integrity

Impact: DoS: Crash, Exit, or Restart

Potential Mitigations 1

Phase: Implementation

Implicitly or explicitly add checks and mitigation for negative or over-shift values.

Demonstrative Examples 1

A negative shift amount for an x86 or x86_64 shift instruction will produce the number of bits to be shifted by taking a 2's-complement of the shift amount and effectively masking that amount to the lowest 6 bits for a 64 bit shift instruction.

Code Example:

Bad

unsigned int r = 1 << -5;

The example above ends up with a shift amount of -5. The hexadecimal value is FFFFFFFFFFFFFFFD which, when bits above the 6th bit are masked off, the shift amount becomes a binary shift value of 111101 which is 61 decimal. A shift of 61 produces a very different result than -5. The previous example is a very simple version of the following code which is probably more realistic of what happens in a real system.

Code Example:

Bad

int choose_bit(int reg_bit, int bit_number_from_elsewhere) {

Code Example:

Good

int choose_bit(int reg_bit, int bit_number_from_elsewhere) {

Note that the good example not only checks for negative shifts and disallows them, but it also checks for over-shifts. No bit operation is done if the shift is out of bounds. Depending on the program, perhaps an error message should be logged.

Observed Examples 8

CVE-2009-4307An unexpected large value in the ext4 filesystem causes an overshift condition resulting in a divide by zero.

CVE-2012-2100An unexpected large value in the ext4 filesystem causes an overshift condition resulting in a divide by zero - fix of CVE-2009-4307.

CVE-2020-8835An overshift in a kernel allowed out of bounds reads and writes resulting in a root takeover.

CVE-2015-1607Program is not properly handling signed bitwise left-shifts causing an overlapping memcpy memory range error.

CVE-2016-9842Compression function improperly executes a signed left shift of a negative integer.

CVE-2018-18445Some kernels improperly handle right shifts of 32 bit numbers in a 64 bit register.

CVE-2013-4206Putty has an incorrectly sized shift value resulting in an overshift.

CVE-2018-20788LED driver overshifts under certain conditions resulting in a DoS.

Applicable Platforms

Languages:

C : UndeterminedC++ : UndeterminedC# : UndeterminedJava : UndeterminedJavaScript : Undetermined

Technologies:

Not Technology-Specific : Undetermined

Modes of Introduction

Implementation

Related Weaknesses

ChildOf:

Incorrect Calculation (CWE-682)