1. Integer overflow
Integer representation
Original code (sign-magnitude), inverse code (ones' complement) and complement code (two's complement):
For a positive number, the original code, inverse code and complement code are all the number itself. For a negative number, the original code is the number itself with the sign bit set, the inverse code inverts every bit of the original code except the sign bit, and the complement code is the inverse code plus 1.
CF is the unsigned overflow (carry) flag and OF is the signed overflow flag. For signed addition or subtraction, CF=1 is meaningless and says nothing about whether the result is correct: OF=1 means the signed result overflowed and is wrong, OF=0 means it is correct. CF plays no part in this; CF=1 or CF=0 does not affect the signed result.
This shows that different pointer types give the same number different "interpretations".
Examples
- Type conversion leads to overflow.
- Failing to check the upper bound.
- Overflow leads to an infinite loop.
- Two's complement range problem: negating the most negative value returns the value itself.
- May cause a buffer overflow.
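The five cases above, reproduced in one added C example (not code from the original notes). Each case is a small function whose return value shows the defect, with the corrected check beside it where one applies; the limits and buffer sizes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 1. Type conversion: a negative int converted to size_t becomes a huge value. */
size_t as_size(int len) {
    return (size_t)len;               /* as_size(-1) == SIZE_MAX */
}

/* 2. Upper bound only: a negative length passes this check, and the later
 *    conversion to size_t turns it into an enormous copy length.
 *    Returns 1 if the length would be accepted. */
int accepts_upper_only(int len, size_t dst_size) {
    return len <= (int)dst_size;
}

/* Corrected check: reject negatives before comparing against the buffer size. */
int accepts_both_bounds(int len, size_t dst_size) {
    return len >= 0 && (size_t)len <= dst_size;
}

/* 3. Infinite loop: an 8-bit counter can never exceed 255, so `i <= 255`
 *    is always true and i wraps back to 0. Returns 1 if the loop ends
 *    within `cap` iterations, 0 if we had to give up. */
int loop_terminates(unsigned limit, unsigned long cap) {
    unsigned char i = 0;
    unsigned long steps = 0;
    while (i <= limit) {
        if (++steps > cap)
            return 0;                 /* the loop never ends */
        i++;                          /* 255 + 1 wraps to 0 */
    }
    return 1;
}

/* 4. Two's complement range: the most negative value has no positive
 *    counterpart, so negating it yields itself. Computed in unsigned
 *    arithmetic because -INT32_MIN in signed arithmetic is undefined
 *    behaviour in C; the conversion back to int32_t is implementation-
 *    defined and wraps on gcc and clang. */
int32_t wrapping_negate(int32_t x) {
    return (int32_t)(0u - (uint32_t)x);
}

/* 5. Overflow leading to a buffer overflow: count * elem_size wrapping to a
 *    small number makes an allocation far smaller than the data written
 *    into it. Returns the product, or 0 if it would wrap (0 is also
 *    returned for a genuinely zero-sized request, which callers reject too). */
size_t checked_alloc_size(size_t count, size_t elem_size) {
    if (count != 0 && elem_size > SIZE_MAX / count)
        return 0;                     /* product would wrap */
    return count * elem_size;
}

int main(void) {
    printf("(size_t)-1 = %zu\n", as_size(-1));
    printf("upper-bound-only check accepts -1: %d\n", accepts_upper_only(-1, 16));
    printf("both-bounds check accepts -1: %d\n", accepts_both_bounds(-1, 16));
    printf("loop with limit 255 terminates: %d\n", loop_terminates(255, 100000));
    printf("wrapping_negate(INT32_MIN) == INT32_MIN: %d\n",
           wrapping_negate(INT32_MIN) == INT32_MIN);
    printf("checked_alloc_size(SIZE_MAX, 2) = %zu\n", checked_alloc_size(SIZE_MAX, 2));
    return 0;
}
```

Case 2 is the one that most often turns into case 5: a length that passes an upper-bound-only check is later handed to memcpy or malloc as a size_t, where -1 has become SIZE_MAX.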
Protection
- IntScope
- IntPatch detects and fixes subsequent buffer overflows
2. Format string vulnerability
When the stack grows from high to low addresses, the push order is: actual arguments (from right to left), return address RA, saved EBP, then local variables (in order). For printf, the address of the format string occupies the first argument slot (arg1 in the figure), followed by the remaining actual arguments.
printf() then walks the stack starting just after the format argument, displaying one argument for each % conversion in the format string and advancing one word (4 bytes) each time.
With the input "hello world", printing is normal; but if the string to be printed happens to contain conversion characters such as "%d" or "%x", printf takes a value from the stack as though it were the argument for that conversion.
No argument was actually passed after the format string, but printf believes there is one, so it prints the 4 bytes at the current stack position (the next higher address) as %x. With a specific design, memory contents at specific locations can be printed.
With %s, memory of arbitrary length can be read (from the low byte to the high byte).
What if it is %n?
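An added C example for the mechanism described above (not code from the original notes): it counts how many argument slots a string would make printf consume, shows the fixed-format call that keeps user text as data, and escapes '%' for text that must survive being passed to a printf-style API. The sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Count the conversion specifiers in fmt. printf consumes one argument slot
 * from the stack for each of them (one 4-byte word on 32-bit x86) whether or
 * not a matching argument was pushed; "%%" is a literal and consumes none. */
int count_conversions(const char *fmt) {
    int n = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {            /* "%%" prints a single '%' */
            p++;
            continue;
        }
        if (p[1] == '\0')
            break;                    /* lone '%' at the end: nothing to consume */
        n++;
    }
    return n;
}

/* Vulnerable pattern (shown in a comment, not compiled):
 *     printf(user_text);            // any "%x" in user_text reads a stack word
 * Hardened form: a fixed format, with the user text passed as data. */
void log_fixed(const char *user_text) {
    printf("%s\n", user_text);
}

/* Defensive check before text reaches any printf-style API as a format:
 * reject it if it contains any conversion. Returns 1 if safe. */
int safe_as_format(const char *text) {
    return count_conversions(text) == 0;
}

/* Double every '%' so the text stays literal even if it is later (wrongly)
 * used as a format string. Returns bytes written, or -1 if out is too small. */
long escape_percent(const char *in, char *out, size_t out_size) {
    size_t o = 0;
    if (out_size == 0)
        return -1;
    for (; *in != '\0'; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (o + need + 1 > out_size)  /* +1 keeps room for the NUL */
            return -1;
        out[o++] = *in;
        if (*in == '%')
            out[o++] = '%';
    }
    out[o] = '\0';
    return (long)o;
}

/* Helper: does escape_percent(in) produce exactly `expected`? */
int escapes_to(const char *in, const char *expected) {
    char buf[64];
    return escape_percent(in, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int main(void) {
    const char *benign  = "hello world";       /* constructed sample inputs */
    const char *hostile = "%x %x %x %n";
    printf("\"%s\" -> %d conversions\n", benign, count_conversions(benign));
    printf("\"%s\" -> %d conversions\n", hostile, count_conversions(hostile));
    log_fixed(hostile);                        /* printed literally, no stack read */
    return 0;
}
```

The count is the detection signal: "hello world" needs zero stack words, while "%x %x %x %n" would make printf read four words that were never pushed. Compilers flag the vulnerable pattern with -Wformat-security, which is the cheapest mitigation to enable.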
3. Array out-of-bounds access vulnerability
Overflow and out-of-bounds access are not exactly the same thing: array out-of-bounds access covers two situations, reads and writes, whereas overflow vulnerabilities are out-of-bounds writes.
Some overflow vulnerabilities are, in essence, array out-of-bounds accesses.
How it arises
Example
**CVE-2014-0160 "OpenSSL Array Out-of-Bounds Access Vulnerability" (Heartbleed)**
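An added C example of the bug class behind Heartbleed, not OpenSSL's own code: the record layout (type byte, 2-byte claimed payload length, payload) is a constructed simplification of the real TLS heartbeat message, and the records are constructed test data. The unchecked version trusts the claimed length; the hardened version checks it against what was actually received.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout for this example: byte 0 = type,
 * bytes 1-2 = claimed payload length (big-endian), then the payload.
 * The receiver echoes the payload back. */
#define HDR_LEN 3

/* Vulnerable: trusts the claimed length. If the peer claims 65535 bytes but
 * sent 5, memcpy reads far past the record and the reply carries whatever
 * adjacent memory held. Shown for contrast only; never called here. */
size_t echo_unchecked(const uint8_t *rec, uint8_t *out) {
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + HDR_LEN, claimed);      /* out-of-bounds read */
    return claimed;
}

/* Hardened: the claimed length must fit inside what was actually received,
 * and the reply must fit in the output buffer. Returns bytes echoed, or -1. */
long echo_checked(const uint8_t *rec, size_t rec_len,
                  uint8_t *out, size_t out_size) {
    if (rec_len < HDR_LEN)
        return -1;                            /* header incomplete */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - HDR_LEN)
        return -1;                            /* claimed length exceeds the record */
    if (claimed > out_size)
        return -1;                            /* would overflow our own buffer */
    memcpy(out, rec + HDR_LEN, claimed);
    return (long)claimed;
}

/* Constructed records: an honest one, one that claims 65535 bytes but
 * carries 5, and one cut off inside the header. */
static const uint8_t honest_rec[] = { 1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t lying_rec[]  = { 1, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t truncated[]  = { 1, 0x00 };

/* Run echo_checked on a record; returns the echoed length or -1. */
long echo_len(const uint8_t *rec, size_t rec_len) {
    uint8_t out[64];
    return echo_checked(rec, rec_len, out, sizeof out);
}

/* Does the echoed payload equal `expected`? */
int echo_matches(const uint8_t *rec, size_t rec_len, const char *expected) {
    uint8_t out[64];
    long n = echo_checked(rec, rec_len, out, sizeof out);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(out, expected, (size_t)n) == 0;
}

int main(void) {
    printf("honest record: %ld bytes echoed\n", echo_len(honest_rec, sizeof honest_rec));
    printf("lying record:  %ld (rejected)\n", echo_len(lying_rec, sizeof lying_rec));
    printf("truncated:     %ld (rejected)\n", echo_len(truncated, sizeof truncated));
    return 0;
}
```

The decisive line is `claimed > rec_len - HDR_LEN`: an attacker-supplied length field must always be compared with the number of bytes that actually arrived, never trusted on its own.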