CWE-823 使用越界的指针偏移

Use of Out-of-range Pointer Offset

结构: Simple

Abstraction: Base

状态: Incomplete

被利用可能性: unkown

基本描述

The program performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.

扩展描述

While a pointer can contain a reference to any arbitrary memory location, a program typically only intends to use the pointer to access limited portions of memory, such as contiguous memory used to access an individual array.

Programs may use offsets in order to access fields or sub-elements stored within structured data. The offset might be out-of-range if it comes from an untrusted source, is the result of an incorrect calculation, or occurs because of another error.

If an attacker can control or influence the offset so that it points outside of the intended boundaries of the structure, then the attacker may be able to read or write to memory locations that are used elsewhere in the program. As a result, the attack might change the state of the software as accessed through program variables, cause a crash or instable behavior, and possibly lead to code execution.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 119 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 119 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: CanPrecede cwe_CWE_ID: 125 cwe_View_ID: 1000

  • cwe_Nature: CanPrecede cwe_CWE_ID: 787 cwe_View_ID: 1000

常见的影响

范围 影响 注释
Confidentiality Read Memory If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.
Availability DoS: Crash, Exit, or Restart If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is "malformed" or larger than expected by a read or write operation, the application may terminate unexpectedly.
['Integrity', 'Confidentiality', 'Availability'] ['Execute Unauthorized Code or Commands', 'Modify Memory'] If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.

分析过的案例

标识 说明 链接
CVE-2010-2160 Invalid offset in undocumented opcode leads to memory corruption. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2160
CVE-2010-1281 Multimedia player uses untrusted value from a file when using file-pointer calculations. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1281
CVE-2009-3129 Spreadsheet program processes a record with an invalid size field, which is later used as an offset. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3129
CVE-2009-2694 Instant messaging library does not validate an offset value specified in a packet. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2694
CVE-2009-2687 Language interpreter does not properly handle invalid offsets in JPEG image, leading to out-of-bounds memory access and crash. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2687
CVE-2009-0690 negative offset leads to out-of-bounds read https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0690
CVE-2008-4114 untrusted offset in kernel https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4114
CVE-2010-2873 "blind trust" of an offset value while writing heap memory allows corruption of function pointer,leading to code execution https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2873
CVE-2010-2866 negative value (signed) causes pointer miscalculation https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2866
CVE-2010-2872 signed values cause incorrect pointer calculation https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2872
CVE-2007-5657 values used as pointer offsets https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5657
CVE-2010-2867 a return value from a function is sign-extended if the value is signed, then used as an offset for pointer arithmetic https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2867
CVE-2009-1097 portions of a GIF image used as offsets, causing corruption of an object pointer. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097
CVE-2008-1807 invalid numeric field leads to a free of arbitrary memory locations, then code execution. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1807
CVE-2007-2500 large number of elements leads to a free of an arbitrary address https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2500
CVE-2008-1686 array index issue (CWE-129) with negative offset, used to dereference a function pointer https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1686
CVE-2010-2878 "buffer seek" value - basically an offset? https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2878

Notes

Maintenance There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains. Terminology Many weaknesses related to pointer dereferences fall under the general term of "memory corruption" or "memory safety." As of September 2010, there is no commonly-used terminology that covers the lower-level variants. Research Gap Under-studied and probably under-reported as of September 2010. This weakness has been reported in high-visibility software, but applied vulnerability researchers have only been investigating it since approximately 2008, and there are only a few public reports. Few reports identify weaknesses at such a low level, which makes it more difficult to find and study real-world code examples.

相关攻击模式

  • CAPEC-129

引用