An integer value is specified to be shifted by a negative amount, or by an amount greater than or equal to the number of bits contained in the value, causing an unexpected or indeterminate result.
Specifying a value to be shifted by a negative amount is undefined in various languages, and different computer architectures implement this action in different ways. Compilers and interpreters generally do not check for this issue when generating code for a shift. Specifying an over-shift, a shift greater than or equal to the number of bits contained in the value to be shifted, produces a result that varies by architecture and compiler. In some languages, this action is specifically listed as producing an undefined result.
Threat Mapped score: 0.0
Industry: Financial
Threat priority: Unclassified
CVE | Description |
---|---|
CVE-2009-4307 | An unexpected large value in the ext4 filesystem causes an overshift condition resulting in a divide by zero. |
CVE-2012-2100 | An unexpected large value in the ext4 filesystem causes an overshift condition resulting in a divide by zero; fix of CVE-2009-4307. |
CVE-2020-8835 | An overshift in a kernel allowed out-of-bounds reads and writes resulting in a root takeover. |
CVE-2015-1607 | Program does not properly handle signed bitwise left-shifts, causing an overlapping memcpy memory range error. |
CVE-2016-9842 | Compression function improperly executes a signed left shift of a negative integer. |
CVE-2018-18445 | Some kernels improperly handle right shifts of 32-bit numbers in a 64-bit register. |
CVE-2013-4206 | PuTTY has an incorrectly sized shift value resulting in an overshift. |
CVE-2018-20788 | LED driver overshifts under certain conditions resulting in a DoS. |
Phase | Note |
---|---|
Implementation | Adding shifts without properly verifying the size and sign of the shift amount. |
A negative shift amount for an x86 or x86_64 shift instruction will produce the number of bits to be shifted by taking the 2's-complement of the shift amount and effectively masking that amount to the lowest 6 bits for a 64-bit shift instruction.

```c
unsigned int r = 1 << -5;
```

The example above ends up with a shift amount of -5. The hexadecimal value is FFFFFFFFFFFFFFFD which, when bits above the 6th bit are masked off, becomes a binary shift value of 111101, which is 61 decimal. A shift of 61 produces a very different result than -5. The previous example is a very simple version of the following code, which is probably more realistic of what happens in a real system.
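The check the Implementation note calls for, as an added example that is not part of the CWE entry: a left shift that validates the sign and size of the amount against the operand width before shifting, next to a helper that reproduces the x86-64 low-6-bit masking described above so the silently substituted count can be seen. Function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

/* What a 64-bit x86 shift instruction does with an out-of-range count: the
 * hardware keeps only the low 6 bits, so a negative or over-wide amount
 * silently becomes a count in 0..63 (this is not what C promises). */
unsigned effective_count_x86_64(int amount)
{
    return (unsigned)((uint64_t)(int64_t)amount & 0x3Fu);
}

/* Hardened left shift: rejects any amount that is negative or not smaller
 * than the operand width, instead of letting undefined behaviour (and then
 * the hardware mask) decide. Returns false on rejection; *out is untouched. */
bool checked_shl_u32(uint32_t value, int amount, uint32_t *out)
{
    const int width = (int)(sizeof(value) * CHAR_BIT);   /* 32 */
    if (amount < 0 || amount >= width) {
        return false;
    }
    *out = value << amount;
    return true;
}

/* Convenience wrapper: same check, but yields a caller-chosen fallback
 * instead of a status flag. */
uint32_t shl_u32_or(uint32_t value, int amount, uint32_t fallback)
{
    uint32_t r;
    return checked_shl_u32(value, amount, &r) ? r : fallback;
}

int main(void)
{
    const int amounts[] = { 5, 31, -5, 32, 70 };   /* constructed inputs */
    for (size_t i = 0; i < sizeof amounts / sizeof amounts[0]; i++) {
        uint32_t r;
        if (checked_shl_u32(1u, amounts[i], &r))
            printf("1 << %d = 0x%08x\n", amounts[i], (unsigned)r);
        else
            printf("1 << %d rejected (x86-64 would silently use a count of %u)\n",
                   amounts[i], effective_count_x86_64(amounts[i]));
    }
    return 0;
}
```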