-
Notifications
You must be signed in to change notification settings - Fork 1.5k
/
IfStatementAdditionOverflow.qhelp
33 lines (32 loc) · 1.34 KB
/
IfStatementAdditionOverflow.qhelp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Detects <code>if (a+b>c) a=c-b</code>, which incorrectly implements
<code>a = min(a,c-b)</code> if <code>a+b</code> overflows.
</p>
<p>
Also detects variants such as <code>if (b+a>c) a=c-b</code> (swapped
terms in addition), <code>if (a+b>c) { a=c-b }</code> (assignment
inside block), <code>c<a+b</code> (swapped operands), and
<code>>=</code>, <code><</code>, <code><=</code> instead of
<code>></code> (all operators).
</p>
<p>
This integer overflow is the root cause of the buffer overflow in
the SHA-3 reference implementation (CVE-2022-37454).
</p>
</overview>
<recommendation>
<p>
Replace by <code>if (a>c-b) a=c-b</code>. This avoids the overflow
and makes it easy to see that <code>a = min(a,c-b)</code>.
</p>
</recommendation>
<references>
<li>CVE-2022-37454: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-37454">The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.</a></li>
<li>GitHub Advisory Database: <a href="https://github.com/advisories/GHSA-6w4m-2xhg-2658">CVE-2022-37454: Buffer overflow in sponge queue functions</a></li>
</references>
</qhelp>