This module implements a check for CWE-190: Integer overflow or wraparound.

An integer overflow can lead to undefined behavior and is especially dangerous in conjunction with memory management functions.

See https://cwe.mitre.org/data/definitions/190.html for a detailed description.

How the check works

For each call to a function from the CWE190 symbol list we check whether the basic block directly before the call contains a multiplication instruction. If one is found, the call gets flagged as a CWE hit, since there is no overflow check between the multiplication and the call and the Pointer Inference cannot exclude an overflow. The default CWE190 symbol list contains the memory allocation functions malloc, xmalloc, calloc and realloc. The list is configurable in config.json.

False Positives

  • There is no check whether the result of the multiplication is actually used as input to the function call. However, this does not seem to generate a lot of false positives in practice.
  • Values that are not absolute, e.g. user-controlled values or values that depend on other values.

False Negatives

  • All integer overflows not in a basic block right before a call to a function from the CWE190 symbol list.
  • All integer overflows caused by addition or subtraction.
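The following is an added example, not cwe_checker's own code, that reimplements the check described above over a toy intermediate representation and runs it on a constructed four-block program covering the true-positive case, the documented false positive (multiplication result not used by the call) and the documented false negative (addition instead of multiplication). The `Instr`, `Block`, `Config` and `CweHit` types and the `check_cwe190` function are assumptions made for this example; they are not the module's real items. The example assumes, as is usual for basic blocks, that a call terminates its block, so "the block directly before the call" is the block that contains the call.

```rust
use std::collections::HashSet;

/// Toy instruction set (an assumption for this example, not cwe_checker's IR).
#[allow(dead_code)]
#[derive(Debug, Clone, PartialEq)]
enum Instr {
    /// Integer multiplication `dst = a * b`.
    Mul { dst: &'static str, a: &'static str, b: &'static str },
    /// Integer addition `dst = a + b`; the check deliberately ignores it.
    Add { dst: &'static str, a: &'static str, b: &'static str },
    /// Load an immediate value into a register.
    Const { dst: &'static str, value: u64 },
    /// Call of an extern function by symbol name; terminates the block.
    Call { symbol: &'static str },
}

/// A basic block: straight-line instructions identified by their start address.
#[derive(Debug, Clone)]
struct Block {
    address: u64,
    instrs: Vec<Instr>,
}

/// Stand-in for the symbol list in config.json: extern function names whose
/// calls are inspected.
struct Config {
    symbols: Vec<&'static str>,
}

impl Default for Config {
    fn default() -> Self {
        Config { symbols: vec!["malloc", "xmalloc", "calloc", "realloc"] }
    }
}

/// One CWE-190 hit: which block was flagged and which symbol it calls.
#[derive(Debug, Clone, PartialEq, Eq)]
struct CweHit {
    block_address: u64,
    symbol: &'static str,
}

/// Flag every call to a configured symbol whose block contains a multiplication
/// before the call. No data-flow tracking is done, matching the description above.
fn check_cwe190(blocks: &[Block], config: &Config) -> Vec<CweHit> {
    let symbols: HashSet<&str> = config.symbols.iter().copied().collect();
    let mut hits = Vec::new();
    for block in blocks {
        for (idx, instr) in block.instrs.iter().enumerate() {
            let symbol = match instr {
                Instr::Call { symbol } => *symbol,
                _ => continue,
            };
            if !symbols.contains(symbol) {
                continue;
            }
            // Only instructions that precede the call inside this block count.
            let has_mul = block.instrs[..idx]
                .iter()
                .any(|i| matches!(i, Instr::Mul { .. }));
            if has_mul {
                hits.push(CweHit { block_address: block.address, symbol });
            }
        }
    }
    hits
}

/// Constructed sample program (four blocks) exercising the documented behaviour.
fn sample_program() -> Vec<Block> {
    vec![
        // n * 16 flows into malloc with no overflow check: true positive.
        Block { address: 0x1000, instrs: vec![
            Instr::Const { dst: "n", value: 0x1000_0000_0000_0001 },
            Instr::Const { dst: "sz", value: 16 },
            Instr::Mul { dst: "len", a: "n", b: "sz" },
            Instr::Call { symbol: "malloc" },
        ]},
        // Addition before malloc is not inspected: documented false negative.
        Block { address: 0x2000, instrs: vec![
            Instr::Const { dst: "n", value: u64::MAX },
            Instr::Const { dst: "sz", value: 16 },
            Instr::Add { dst: "len", a: "n", b: "sz" },
            Instr::Call { symbol: "malloc" },
        ]},
        // Multiplication whose result the call never uses: documented false positive.
        Block { address: 0x3000, instrs: vec![
            Instr::Mul { dst: "tmp", a: "x", b: "y" },
            Instr::Const { dst: "len", value: 64 },
            Instr::Call { symbol: "malloc" },
        ]},
        // Multiplication before a call that is not in the symbol list: not inspected.
        Block { address: 0x4000, instrs: vec![
            Instr::Mul { dst: "tmp", a: "x", b: "y" },
            Instr::Call { symbol: "printf" },
        ]},
    ]
}

fn main() {
    for hit in check_cwe190(&sample_program(), &Config::default()) {
        println!("CWE190 hit: call to {} in block {:#x}", hit.symbol, hit.block_address);
    }
}
```

Running it reports hits for blocks 0x1000 and 0x3000 only: the second of those is the false positive the list above warns about, while block 0x2000 shows the addition-based overflow the check cannot see.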

Structs

  • The configuration struct. The symbols are extern function names.

Statics

Functions

  • Run the CWE check. For each call to one of the symbols configured in config.json we check whether the block containing the call also contains a multiplication instruction.