Description
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Modes of Introduction:
– Architecture and Design
Likelihood of Exploit: High
Related Weaknesses
Consequences
Availability: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.
Integrity, Confidentiality, Availability, Access Control: Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Modify Memory
Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program’s implicit security policy. Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker’s code. Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory. For example, object methods in C++ are generally implemented using function pointers. Even in C programs, there is often a global offset table used by the underlying runtime.
Integrity, Confidentiality, Availability, Access Control, Other: Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Other
When the consequence is arbitrary code execution, this can often be used to subvert any other security service.
Potential Mitigations
Phase:
Description:
Pre-design: Use a language or compiler that performs automatic bounds checking.
Phase: Architecture and Design
Description:
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Phase: Build and Compilation
Description:
Pre-design through Build: Canary style bounds checking, library changes which ensure the validity of chunk data, and other such fixes are possible, but should not be relied upon.
Phase: Implementation
Description:
Implement and perform bounds checking on input.
Phase: Implementation
Description:
Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary.
Phase: Operation
Description:
Use OS-level preventative functionality. This is not a complete solution, but it provides some defense in depth.
CVE References
- CVE-2007-4268
- Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122)
- CVE-2009-2523
- Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122).
- CVE-2021-29529
- Chain: machine-learning product can have a heap-based
buffer overflow (CWE-122) when some integer-oriented bounds are
calculated by using ceiling() and floor() on floating point values
(CWE-1339)
- Chain: machine-learning product can have a heap-based
More Stories
The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them
Apache Tomcat is an open-source web server and servlet container that is widely used in enterprise environments to run Java...
ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows
Zero-day vulnerabilities are a serious threat to cybersecurity, as they can be exploited by malicious actors to gain unauthorized access...
CWE-669 – Incorrect Resource Transfer Between Spheres
Description The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere,...
CWE-67 – Improper Handling of Windows Device Names
Description The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a...
CWE-670 – Always-Incorrect Control Flow Implementation
Description The code contains a control flow path that does not reflect the algorithm that the path is intended to...
CWE-671 – Lack of Administrator Control over Security
Description The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect...