[C-safe-secure-studygroup] On MISRA C:2012 Rule 12.4 - unsigned integer wraparound in constant expressions

Robert Seacord rcseacord at gmail.com
Tue Dec 11 18:05:53 GMT 2018


Unsigned integer wraparound is a major security issue, and presumably a
safety issue as well.  Not having a rule against unsigned integer
wraparound in general is a major shortcoming of MISRA. An unsigned integer
wraparound rule is already present in TS 17961.

rCs

On Tue, Dec 11, 2018 at 12:09 PM Fulvio Baccaglini <fbaccaglini at perforce.com>
wrote:

> Hi,
>
> Here is my understanding/interpretation of some points raised about Rule
> 12.4 during the teleconference of 28th Nov.
>
> Rule 12.4 "Evaluation of constant expressions should not lead to unsigned
> integer wrap-around".
>
> For security purposes this Rule would need to be classified at a higher
> level than "Advisory", because it may result in incorrect indexing, for
> instance in situations where memcpy is used.
>
> Would unsigned integer wrap-around result in a constraint violation in
> C18, when occurring in a constant expression and/or in a constant
> sub-expression?
>
> The relevant C18 paragraph has not changed from C99 (the version on which
> Rule 12.4 is based):
>
> [C18-6.6.4] Constant expressions - Constraints: "Each constant expression
> shall evaluate to a constant that is in the range of representable values
> for its type."
>
> In the case of a right-shift operation for instance:
>
> [C18-6.5.7] "... the value of the result is ... reduced modulo one more
> than the maximum value representable in the result type."
>
> This indicates that the value of the result is in range and the constraint
> violation does not apply.
>
> There is no distinction in the semantics of the operation during and after
> preprocessing, the distinction is that the type of a constant is determined
> implicitly, after which the usual arithmetic conversions apply in the same
> way.
>
> [C18-6.4.4-3] Constants: "Each constant has a type, determined by its form
> and value ..."
>
> Some tests were run on different compilers, to assess their response to
> combinations of:
>
> - left-shifting a constant value to higher bits and then performing a
> bitwise AND to preserve lower bits only
> - array indexing
> - constant expressions versus invariant expressions composed from const
> objects
> - wrap-around and invariancy arising in expressions versus sub-expressions
>
> In certain cases inconsistencies in the diagnostics were noted.
>
> Fulvio
>
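The point both messages turn on, as an added illustration (this code is not from either author, the study group or MISRA): unsigned wrap-around in a constant expression is well-defined in C, the result is reduced modulo UINT_MAX + 1 and so always lies in range, which is exactly why it escapes the C18 6.6.4 constraint and why compilers accept it without a diagnostic. The constants HEADER_LEN and TOTAL_LEN are hypothetical protocol sizes chosen so that a length computed from them wraps; the NO_WRAP_* macros are an assumed build-time guard, not part of any standard or tool. The example also covers the const-object case raised in the list of tests: an expression built from const objects is not a constant expression in C, so it cannot be checked by _Static_assert and needs the runtime guard instead.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unsigned wrap-around in constant expressions: each result is reduced modulo
 * UINT_MAX + 1, so it is in range for its type and is NOT a constraint
 * violation under C18 6.6.4.  Compilers therefore accept these silently. */
#define TOP_BIT   (UINT_MAX / 2u + 1u)   /* highest bit, e.g. 0x80000000u for 32-bit unsigned */
#define WRAP_SHL  (TOP_BIT << 1)         /* top bit shifted out: result is 0 */
#define WRAP_ADD  (UINT_MAX + 1u)        /* wraps to 0 */
#define WRAP_SUB  (0u - 1u)              /* wraps to UINT_MAX */

/* Hypothetical (constructed) protocol constants: a misconfigured total that is
 * smaller than the fixed header, so the body length silently wraps. */
#define HEADER_LEN 24u
#define TOTAL_LEN  16u
#define BODY_LEN   (TOTAL_LEN - HEADER_LEN)   /* wraps to UINT_MAX - 7 */

/* Assumed build-time guards.  None of them wraps internally, so they are
 * themselves constraint-clean and usable inside _Static_assert. */
#define NO_WRAP_ADD(a, b) ((a) <= UINT_MAX - (b))
#define NO_WRAP_SUB(a, b) ((a) >= (b))
#define NO_WRAP_MUL(a, b) ((b) == 0u || (a) <= UINT_MAX / (b))
#define NO_WRAP_SHL(a, n) ((n) < (unsigned)(CHAR_BIT * sizeof(unsigned)) && \
                           (a) <= (UINT_MAX >> (n)))

/* The guards evaluate in constant expressions: these assertions document that
 * the wrap is detectable at compile time, even though the compiler itself is
 * not required to diagnose it.  In production code the guard would be written
 * as _Static_assert(NO_WRAP_SUB(TOTAL_LEN, HEADER_LEN), "...") and the build
 * would fail; here the negated form keeps the example compiling. */
_Static_assert(!NO_WRAP_SUB(TOTAL_LEN, HEADER_LEN), "guard detects the wrapped BODY_LEN");
_Static_assert(!NO_WRAP_SHL(TOP_BIT, 1), "guard detects the shifted-out top bit");
_Static_assert(NO_WRAP_ADD(HEADER_LEN, 8u), "sane header arithmetic passes the guard");

/* Accessors so the wrapped values can be observed at run time. */
unsigned wrap_shl_value(void) { return WRAP_SHL; }
unsigned wrap_add_value(void) { return WRAP_ADD; }
unsigned wrap_sub_value(void) { return WRAP_SUB; }
unsigned body_len_value(void) { return BODY_LEN; }

/* Runtime counterpart for operands that are not constant expressions (values
 * read from a packet, or "invariant" expressions over const objects, which C
 * does not treat as constant expressions).  Returns 1 and stores the length,
 * or returns 0 and leaves *out untouched when the subtraction would wrap. */
int checked_body_len(unsigned total, unsigned header, unsigned *out)
{
    if (!NO_WRAP_SUB(total, header))
        return 0;
    *out = total - header;
    return 1;
}

/* The consequence the thread mentions: a wrapped length handed to memcpy.
 * This version refuses both the wrapped length and any length that does not
 * fit the destination, returning -1; otherwise it copies and returns the
 * number of bytes copied. */
int copy_body(unsigned char *dst, size_t dst_cap,
              const unsigned char *pkt, unsigned total, unsigned header)
{
    unsigned body;
    if (!checked_body_len(total, header, &body) || body > dst_cap)
        return -1;
    memcpy(dst, pkt + header, body);
    return (int)body;
}

int main(void)
{
    unsigned char pkt[64] = {0};   /* constructed packet buffer, all zero */
    unsigned char dst[64];

    printf("TOP_BIT << 1   = %u\n", wrap_shl_value());
    printf("UINT_MAX + 1u  = %u\n", wrap_add_value());
    printf("0u - 1u        = %u\n", wrap_sub_value());
    printf("BODY_LEN       = %u (what memcpy would be asked to copy)\n", body_len_value());
    printf("wrapped length : copy_body returned %d\n",
           copy_body(dst, sizeof dst, pkt, TOTAL_LEN, HEADER_LEN));
    printf("sane lengths   : copy_body returned %d\n",
           copy_body(dst, sizeof dst, pkt, 40u, HEADER_LEN));
    return 0;
}
```

Compile with -Wall -Wextra and note that none of the WRAP_* definitions draws a warning, which is the gap the rule is meant to close; the only place the wrap becomes visible is the guard, whether at build time through _Static_assert for true constant expressions or at run time through checked_body_len for everything else.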