Uninformed: Informative Information for the Uninformed

Vol 6» 2007.Jan

Integer Overflows in Size Calculations

A potential source of mistakes that could be made when processing relocations has to do with the handling of the SizeOfBlock attribute of a relocation block. There is a potential for an integer overflow to occur in applications that don't properly handle situations where the SizeOfBlock attribute is less than the size of the base relocation structure (which is 8 bytes). In order to calculate the total number of fixups in a section, it's common to see a calculation like (Block->SizeOfBlock - 8) / 2. However, if a check isn't made to ensure that SizeOfBlock is at least 8, an integer overflow will occur. If this happens, the application processing relocations would be tricked into processing a very large number of relocations. An example of a test for this issue is shown below:

static VOID TestIntegerOverflow(
      __in PPE_IMAGE Image,
      __in PRELOC_FUZZ_CONTEXT FuzzContext)
   PRELOCATION_BLOCK_CONTEXT EvilBlock = AllocateRelocationBlockContext(0);

   EvilBlock->SizeOfBlock = 0;
   EvilBlock->Rva         = 0x1000;


In this example, a relocation block is created that has its SizeOfBlock attribute set to zero. This is invalid because the minimum size of a block is 8 bytes. The results of this test against different applications are shown below:

Application Results

Does not perform appropriate checks which appears to result in an integer overflow:

(9d4.6dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00014008 ecx=00011000 edx=80010000 esi=00015000 edi=ffffffff
eip=7c91e163 esp=0013fa98 ebp=0013faac iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
7c91e163 0fb706          movzx   eax,word ptr [esi] ds:0023:00015000=????

Ignores the relocation block, but may not process relocations correctly as a result (unclear at this point).

Refuses to show relocations:

Microsoft (R) COFF/PE Dumper Version 8.00.50727.42
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file foo.exe




        1000 .data
        1000 .rdata
        1000 .reloc
        1000 .text