CWE-823

Nome

Use of Out-of-range Pointer Offset

Stato

Incomplete

Pubblicato

2010-09-27
00h00 +00:00

Modificato

2025-12-11
00h00 +00:00

Link ufficiali

CWE Mitre.org

Notifiche per un CWE specifico

Rimani informato su qualsiasi modifica relativa a un CWE specifico.

Gestione notifiche

Avvisi personalizzati

Attiva i tuoi avvisi personalizzati!

Per attivare i tuoi avvisi, è sufficiente essere connessi al proprio account gratuito. Se non hai ancora effettuato l'accesso, scegli una delle opzioni seguenti.

Accedi al tuo account Crea un account gratuito

Notifiche per un CWE specifico

Rimani informato su qualsiasi modifica relativa a un CWE specifico.

Parametri

È possibile specificare un titolo che verrà riportato negli avvisi inviati.

Specifica l'ID CWE che desideri monitorare.

Pianificazione

Mese

Calcolo della prossima esecuzione

Giorno

Giorno della settimana

Ora

Minuto

Data di creazione

Ultima esecuzione

Prossima esecuzione

Nome: Use of Out-of-range Pointer Offset

The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.

General Informations

Modes Of Introduction

Implementation

Piattaforme applicabili

Linguaggio

Class: Memory-Unsafe (Undetermined)
Name: C (Undetermined)
Name: C++ (Undetermined)

Conseguenze comuni

Ambito	Impatto	Probabilità
Confidentiality	Read Memory Note: If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.
Availability	DoS: Crash, Exit, or Restart Note: If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is "malformed" or larger than expected by a read or write operation, the application may terminate unexpectedly.
Integrity Confidentiality Availability	Execute Unauthorized Code or Commands, Modify Memory Note: If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.

Esempi osservati

Riferimenti	Descrizione
CVE-2010-2160	Invalid offset in undocumented opcode leads to memory corruption.
CVE-2010-1281	Multimedia player uses untrusted value from a file when using file-pointer calculations.
CVE-2009-3129	Spreadsheet program processes a record with an invalid size field, which is later used as an offset.
CVE-2009-2694	Instant messaging library does not validate an offset value specified in a packet.
CVE-2009-2687	Language interpreter does not properly handle invalid offsets in JPEG image, leading to out-of-bounds memory access and crash.
CVE-2009-0690	negative offset leads to out-of-bounds read
CVE-2008-4114	untrusted offset in kernel
CVE-2010-2873	"blind trust" of an offset value while writing heap memory allows corruption of function pointer,leading to code execution
CVE-2010-2866	negative value (signed) causes pointer miscalculation
CVE-2010-2872	signed values cause incorrect pointer calculation
CVE-2007-5657	values used as pointer offsets
CVE-2010-2867	a return value from a function is sign-extended if the value is signed, then used as an offset for pointer arithmetic
CVE-2009-1097	portions of a GIF image used as offsets, causing corruption of an object pointer.
CVE-2008-1807	invalid numeric field leads to a free of arbitrary memory locations, then code execution.
CVE-2007-2500	large number of elements leads to a free of an arbitrary address
CVE-2008-1686	array index issue (CWE-129) with negative offset, used to dereference a function pointer
CVE-2010-2878	"buffer seek" value - basically an offset?

Detection Methods

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness : High

Automated Dynamic Analysis

Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].
Effectiveness : Moderate

Note sulla mappatura delle vulnerabilità

Giustificazione : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commento : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Pattern di attacco correlati

CAPEC-ID	Nome del pattern di attacco
CAPEC-129	Pointer Manipulation This attack pattern involves an adversary manipulating a pointer within a target application resulting in the application accessing an unintended memory location. This can result in the crashing of the application or, for certain pointer values, access to data that would not normally be possible or the execution of arbitrary code. Since pointers are simply integer variables, Integer Attacks may often be used in Pointer Attacks.

Note

There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.
Many weaknesses related to pointer dereferences fall under the general term of "memory corruption" or "memory safety." As of September 2010, there is no commonly-used terminology that covers the lower-level variants.

Riferimenti

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

REF-1518

AddressSanitizer
https://clang.llvm.org/docs/AddressSanitizer.html

Invio

Nome	Organizzazione	Data	Data di rilascio	Version
CWE Content Team	MITRE	2010-09-22 +00:00	2010-09-27 +00:00	1.10

Modifiche

Nome	Organizzazione	Data	Commento
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences
CWE Content Team	MITRE	2012-05-11 +00:00	updated References
CWE Content Team	MITRE	2019-06-20 +00:00	updated Related_Attack_Patterns
CWE Content Team	MITRE	2020-02-24 +00:00	updated Relationships
CWE Content Team	MITRE	2020-08-20 +00:00	updated Relationships
CWE Content Team	MITRE	2020-12-10 +00:00	updated Relationships
CWE Content Team	MITRE	2022-04-28 +00:00	updated Research_Gaps
CWE Content Team	MITRE	2023-01-31 +00:00	updated Description
CWE Content Team	MITRE	2023-04-27 +00:00	updated Detection_Factors, Relationships
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes
CWE Content Team	MITRE	2025-09-09 +00:00	updated Affected_Resources, Functional_Areas
CWE Content Team	MITRE	2025-12-11 +00:00	updated Applicable_Platforms, Detection_Factors, References, Time_of_Introduction, Weakness_Ordinalities

CWE-823 Detail