Description
An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result.
Specifying a value to be shifted by a negative amount is undefined in various languages. Various computer architectures implement this action in different ways. The compilers and interpreters when generating code to accomplish a shift generally do not do a check for this issue. Specifying an over-shift, a shift greater than or equal to the number of bits contained in a value to be shifted, produces a result which varies by architecture and compiler. In some languages, this action is specifically listed as producing an undefined result.
Potential Impact
Integrity
DoS: Crash, Exit, or Restart
Demonstrative Examples
unsigned int r = 1 << -5;int choose_bit(int reg_bit, int bit_number_from_elsewhere)
{
if (NEED_TO_SHIFT)
{
reg_bit -= bit_number_from_elsewhere;
}
return reg_bit;
}
unsigned int handle_io_register(unsigned int *r)
{
unsigned int the_bit = 1 << choose_bit(5, 10);
*r |= the_bit;
return the_bit;
}int choose_bit(int reg_bit, int bit_number_from_elsewhere)
{
if (NEED_TO_SHIFT)
{
reg_bit -= bit_number_from_elsewhere;
}
return reg_bit;
}
unsigned int handle_io_register(unsigned int *r)
{
int the_bit_number = choose_bit(5, 10);
if ((the_bit_number > 0) && (the_bit_number < 63))
{
unsigned int the_bit = 1 << the_bit_number;
*r |= the_bit;
}
return the_bit;
}Mitigations & Prevention
Implicitly or explicitly add checks and mitigation for negative or over-shift values.
Detection Methods
- Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2023-4720 | multimedia product performs a left shift with a negative value, leading to a crash |
| CVE-2009-4307 | An unexpected large value in the ext4 filesystem causes an overshift condition resulting in a divide by zero. |
| CVE-2012-2100 | An unexpected large value in the ext4 filesystem causes an overshift condition resulting in a divide by zero - fix of CVE-2009-4307. |
| CVE-2020-8835 | An overshift in a kernel allowed out of bounds reads and writes resulting in a root takeover. |
| CVE-2015-1607 | Program is not properly handling signed bitwise left-shifts causing an overlapping memcpy memory range error. |
| CVE-2016-9842 | Compression function improperly executes a signed left shift of a negative integer. |
| CVE-2018-18445 | Some kernels improperly handle right shifts of 32 bit numbers in a 64 bit register. |
| CVE-2013-4206 | Putty has an incorrectly sized shift value resulting in an overshift. |
| CVE-2018-20788 | LED driver overshifts under certain conditions resulting in a DoS. |
Related Weaknesses
Frequently Asked Questions
What is CWE-1335?
CWE-1335 (Incorrect Bitwise Shift of Integer) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result.
How can CWE-1335 be exploited?
Attackers can exploit CWE-1335 (Incorrect Bitwise Shift of Integer) to dos: crash, exit, or restart. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-1335?
Key mitigations include: Implicitly or explicitly add checks and mitigation for negative or over-shift values.
What is the severity of CWE-1335?
CWE-1335 is classified as a Base-level weakness (Medium abstraction). It has been observed in 9 real-world CVEs.