Buffer Under-read

Draft Variant
Structure: Simple
Description

A buffer under-read occurs when a program attempts to read data from a memory location positioned before the start of an allocated buffer.

Extended Description

This vulnerability typically happens due to incorrect pointer arithmetic, where a pointer is decremented past the buffer's beginning, or when a negative index is used in an array access. These operations cause the program to read from unintended memory regions that were not allocated for the buffer's use. Reading from memory preceding the buffer can expose sensitive information, such as remnants of other data structures, passwords, or encryption keys, leading to information disclosure. It can also cause the application to crash if it accesses protected or invalid memory addresses, resulting in a denial of service.

Common Consequences
Scope: Confidentiality

Impact: Read Memory

Scope: Confidentiality

Impact: Bypass Protection Mechanism

By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service.

Demonstrative Examples

ID: DX-100

In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method.

Code Example (Bad, C):

```c
// check that the array index is less than the maximum
```

However, this method only verifies that the given array index is less than the maximum length of the array and does not check for a minimum value (Numeric Range Comparison Without Minimum Check). This allows a negative value to be accepted as the input array index, which results in reading data before the beginning of the buffer (Buffer Under-read) and may allow access to sensitive memory. The input array index should be checked to verify that it is within the minimum and maximum range required for the array (Improper Validation of Array Index). In this example the if statement should be modified to include a minimum range check, as shown below.

Code Example (Good, C):

```c
// check that the array index is within the correct
```

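The two range checks discussed above, placed side by side as an added illustration (editor-supplied code, not the CWE entry's own demonstrative code); the function names, the sample buffer and the probe indices are assumptions. The lookup helper refuses an out-of-range index without ever dereferencing the array, so the under-read cannot occur.

```c
#include <stdbool.h>
#include <stdio.h>

/* Vulnerable range check: mirrors the "Bad" pattern, which tests only the
 * upper bound. A negative index passes, and array[index] would then read
 * memory located before the start of the buffer (Buffer Under-read). */
bool index_accepted_max_only(int len, int index)
{
    return index < len;
}

/* Hardened range check: the "Good" pattern, with the minimum bound added. */
bool index_accepted_min_and_max(int len, int index)
{
    return index >= 0 && index < len;
}

/* Safe lookup built on the hardened check. Returns 0 and stores the element
 * in *out on success; returns -1 without touching the array otherwise, so an
 * invalid index never causes an out-of-bounds read in either direction. */
int get_value_from_array(const int *array, int len, int index, int *out)
{
    if (!index_accepted_min_and_max(len, index)) {
        return -1;
    }
    *out = array[index];
    return 0;
}

int main(void)
{
    int buf[4] = {10, 20, 30, 40};      /* constructed sample buffer */
    int probes[] = {0, 3, 4, -1, -100}; /* constructed probe indices */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int idx = probes[i], v;
        printf("index %4d: max-only check %s, min+max check %s", idx,
               index_accepted_max_only(4, idx) ? "accepts" : "rejects",
               index_accepted_min_and_max(4, idx) ? "accepts" : "rejects");
        if (get_value_from_array(buf, 4, idx, &v) == 0)
            printf(", value %d\n", v);
        else
            printf(", lookup refused\n");
    }
    return 0;
}
```

The max-only check reports "accepts" for -1 and -100, which is exactly the input the minimum check exists to reject.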
Observed Examples
CVE-2021-40985: HTML conversion package has a buffer under-read, allowing a crash
Applicable Platforms
Languages:
  • C (Undetermined)
  • C++ (Undetermined)
Modes of Introduction
Implementation
Functional Areas
  1. Memory Management
Affected Resources
  1. Memory
Taxonomy Mapping
  • PLOVER
  • Software Fault Patterns
Notes
Research Gap: Under-studied.