Incorrect Bitwise Shift of Integer

Description

This vulnerability occurs when a program attempts to shift an integer's bits by an invalid amount—either a negative number or a value equal to or greater than the integer's bit width (e.g., shifting a 32-bit integer by 32 or more places). This leads to unpredictable and platform-dependent results.

Extended Description

Shifting bits by a negative count is considered undefined behavior in languages like C and C++. Compilers and interpreters typically don't validate this at runtime, leaving the actual operation to be handled by the underlying hardware. Different CPU architectures may produce varying results—such as shifting in the opposite direction, yielding zero, or even causing a crash—which breaks code portability and introduces subtle bugs. Similarly, an overshift (shifting beyond the bit width) also produces undefined or implementation-defined results. Some languages or compilers might mask the shift count, wrap the value, or return zero, but you cannot rely on consistent behavior. This ambiguity makes the code's outcome architecture- and compiler-dependent, creating security risks when the shifted value is used for calculations, memory offsets, or access controls.

Common Consequences 1

Scope: Integrity

Impact: DoS: Crash, Exit, or Restart

Potential Mitigations 1

Phase: Implementation

Implicitly or explicitly add checks and mitigation for negative or over-shift values.

Demonstrative Examples 1

A negative shift amount for an x86 or x86_64 shift instruction will produce the number of bits to be shifted by taking a 2's-complement of the shift amount and effectively masking that amount to the lowest 6 bits for a 64 bit shift instruction.

Code Example:

Bad

unsigned int r = 1 << -5;

The example above ends up with a shift amount of -5. The hexadecimal value is FFFFFFFFFFFFFFFD which, when bits above the 6th bit are masked off, the shift amount becomes a binary shift value of 111101 which is 61 decimal. A shift of 61 produces a very different result than -5. The previous example is a very simple version of the following code which is probably more realistic of what happens in a real system.

Code Example:

Bad

int choose_bit(int reg_bit, int bit_number_from_elsewhere) {

Code Example:

Good

int choose_bit(int reg_bit, int bit_number_from_elsewhere) {

Note that the good example not only checks for negative shifts and disallows them, but it also checks for over-shifts. No bit operation is done if the shift is out of bounds. Depending on the program, perhaps an error message should be logged.

Observed Examples 8

CVE-2009-4307An unexpected large value in the ext4 filesystem causes an overshift condition resulting in a divide by zero.

CVE-2012-2100An unexpected large value in the ext4 filesystem causes an overshift condition resulting in a divide by zero - fix of CVE-2009-4307.

CVE-2020-8835An overshift in a kernel allowed out of bounds reads and writes resulting in a root takeover.

CVE-2015-1607Program is not properly handling signed bitwise left-shifts causing an overlapping memcpy memory range error.

CVE-2016-9842Compression function improperly executes a signed left shift of a negative integer.

CVE-2018-18445Some kernels improperly handle right shifts of 32 bit numbers in a 64 bit register.

CVE-2013-4206Putty has an incorrectly sized shift value resulting in an overshift.

CVE-2018-20788LED driver overshifts under certain conditions resulting in a DoS.