LOGBOOK

HELP

Quiz Entry - updated: 2026.07.07

How can integer type mismatches lead to security vulnerabilities?

A signed/unsigned mix-up can let a length check pass for a negative value, which then becomes a huge size — a classic memory-safety bug.

Flow: attacker sends maxlen = -1 as a signed int; a diamond check maxlen > KSIZE evaluates false so the length cap is skipped; len = -1 passes to memcpy's size_t parameter where it becomes roughly 4.29 billion, causing a massive over-read that leaks adjacent kernel memory along a red exploit path.

* A negative signed length passes a greater-than check unchanged and then becomes a huge unsigned value inside memcpy, triggering a memory-leaking over-read. *

// Kernel code with vulnerability:
int copy_from_kernel(void *user_dest, int maxlen) {
    int len = maxlen > KSIZE ? KSIZE : maxlen;
    memcpy(user_dest, kbuf, len);
    return len;
}

The bug:

  • maxlen is signed int
  • Comparison maxlen > KSIZE works for positive values
  • If attacker passes negative maxlen, check passes!
  • memcpy interprets negative as huge positive (unsigned)
  • Result: Reads arbitrary kernel memory!

Real-world impact: This was similar to FreeBSD's getpeername vulnerability - leaked kernel secrets like credit card numbers.

Go deeper:

From Quiz: REVE1 / Overview of Computer Systems | Updated: Jul 07, 2026