Quiz Entry - updated: 2026.07.07
How can you fix the integer overflow vulnerability in kernel code?
Use an unsigned type like size_t for sizes (so it can't be negative), or explicitly reject negative lengths before the comparison.
Vulnerable code:
int copy_from_kernel(void *user_dest, int maxlen) {
int len = maxlen > KSIZE ? KSIZE : maxlen;
Fixed code:
int copy_from_kernel(void *user_dest, size_t maxlen) {
size_t len = maxlen > KSIZE ? KSIZE : maxlen;
Key fixes:
- Use
size_t(unsigned) for sizes - can't be negative - Or explicitly check:
if (maxlen < 0) return -1; - Use consistent types in comparisons
Also fix the caller:
void getstuff() {
char mybuf[MSIZE];
// Use constant, not user input
copy_from_kernel(mybuf, MSIZE);
}
Go deeper:
C data types: size_t and stdint.h (Wikipedia) — use size_t / fixed-width unsigned types for sizes so lengths can't go negative or silently truncate.
CWE-190: Integer Overflow or Wraparound — Mitigations (MITRE) — validate ranges and use safe-arithmetic checks before allocating or copying.