{"@ID": "1335", "@Name": "Incorrect Bitwise Shift of Integer", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result.", "Extended_Description": {"xhtml:p": ["Specifying a value to be shifted by a negative amount is undefined in various languages. Various computer architectures implement this action in different ways. The compilers and interpreters when generating code to accomplish a shift generally do not do a check for this issue.", "Specifying an over-shift, a shift greater than or equal to the number of bits contained in a value to be shifted, produces a result which varies by architecture and compiler. In some languages, this action is specifically listed as producing an undefined result."]}, "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "682", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": [{"@Name": "C", "@Prevalence": "Undetermined"}, {"@Name": "C++", "@Prevalence": "Undetermined"}, {"@Name": "C#", "@Prevalence": "Undetermined"}, {"@Name": "Java", "@Prevalence": "Undetermined"}, {"@Name": "JavaScript", "@Prevalence": "Undetermined"}], "Operating_System": {"@Class": "Not OS-Specific", "@Prevalence": "Undetermined"}, "Technology": {"@Class": "Not Technology-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Implementation", "Note": "Adding shifts without properly verifying the size and sign of the shift amount."}}, "Common_Consequences": {"Consequence": {"Scope": "Integrity", "Impact": "DoS: Crash, Exit, or Restart"}}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}}, "Potential_Mitigations": {"Mitigation": {"Phase": "Implementation", "Description": "Implicitly or explicitly add checks and mitigation for negative or over-shift values."}}, "Demonstrative_Examples": {"Demonstrative_Example": {"Intro_Text": "A negative shift amount for an x86 or x86_64 shift instruction will produce the number of bits to be shifted by taking a 2's-complement of the shift amount and effectively masking that amount to the lowest 6 bits for a 64 bit shift instruction.", "Example_Code": [{"@Nature": "Bad", "@Language": "C", "#text": "unsigned int r = 1 << -5;"}, {"@Nature": "Bad", "@Language": "C", "xhtml:br": [null, null, null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "reg_bit -= bit_number_from_elsewhere;"}, "#text": "if (NEED_TO_SHIFT)\n\t\t\t\t\t    {\n\t\t\t\t\t    \n\t\t\t\t\t    }\n\t\t\t\t\t    return reg_bit;"}, {"@style": "margin-left:1em;", "xhtml:br": [null, null, null], "#text": "unsigned int the_bit = 1 << choose_bit(5, 10);\n\t\t\t\t\t    *r |= the_bit;\n\t\t\t\t\t    return the_bit;"}], "#text": "int choose_bit(int reg_bit, int bit_number_from_elsewhere) \n\t\t\t\t\t  {\n\t\t\t\t\t  \n\t\t\t\t\t  }\n\t\t\t\t\t  unsigned int handle_io_register(unsigned int *r)\n\t\t\t\t\t  {\n\t\t\t\t\t  \n\t\t\t\t\t  }"}, {"@Nature": "Good", "@Language": "C", "xhtml:br": [null, null, null, null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "reg_bit -= bit_number_from_elsewhere;"}, "#text": "if (NEED_TO_SHIFT)\n\t\t\t\t\t    {\n\t\t\t\t\t    \n\t\t\t\t\t    }\n\t\t\t\t\t    return reg_bit;"}, {"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null], "#text": "unsigned int the_bit = 1 << the_bit_number;\n\t\t\t\t\t      *r |= the_bit;"}, "#text": "int the_bit_number = choose_bit(5, 10);\n\t\t\t\t\t    if ((the_bit_number > 0) && (the_bit_number < 63))\n\t\t\t\t\t    {\n\t\t\t\t\t    \n\t\t\t\t\t    }\n\t\t\t\t\t    return the_bit;"}], "#text": "int choose_bit(int reg_bit, int bit_number_from_elsewhere) \n\t\t\t\t\t  {\n\t\t\t\t\t  \n\t\t\t\t\t  }\n\t\t\t\t\t  \n\t\t\t\t\t  unsigned int handle_io_register(unsigned int *r)\n\t\t\t\t\t  {\n\t\t\t\t\t  \n\t\t\t\t\t  }"}], "Body_Text": ["The example above ends up with a shift amount of -5. The hexadecimal value is FFFFFFFFFFFFFFFD which, when bits above the  6th bit are masked off, the shift amount becomes a binary shift value of 111101 which is 61 decimal. A shift of 61 produces a very different result than -5. The previous example is a very simple version of the following code which is probably more realistic of what happens in a real system.", "Note that the good example not only checks for negative shifts and disallows them, but it also checks for over-shifts. No bit operation is done if the shift is out of bounds. Depending on the program, perhaps an error message should be logged."]}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2023-4720", "Description": "multimedia product performs a left shift with a negative value, leading to a crash", "Link": "https://www.cve.org/CVERecord?id=CVE-2023-4720"}, {"Reference": "CVE-2009-4307", "Description": "An unexpected large value in the ext4 filesystem causes an overshift condition resulting in a divide by zero.", "Link": "https://www.cve.org/CVERecord?id=CVE-2009-4307"}, {"Reference": "CVE-2012-2100", "Description": "An unexpected large value in the ext4 filesystem causes an overshift condition resulting in a divide by zero - fix of CVE-2009-4307.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-2100"}, {"Reference": "CVE-2020-8835", "Description": "An overshift in a kernel allowed out of bounds reads and writes resulting in a root takeover.", "Link": "https://www.cve.org/CVERecord?id=CVE-2020-8835"}, {"Reference": "CVE-2015-1607", "Description": "Program is not properly handling signed bitwise left-shifts causing an overlapping memcpy memory range error.", "Link": "https://www.cve.org/CVERecord?id=CVE-2015-1607"}, {"Reference": "CVE-2016-9842", "Description": "Compression function improperly executes a signed left shift of a negative integer.", "Link": "https://www.cve.org/CVERecord?id=CVE-2016-9842"}, {"Reference": "CVE-2018-18445", "Description": "Some kernels improperly handle right shifts of 32 bit numbers in a 64 bit register.", "Link": "https://www.cve.org/CVERecord?id=CVE-2018-18445"}, {"Reference": "CVE-2013-4206", "Description": "Putty  has an incorrectly sized shift value resulting in an overshift.", "Link": "https://www.cve.org/CVERecord?id=CVE-2013-4206"}, {"Reference": "CVE-2018-20788", "Description": "LED driver overshifts under certain conditions resulting in a DoS.", "Link": "https://www.cve.org/CVERecord?id=CVE-2018-20788"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Content_History": {"Submission": {"Submission_Name": "CWE Content Team", "Submission_Organization": "MITRE", "Submission_Date": "2021-03-29", "Submission_Version": "4.5", "Submission_ReleaseDate": "2021-07-20"}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-10-13", "Modification_Version": "4.9", "Modification_ReleaseDate": "2022-10-13", "Modification_Comment": "updated Demonstrative_Examples, Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Detection_Factors, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2026-04-30", "Modification_Version": "4.20", "Modification_ReleaseDate": "2026-04-30", "Modification_Comment": "updated Observed_Examples"}]}}
