

IDIV DoS (INT_MIN / -1) - alter8
http://kqueue.org/blog/2012/12/31/idiv-dos/

======
makomk
If anyone here has used Second Life's scripting language LSL, they had to work
around this issue. Apparently they now calculate x / -1 as -x instead, which
gets a counter-intuitive result when x=INT_MIN but doesn't crash. I believe
once upon a time this was documented and everything.

~~~
loeg
But -1*INT_MIN is still 1 greater than INT_MAX in two's complement ... so
that's signed overflow and thus undefined behavior in C.

Assuming x86 signed overflow behavior, you're just back to INT_MIN again? Or
am I crazy?

~~~
bdonlan
The language in question isn't C, so they can have whatever semantics they
want.

~~~
loeg
Sorry, the use of the nym INT_MIN suggested to me that the implementation
under the covers was C.

It looks like it was once an interpreter, but is now compiled down to CLR and
run with Mono.

------
0x0
Reminds me about that fairly recent strtod() infinite loop that caused DoS in
several languages.

[http://www.exploringbinary.com/why-volatile-fixes-the-2-2250...](http://www.exploringbinary.com/why-volatile-fixes-the-2-2250738585072011e-308-bug/)

~~~
ctz
Did it affect any languages other than PHP? The linked article suggests that
it was PHP only (and this agrees with zend_strtod being the problem function
and not any C library implementation of strtod(3)).

~~~
0x0
It affected a whole bunch of languages, libraries and compilers, apparently
because the strtod() implementation in question has been a popular copy&paste
piece.

This guy here over at <http://blog.andreas.org/display?id=9> mentions at
least: "Android libc, gcc libio, gcc java runtime, newlib libc, GNU Mono,
Apple's libc, mozilla"

It was particularly nasty because it could easily be exploited simply by
putting that specific decimal number into a web form or whatever, and for each
request a thread on the backend server would lock a CPU to 100% usage until
sysadmins discover and kill those threads, worst case.

------
ScottBurson
Fixed-precision integer arithmetic is evil.

~~~
malkia
And then a lot of game programmers would disagree :)

I for one just learned to love doubles...

------
huhsamovar
I just tried the C version and it compiles and exits gracefully with gcc
4.2.1.

~~~
haberman
That's probably because the code in the article uses compile-time constants as
operands. Try this one and pass "-1" as the command-line parameter:

    #include <limits.h>   /* LLONG_MIN: the same bit pattern as the original (1LL << 63), without the shift-into-sign-bit UB */
    #include <stdlib.h>   /* atoi */
    
    /* LLONG_MIN / -1 is not representable; on x86 the 64-bit idiv raises SIGFPE. */
    int main(int argc, char *argv[]) { return LLONG_MIN / atoi(argv[1]); }

Note that this issue has been written about before by Tavis Ormandy:
<http://my.opera.com/taviso/blog/show.dml/639454>

~~~
huhsamovar
Floating point exception: 8
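As an added example (not code from the thread, nor Second Life's own implementation): a checked 32-bit division in C that reports the two operand pairs x86's idiv faults on, plus the x / -1 == -x policy makomk describes, with the single INT_MIN case wrapping explicitly rather than through undefined signed overflow. The names checked_div, div_status_of and wrapping_div are mine.

```c
#include <limits.h>
#include <stdio.h>

/* Outcome of a checked 32-bit signed division. */
typedef enum { DIV_OK, DIV_BY_ZERO, DIV_OVERFLOW } div_status;

/*
 * Divide a by b without ever handing the hardware the two inputs that
 * fault on x86: b == 0 and INT_MIN / -1.  Both are reported through the
 * status; *out is only written when the result is DIV_OK.
 */
div_status checked_div(int a, int b, int *out)
{
    if (b == 0)
        return DIV_BY_ZERO;
    if (a == INT_MIN && b == -1)   /* quotient would be INT_MAX + 1 */
        return DIV_OVERFLOW;
    *out = a / b;                  /* every remaining pair is well-defined */
    return DIV_OK;
}

/* Status-only view, for callers that just want to gate an operation. */
div_status div_status_of(int a, int b)
{
    int unused;
    return checked_div(a, b, &unused);
}

/*
 * The Second Life style policy from the thread: x / -1 behaves as -x,
 * and the one overflowing case wraps to INT_MIN (the two's-complement
 * result of -INT_MIN) instead of crashing.  The wrap is written out
 * explicitly, so this function itself contains no signed overflow.
 * Returning 0 for a zero divisor is a constructed choice for this demo.
 */
int wrapping_div(int a, int b)
{
    int q;
    switch (checked_div(a, b, &q)) {
    case DIV_OK:       return q;
    case DIV_OVERFLOW: return INT_MIN;
    default:           return 0;
    }
}

int main(void)
{
    printf("status of INT_MIN / -1: %d\n", (int)div_status_of(INT_MIN, -1));
    printf("wrapping_div(INT_MIN, -1) = %d\n", wrapping_div(INT_MIN, -1));
    return 0;
}
```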

