The Integer-Overflow (IOF) vulnerability family is responsible for a dominant part of C/C++ code vulnerabilities, as I shown in my previous post with a specific example. However, the Integer vulnerability class has more than IOFs in it, and this will be the topic of this post.
After a long patching process, CVE 2016-8636 was now fixed and can be publicly disclosed. CVE 2016-8636 is caused by a classic integer-overflow vulnerability, showing that even the linux kernel suffers from this major vulnerability family.
The C/C++ programing language seems simple and quite straight forward to most common/embedded developers. Unfortunately, most of the programmers lack knowledge of the C standard, resulting in many security vulnerabilities that can be found in those dark shadows of the code. This post will try to introduce a small part of the integer overflow world, and specifically it’s sometimes undefined behavior.