Compilers emit a SAR (arithmetic shift right) instruction when the right shift operator ">>" is applied to a signed integer.
The SAR instruction can lead to a signedness bug when the code assumes the shift is unsigned: SAR copies the sign bit into the vacated positions, so a negative value stays negative after the shift.
Consider the following simplified example:

    char retItem(char* arr, int value)
    {
        /* signed shift: compiled to SAR, result can be negative */
        return arr[value>>24];
    }
If value is positive the code works as expected. However, if value is negative the shifted index is also negative and the program reads out of the bounds of arr.
Another example would be comparing the signed value after the shift to an unsigned value; the implicit conversion that results may trigger a bug.
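The behaviour described above, as an added example that is not part of the original post: signed_shift24 is the SAR case, unsigned_shift24 the SHR case, signed_check_passes shows why a bounds check written with signed types does not catch the negative index, and safe_index is one hardened form (shift the unsigned representation, then check against the real length). All function names and the sample buffer are constructed for this illustration; the note on SAR being emitted for negative operands assumes GCC, Clang or MSVC, since right-shifting a negative signed value is implementation-defined before C23.

```c
#include <stddef.h>
#include <stdio.h>

/* Signed right shift: GCC, Clang and MSVC emit SAR, which copies the sign
 * bit into the vacated positions, so a negative input stays negative.
 * (Before C23 this is implementation-defined for negative values.) */
int signed_shift24(int value)
{
    return value >> 24;
}

/* Unsigned right shift: the compiler emits SHR, which shifts in zeros,
 * so the result is always in 0..255. */
unsigned unsigned_shift24(unsigned value)
{
    return value >> 24;
}

/* The pattern from the post with a naive bounds check written in signed
 * arithmetic. Returns 1 if the index "passes" the check. A negative
 * value >> 24 is still negative, so it passes and arr[idx] would read
 * before the start of the array. */
int signed_check_passes(int value, int len)
{
    int idx = value >> 24;
    return idx < len;       /* true for every negative idx */
}

/* Hardened form: shift the unsigned representation (SHR, never negative)
 * and bound-check the result against the real array length.
 * Returns 1 and stores the index on success, 0 if it is out of range. */
int safe_index(int value, size_t len, size_t *out)
{
    size_t idx = (unsigned)value >> 24;   /* 0..255 by construction */
    if (idx >= len)
        return 0;
    *out = idx;
    return 1;
}

int main(void)
{
    char arr[64] = {0};   /* constructed sample buffer */
    size_t idx;
    int value = -1;       /* 0xFFFFFFFF: high byte all ones */

    printf("signed   -1 >> 24 = %d\n", signed_shift24(value));
    printf("unsigned -1 >> 24 = %u\n", unsigned_shift24((unsigned)value));
    printf("signed check lets -1 through: %d\n", signed_check_passes(value, 64));
    printf("safe_index accepts -1: %d\n", safe_index(value, sizeof arr, &idx));
    return 0;
}
```

Compiling with optimisation and disassembling the two shift helpers shows the SAR/SHR difference directly, which is the same marker the post suggests searching for: the signed helper shifts with sar, the unsigned helper with shr.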
In my experiments, in several cases I have seen memory being dereferenced with a value produced by a SAR instruction. These places may be worth examining for bugs, especially if the value being shifted is user input or otherwise controlled.
A signed shift that follows an unsigned conditional jump is also a pattern worth looking at for bugs.
Regular expressions or scripts can be used to search for occurrences of SAR instructions. When it is not feasible to review every occurrence of SAR, a pintool may be used to record which SAR instructions are actually executed, so that the review can focus on those alone.