{"id":293,"date":"2025-12-22T14:33:07","date_gmt":"2025-12-22T14:33:07","guid":{"rendered":"https:\/\/haco.club\/?p=293"},"modified":"2025-12-22T14:33:07","modified_gmt":"2025-12-22T14:33:07","slug":"the-difference-of-overflow-and-underflow","status":"publish","type":"post","link":"https:\/\/haco.club\/?p=293","title":{"rendered":"The difference of overflow and underflow"},"content":{"rendered":"\n

In computer science\u2014and specifically in fuzzing and exploitation\u2014the terms Overflow<\/strong> and Underflow<\/strong> mean different things depending on whether you are talking about Numbers (Arithmetic)<\/strong> or Memory (Buffers)<\/strong>.<\/p>\n\n\n\n

Here is the breakdown of the differences.<\/p>\n\n\n\n

\n\n\n\n

1. Arithmetic (Integer) Context<\/h3>\n\n\n\n

This refers to the value of a number going beyond what the variable type can hold.<\/p>\n\n\n\n

Integer Overflow (Too Big)<\/h4>\n\n\n\n

Occurs when you try to store a value larger than the maximum limit. The value “wraps around” to the minimum.<\/p>\n\n\n\n

    \n
  • Analogy:<\/strong> A car odometer at 999,999<\/code> rolling over to 000,000<\/code>.<\/li>\n\n\n\n
  • Example (8-bit unsigned):<\/strong> The max value is 255.\n
      \n
    • 255 + 1 = 0<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n
    • Security Risk:<\/strong> If you calculate size = num_elements * 10<\/code> and it overflows to a small number (e.g., 4), you might allocate only 4 bytes of memory but try to copy huge amounts of data into it, causing a heap overflow.<\/li>\n<\/ul>\n\n\n\n

      Integer Underflow (Too Small)<\/h4>\n\n\n\n

      Occurs when you try to go below the minimum limit. The value “wraps around” to the maximum.<\/p>\n\n\n\n

        \n
      • Analogy:<\/strong> Rolling a car odometer backward from 000,000<\/code> to 999,999<\/code>.<\/li>\n\n\n\n
      • Example (8-bit unsigned):<\/strong> The min value is 0.\n
          \n
        • 0 - 1 = 255<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n
        • Security Risk:<\/strong> If you have a check like if (packet_len < header_len) return;<\/code>, and you do payload_size = packet_len - header_len<\/code>, an underflow could make payload_size<\/code> a massive number (like 4 billion), causing a massive copy loop.<\/li>\n<\/ul>\n\n\n\n
          \n\n\n\n

          2. Memory \/ Buffer Context<\/h3>\n\n\n\n

          This refers to accessing memory outside the bounds of an array or buffer. This is the most common target for AFL\/fuzzing.<\/p>\n\n\n\n

          Buffer Overflow (Going “Forward”)<\/h4>\n\n\n\n

          Writing data past the end<\/strong> of the allocated buffer (towards higher memory addresses).<\/p>\n\n\n\n

            \n
          • Direction:<\/strong> Low Address $\\to$ High Address.<\/li>\n\n\n\n
          • Code:<\/strong> buf[10] = 'A'<\/code> (when size is 10).<\/li>\n\n\n\n
          • Impact on Stack:<\/strong> Since the Stack grows down<\/strong> (High to Low), but buffers index up<\/strong> (Low to High), a buffer overflow overwrites data “above” it in the stack frame.\n
              \n
            • Main Thread:<\/strong> Overwrites the Return Address (saved LR).<\/li>\n\n\n\n
            • Secondary Thread:<\/strong> Writes towards the TCB<\/strong> (Thread Control Block) and stack_guard<\/code>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n

              Buffer Underflow (Going “Backward”)<\/h4>\n\n\n\n

              Writing data before the start<\/strong> of the allocated buffer (towards lower memory addresses).<\/p>\n\n\n\n

                \n
              • Direction:<\/strong> High Address $\\to$ Low Address.<\/li>\n\n\n\n
              • Code:<\/strong> buf[-1] = 'A'<\/code>.<\/li>\n\n\n\n
              • Impact on Stack:<\/strong> This writes deeper into the stack (into unused space or the next function’s frame), which is usually less immediately dangerous than an overflow, but can still cause logic bugs.<\/li>\n<\/ul>\n\n\n\n
                \n\n\n\n

                3. The “Stack” Special Case<\/h3>\n\n\n\n

                There are two specific terms related to the Stack structure itself (Push\/Pop).<\/p>\n\n\n\n

                  \n
                • Stack Overflow:<\/strong> The stack grows so large (usually due to infinite recursion) that it hits the limit of the OS-allocated memory region (the “Guard Page”). This causes a SEGFAULT<\/code>.<\/li>\n\n\n\n
                • Stack Underflow:<\/strong> The program tries to POP<\/code> items off the stack when the stack is empty. This usually only happens in handwritten assembly or ROP (Return Oriented Programming) chains, not in normal C code.<\/li>\n<\/ul>\n\n\n\n
                  \n\n\n\n

                  Summary Table<\/h3>\n\n\n\n
                  Context<\/th>Term<\/th>What happens?<\/th>Direction \/ Result<\/th><\/tr><\/thead>
                  Arithmetic<\/strong><\/td>Overflow<\/strong><\/td>Value > Max<\/td>Wraps to Min (0)<\/td><\/tr>
                  Arithmetic<\/strong><\/td>Underflow<\/strong><\/td>Value < Min<\/td>Wraps to Max (Huge number)<\/td><\/tr>
                  Memory<\/strong><\/td>Overflow<\/strong><\/td>Index > Size<\/td>Writes to Higher<\/strong> Address<\/td><\/tr>
                  Memory<\/strong><\/td>Underflow<\/strong><\/td>Index < 0<\/td>Writes to Lower<\/strong> Address<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

                  Relating to your previous question (The TCB)<\/h3>\n\n\n\n

                  In the context of the Secondary Thread<\/strong> layout I described previously:<\/p>\n\n\n\n

                    \n
                  1. Buffer Overflow:<\/strong> If you have a buffer on the stack and you write past the end (buf[1000]<\/code>), you write towards Higher Addresses<\/strong>.\n
                      \n
                    • Because the TCB is located at the top<\/strong> (High Address) of the thread’s memory block, a massive Buffer Overflow<\/strong> on the stack allows you to corrupt the TCB<\/strong>, stack_guard<\/code>, or TLS pointers.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                    • Buffer Underflow:<\/strong> If you write to buf[-1]<\/code>, you write towards Lower Addresses<\/strong>.\n
                        \n
                      • This moves away<\/em> from the TCB and towards<\/em> the Stack Guard Page at the bottom.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"

                        In computer science\u2014and specifically in fuzzing and exploitation\u2014the terms Overflow […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[42],"tags":[5],"class_list":["post-293","post","type-post","status-publish","format-standard","hentry","category-knowledge-base","tag-security"],"_links":{"self":[{"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts\/293","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=293"}],"version-history":[{"count":1,"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts\/293\/revisions"}],"predecessor-version":[{"id":294,"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts\/293\/revisions\/294"}],"wp:attachment":[{"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=293"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=293"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=293"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}