Description
Summary
execute_arithmetic_with_side_effects() at interpreter/mod.rs:1563-1565 uses native +, -, * operators instead of wrapping_* variants. In debug mode, i64 overflow causes a panic (process crash). The non-compound path in parse_arithmetic_impl correctly uses wrapping operations.
A second overflow site exists in evaluate_arithmetic_with_assign() at interpreter/mod.rs:7022-7043 for the <<= and >>= compound assignment paths, which don't clamp the shift amount (the non-compound path clamps to 0..=63 at :7455).
Impact — HIGH
Process crash (DoS) in debug mode. Silent wrapping in release mode (inconsistent with non-compound path).
Reproduction
```sh
# Panics in debug mode:
x=9223372036854775807; ((x+=1)); echo $x
# "attempt to add with overflow" at interpreter/mod.rs:1563
```
Recommended fix
Replace native operators with wrapping variants at mod.rs:1563-1565:
```rust
'+' => current.wrapping_add(rhs_value),
'-' => current.wrapping_sub(rhs_value),
'*' => current.wrapping_mul(rhs_value),
```
And clamp shift amounts at mod.rs:7042-7043:
```rust
"<<" => lhs_val.wrapping_shl((rhs_val & 63) as u32),
">>" => lhs_val.wrapping_shr((rhs_val & 63) as u32),
```
Also add overflow protection for / and % (i64::MIN / -1 and i64::MIN % -1).
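The three fixes above, combined into one stand-alone model of the compound-assignment path (added example, not the project's code; `apply_compound`, `ArithError` and `repro_compound_add` are assumed names, and the interpreter's real value plumbing is omitted):

```rust
// Added example, not the project's code: a stand-alone model of the
// compound-assignment arithmetic path with the overflow handling the
// issue recommends. `apply_compound` and `ArithError` are assumed names.

#[derive(Debug, PartialEq)]
pub enum ArithError {
    DivisionByZero,
    UnknownOp(String),
}

/// Evaluate `lhs op= rhs` with 64-bit two's-complement shell semantics:
/// +, -, * wrap instead of panicking in debug builds; << and >> mask the
/// shift count into 0..=63; / and % reject a zero divisor and use the
/// wrapping variants so i64::MIN / -1 and i64::MIN % -1 cannot overflow.
pub fn apply_compound(op: &str, lhs: i64, rhs: i64) -> Result<i64, ArithError> {
    Ok(match op {
        "+" => lhs.wrapping_add(rhs),
        "-" => lhs.wrapping_sub(rhs),
        "*" => lhs.wrapping_mul(rhs),
        "/" | "%" if rhs == 0 => return Err(ArithError::DivisionByZero),
        "/" => lhs.wrapping_div(rhs), // i64::MIN / -1 wraps to i64::MIN
        "%" => lhs.wrapping_rem(rhs), // i64::MIN % -1 yields 0
        // `rhs & 63` maps any count, negative ones included, into 0..=63.
        "<<" => lhs.wrapping_shl((rhs & 63) as u32),
        ">>" => lhs.wrapping_shr((rhs & 63) as u32),
        other => return Err(ArithError::UnknownOp(other.to_string())),
    })
}

/// The issue's reproduction, `x=9223372036854775807; ((x+=1))`, run
/// through the hardened path: wraps to i64::MIN instead of panicking.
pub fn repro_compound_add() -> i64 {
    apply_compound("+", 9_223_372_036_854_775_807, 1).unwrap()
}

fn main() {
    println!("x += 1 at i64::MAX -> {}", repro_compound_add());
    println!("x <<= 65 from 1    -> {:?}", apply_compound("<<", 1, 65));
    println!("i64::MIN /= -1     -> {:?}", apply_compound("/", i64::MIN, -1));
}
```

Run it with `cargo run` in a debug build; none of the paths that trigger the reported panic do so here, and the results match the non-compound path's wrapping semantics.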
Tests
Regression tests (currently #[ignore]):
- security_audit_compound_add_no_panic
- security_audit_compound_shift_clamped
Cross-references
- Threat model: TM-DOS-043
- Related: TM-DOS-029 (original arithmetic overflow threat)
- PR: test(security): deep security audit with regression tests #487