Mercurial > hg > sv-dependency-builds

annotate src/capnproto-0.6.0/security-advisories/2015-03-02-0-c++-integer-overflow.md @ 62:0994c39f1e94

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Cap'n Proto v0.6 + build for OSX
author Chris Cannam <cannam@all-day-breakfast.com>
date Mon, 22 May 2017 10:01:37 +0100
parents
children
rev   line source
cannam@62 1 Problem
cannam@62 2 =======
cannam@62 3
cannam@62 4 Integer overflow in pointer validation.
cannam@62 5
cannam@62 6 Discovered by
cannam@62 7 =============
cannam@62 8
cannam@62 9 Ben Laurie &lt;ben@links.org> using [American Fuzzy Lop](http://lcamtuf.coredump.cx/afl/)
cannam@62 10
cannam@62 11 Announced
cannam@62 12 =========
cannam@62 13
cannam@62 14 2015-03-02
cannam@62 15
cannam@62 16 CVE
cannam@62 17 ===
cannam@62 18
cannam@62 19 CVE-2015-2310
cannam@62 20
cannam@62 21 Impact
cannam@62 22 ======
cannam@62 23
cannam@62 24 - Remotely segfault a peer by sending it a malicious message.
cannam@62 25 - Possible exfiltration of memory, depending on application behavior.
cannam@62 26
cannam@62 27 Fixed in
cannam@62 28 ========
cannam@62 29
cannam@62 30 - git commit [f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa][0]
cannam@62 31 - release 0.5.1.1:
cannam@62 32 - Unix: https://capnproto.org/capnproto-c++-0.5.1.1.tar.gz
cannam@62 33 - Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.1.zip
cannam@62 34 - release 0.4.1.1:
cannam@62 35 - Unix: https://capnproto.org/capnproto-c++-0.4.1.1.tar.gz
cannam@62 36 - release 0.6 (future)
cannam@62 37
cannam@62 38 [0]: https://github.com/sandstorm-io/capnproto/commit/f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa
cannam@62 39
cannam@62 40 Details
cannam@62 41 =======
cannam@62 42
cannam@62 43 *The following text contains speculation about the exploitability of this
cannam@62 44 bug. This is provided for informational purposes, but as such speculation is
cannam@62 45 often shown to be wrong, you should not rely on the accuracy of this
cannam@62 46 section for the safety of your service. Please update your library.*
cannam@62 47
cannam@62 48 A specially-crafted pointer could escape bounds checking by triggering an
cannam@62 49 integer overflow in the check. This causes the message to appear as if it
cannam@62 50 contains an extremely long list (over 2^32 bytes), stretching far beyond the
cannam@62 51 memory actually allocated to the message. If the application reads that list,
cannam@62 52 it will likely segfault, but if it manages to avoid a segfault (e.g. because
cannam@62 53 it has mapped a very large contiguous block of memory following the message,
cannam@62 54 or because it only reads some parts of the list and not others), it could end
cannam@62 55 up treating arbitrary parts of memory as input. If the application happens to
cannam@62 56 pass that data back to the user in some way, this problem could lead to
cannam@62 57 exfiltration of secrets.
cannam@62 58
cannam@62 59 The pointer is transitively read-only, therefore it is believed that this
cannam@62 60 vulnerability on its own CANNOT lead to memory corruption nor code execution.
cannam@62 61
cannam@62 62 This vulnerability is NOT a Sandstorm sandbox breakout. A Sandstorm app's
cannam@62 63 Cap'n Proto communications pass through a supervisor process which performs a
cannam@62 64 deep copy of the structure. As the supervisor has a very small heap, this
cannam@62 65 will always lead to a segfault, which has the effect of killing the app, but
cannam@62 66 does not affect any other app or the system at large. If somehow the copy
cannam@62 67 succeeds, the copied message will no longer contain an invalid pointer and
cannam@62 68 so will not harm its eventual destination, and the supervisor itself has no
cannam@62 69 secrets to steal. These mitigations are by design.
cannam@62 70
cannam@62 71 Preventative measures
cannam@62 72 =====================
cannam@62 73
cannam@62 74 In order to gain confidence that this is a one-off bug rather than endemic,
cannam@62 75 and to help prevent new bugs from being added, we have taken / will take the
cannam@62 76 following preventative measures going forward:
cannam@62 77
cannam@62 78 1. A fuzz test of each pointer type has been added to the standard unit test
cannam@62 79 suite. This test was confirmed to find the vulnerability in question.
cannam@62 80 2. We will additionally add fuzz testing with American Fuzzy Lop to our
cannam@62 81 extended test suite. AFL was used to find the original vulnerability. Our
cannam@62 82 current tests with AFL show only one other (less-critical) vulnerability
cannam@62 83 which will be reported separately ([2015-03-02-2][2]).
cannam@62 84 3. In parallel, we will extend our use of template metaprogramming for
cannam@62 85 compile-time unit analysis (kj::Quantity in kj/units.h) to also cover
cannam@62 86 overflow detection (by tracking the maximum size of an integer value across
cannam@62 87 arithmetic expressions and raising an error when it overflows). Preliminary
cannam@62 88 work with this approach successfully detected the vulnerability reported
cannam@62 89 here as well as one other vulnerability ([2015-03-02-1][3]).
cannam@62 90 [See the blog post][4] for more details.
cannam@62 91 4. We will continue to require that all tests (including the new fuzz test) run
cannam@62 92 cleanly under Valgrind before each release.
cannam@62 93 5. We will commission a professional security review before any 1.0 release.
cannam@62 94 Until that time, we continue to recommend against using Cap'n Proto to
cannam@62 95 interpret data from potentially-malicious sources.
cannam@62 96
cannam@62 97 I am pleased that measures 1, 2, and 3 all detected this bug, suggesting that
cannam@62 98 they have a high probability of catching any similar bugs.
cannam@62 99
cannam@62 100 [1]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-0-all-cpu-amplification.md
cannam@62 101 [2]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-1-c++-integer-underflow.md
cannam@62 102 [3]: https://capnproto.org/news/2015-03-02-security-advisory-and-integer-overflow-protection.html