Mercurial > hg > sv-dependency-builds

annotate src/capnproto-git-20161025/security-advisories/2015-03-02-0-c++-integer-overflow.md @ 55:284acf908dcd

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Add source for PortAudio stable v190600_20161030
author Chris Cannam
date Tue, 03 Jan 2017 13:44:07 +0000
parents 9530b331f8c1
children
rev   line source
cannam@48 1 Problem
cannam@48 2 =======
cannam@48 3
cannam@48 4 Integer overflow in pointer validation.
cannam@48 5
cannam@48 6 Discovered by
cannam@48 7 =============
cannam@48 8
cannam@48 9 Ben Laurie <ben@links.org> using [American Fuzzy Lop](http://lcamtuf.coredump.cx/afl/)
cannam@48 10
cannam@48 11 Announced
cannam@48 12 =========
cannam@48 13
cannam@48 14 2015-03-02
cannam@48 15
cannam@48 16 CVE
cannam@48 17 ===
cannam@48 18
cannam@48 19 CVE-2015-2310
cannam@48 20
cannam@48 21 Impact
cannam@48 22 ======
cannam@48 23
cannam@48 24 - Remotely segfault a peer by sending it a malicious message.
cannam@48 25 - Possible exfiltration of memory, depending on application behavior.
cannam@48 26
cannam@48 27 Fixed in
cannam@48 28 ========
cannam@48 29
cannam@48 30 - git commit [f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa][0]
cannam@48 31 - release 0.5.1.1:
cannam@48 32 - Unix: https://capnproto.org/capnproto-c++-0.5.1.1.tar.gz
cannam@48 33 - Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.1.zip
cannam@48 34 - release 0.4.1.1:
cannam@48 35 - Unix: https://capnproto.org/capnproto-c++-0.4.1.1.tar.gz
cannam@48 36 - release 0.6 (future)
cannam@48 37
cannam@48 38 [0]: https://github.com/sandstorm-io/capnproto/commit/f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa
cannam@48 39
cannam@48 40 Details
cannam@48 41 =======
cannam@48 42
cannam@48 43 *The following text contains speculation about the exploitability of this
cannam@48 44 bug. This is provided for informational purposes, but as such speculation is
cannam@48 45 often shown to be wrong, you should not rely on the accuracy of this
cannam@48 46 section for the safety of your service. Please update your library.*
cannam@48 47
cannam@48 48 A specially-crafted pointer could escape bounds checking by triggering an
cannam@48 49 integer overflow in the check. This causes the message to appear as if it
cannam@48 50 contains an extremely long list (over 2^32 bytes), stretching far beyond the
cannam@48 51 memory actually allocated to the message. If the application reads that list,
cannam@48 52 it will likely segfault, but if it manages to avoid a segfault (e.g. because
cannam@48 53 it has mapped a very large contiguous block of memory following the message,
cannam@48 54 or because it only reads some parts of the list and not others), it could end
cannam@48 55 up treating arbitrary parts of memory as input. If the application happens to
cannam@48 56 pass that data back to the user in some way, this problem could lead to
cannam@48 57 exfiltration of secrets.
cannam@48 58
cannam@48 59 The pointer is transitively read-only, therefore it is believed that this
cannam@48 60 vulnerability on its own CANNOT lead to memory corruption nor code execution.
cannam@48 61
cannam@48 62 This vulnerability is NOT a Sandstorm sandbox breakout. A Sandstorm app's
cannam@48 63 Cap'n Proto communications pass through a supervisor process which performs a
cannam@48 64 deep copy of the structure. As the supervisor has a very small heap, this
cannam@48 65 will always lead to a segfault, which has the effect of killing the app, but
cannam@48 66 does not affect any other app or the system at large. If somehow the copy
cannam@48 67 succeeds, the copied message will no longer contain an invalid pointer and
cannam@48 68 so will not harm its eventual destination, and the supervisor itself has no
cannam@48 69 secrets to steal. These mitigations are by design.
cannam@48 70
cannam@48 71 Preventative measures
cannam@48 72 =====================
cannam@48 73
cannam@48 74 In order to gain confidence that this is a one-off bug rather than endemic,
cannam@48 75 and to help prevent new bugs from being added, we have taken / will take the
cannam@48 76 following preventative measures going forward:
cannam@48 77
cannam@48 78 1. A fuzz test of each pointer type has been added to the standard unit test
cannam@48 79 suite. This test was confirmed to find the vulnerability in question.
cannam@48 80 2. We will additionally add fuzz testing with American Fuzzy Lop to our
cannam@48 81 extended test suite. AFL was used to find the original vulnerability. Our
cannam@48 82 current tests with AFL show only one other (less-critical) vulnerability
cannam@48 83 which will be reported separately ([2015-03-02-2][2]).
cannam@48 84 3. In parallel, we will extend our use of template metaprogramming for
cannam@48 85 compile-time unit analysis (kj::Quantity in kj/units.h) to also cover
cannam@48 86 overflow detection (by tracking the maximum size of an integer value across
cannam@48 87 arithmetic expressions and raising an error when it overflows). Preliminary
cannam@48 88 work with this approach successfully detected the vulnerability reported
cannam@48 89 here as well as one other vulnerability ([2015-03-02-1][3]).
cannam@48 90 [See the blog post][4] for more details.
cannam@48 91 4. We will continue to require that all tests (including the new fuzz test) run
cannam@48 92 cleanly under Valgrind before each release.
cannam@48 93 5. We will commission a professional security review before any 1.0 release.
cannam@48 94 Until that time, we continue to recommend against using Cap'n Proto to
cannam@48 95 interpret data from potentially-malicious sources.
cannam@48 96
cannam@48 97 I am pleased that measures 1, 2, and 3 all detected this bug, suggesting that
cannam@48 98 they have a high probability of catching any similar bugs.
cannam@48 99
cannam@48 100 [1]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-0-all-cpu-amplification.md
cannam@48 101 [2]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-1-c++-integer-underflow.md
cannam@48 102 [3]: https://capnproto.org/news/2015-03-02-security-advisory-and-integer-overflow-protection.html