annotate src/capnproto-git-20161025/security-advisories/2015-03-02-0-c++-integer-overflow.md @ 83:ae30d91d2ffe

Replace these with versions built using an older toolset (so as to avoid ABI compatibilities when linking on Ubuntu 14.04 for packaging purposes)
author Chris Cannam
date Fri, 07 Feb 2020 11:51:13 +0000
parents 9530b331f8c1
Problem
=======

Integer overflow in pointer validation.

Discovered by
=============

Ben Laurie <ben@links.org> using [American Fuzzy Lop](http://lcamtuf.coredump.cx/afl/)

Announced
=========

2015-03-02

CVE
===

CVE-2015-2310

Impact
======

- Remotely segfault a peer by sending it a malicious message.
- Possible exfiltration of memory, depending on application behavior.

Fixed in
========

- git commit [f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa][0]
- release 0.5.1.1:
  - Unix: https://capnproto.org/capnproto-c++-0.5.1.1.tar.gz
  - Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.1.zip
- release 0.4.1.1:
  - Unix: https://capnproto.org/capnproto-c++-0.4.1.1.tar.gz
- release 0.6 (future)

[0]: https://github.com/sandstorm-io/capnproto/commit/f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa

Details
=======

*The following text contains speculation about the exploitability of this
bug. This is provided for informational purposes, but as such speculation is
often shown to be wrong, you should not rely on the accuracy of this
section for the safety of your service. Please update your library.*

A specially-crafted pointer could escape bounds checking by triggering an
integer overflow in the check. This causes the message to appear as if it
contains an extremely long list (over 2^32 bytes), stretching far beyond the
memory actually allocated to the message. If the application reads that list,
it will likely segfault, but if it manages to avoid a segfault (e.g. because
it has mapped a very large contiguous block of memory following the message,
or because it only reads some parts of the list and not others), it could end
up treating arbitrary parts of memory as input. If the application happens to
pass that data back to the user in some way, this problem could lead to
exfiltration of secrets.

The pointer is transitively read-only, therefore it is believed that this
vulnerability on its own CANNOT lead to memory corruption nor code execution.
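The failure mode described above, as an added illustration that is not Cap'n Proto's own code: a toy list pointer carrying an offset and a length is validated once with a 32-bit sum that can wrap (so a huge length passes), and once with a subtraction against the remaining space that cannot wrap. The segment layout, the field names and their widths are assumptions made for this example and do not reproduce the library's real pointer encoding.

```cpp
#include <cstdint>
#include <vector>

// Toy "message segment": a flat buffer of 8-byte words. (Constructed for the
// example; not the library's segment type.)
struct Segment {
    std::vector<uint64_t> words;
};

// Toy list pointer: where the list starts and how many words it claims to
// span. Both fields are attacker-controlled when the message is untrusted.
struct ListPointer {
    uint32_t offsetWords;   // position of the list data within the segment
    uint32_t lengthWords;   // claimed size of the list, in words
};

// Vulnerable form of the check: the sum is computed in uint32_t and silently
// wraps, so an enormous lengthWords can make (offset + length) small and the
// list appears to fit even though it extends far past the buffer.
bool checkBoundsVulnerable(const Segment& seg, ListPointer p) {
    uint32_t segSize = static_cast<uint32_t>(seg.words.size());
    uint32_t end = p.offsetWords + p.lengthWords;   // may wrap around to a small value
    return p.offsetWords <= segSize && end <= segSize;
}

// Hardened form: never add two untrusted values together; first reject an
// offset past the end, then compare the claimed length against the space that
// actually remains. The subtraction cannot underflow once offset <= segSize.
bool checkBoundsHardened(const Segment& seg, ListPointer p) {
    uint64_t segSize = seg.words.size();
    if (p.offsetWords > segSize) return false;
    uint64_t remaining = segSize - p.offsetWords;
    return p.lengthWords <= remaining;
}

// Constructed sample input: a 16-word segment.
Segment makeSampleSegment() {
    Segment s;
    s.words.assign(16, 0);
    return s;
}

// Constructed sample pointer whose length was chosen so that
// offsetWords + lengthWords == 2^32, i.e. the 32-bit sum wraps to 0.
ListPointer makeWrappingPointer() {
    ListPointer p;
    p.offsetWords = 8;
    p.lengthWords = 0xFFFFFFF8u;
    return p;
}

// Constructed sample pointer that genuinely fits (words 8..11 of 16).
ListPointer makeHonestPointer() {
    return ListPointer{8, 4};
}
```

The hardened check also rejects the honest-looking pointer `{8, 9}` (nine words starting at word 8 of a 16-word segment), which is exactly the comparison the wrapping version gets wrong for large lengths.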

This vulnerability is NOT a Sandstorm sandbox breakout. A Sandstorm app's
Cap'n Proto communications pass through a supervisor process which performs a
deep copy of the structure. As the supervisor has a very small heap, this
will always lead to a segfault, which has the effect of killing the app, but
does not affect any other app or the system at large. If somehow the copy
succeeds, the copied message will no longer contain an invalid pointer and
so will not harm its eventual destination, and the supervisor itself has no
secrets to steal. These mitigations are by design.

Preventative measures
=====================

In order to gain confidence that this is a one-off bug rather than endemic,
and to help prevent new bugs from being added, we have taken / will take the
following preventative measures going forward:

1. A fuzz test of each pointer type has been added to the standard unit test
   suite. This test was confirmed to find the vulnerability in question.
2. We will additionally add fuzz testing with American Fuzzy Lop to our
   extended test suite. AFL was used to find the original vulnerability. Our
   current tests with AFL show only one other (less-critical) vulnerability
   which will be reported separately ([2015-03-02-2][2]).
3. In parallel, we will extend our use of template metaprogramming for
   compile-time unit analysis (kj::Quantity in kj/units.h) to also cover
   overflow detection (by tracking the maximum size of an integer value across
   arithmetic expressions and raising an error when it overflows). Preliminary
   work with this approach successfully detected the vulnerability reported
   here as well as one other vulnerability ([2015-03-02-1][3]).
   [See the blog post][4] for more details.
4. We will continue to require that all tests (including the new fuzz test) run
   cleanly under Valgrind before each release.
5. We will commission a professional security review before any 1.0 release.
   Until that time, we continue to recommend against using Cap'n Proto to
   interpret data from potentially-malicious sources.
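A minimal version of the idea behind measure 3, added here as an example that is neither kj::Quantity nor any other Cap'n Proto code: an unsigned quantity carries its largest possible value in its type, arithmetic propagates those bounds, and any narrowing or wrap that the bounds cannot rule out is rejected at compile time rather than discovered by a fuzzer. The field widths (a 30-bit word offset, a 29-bit element count, at most 8 words per element) and all names are assumptions made for the demonstration.

```cpp
#include <cstdint>
#include <limits>
#include <stdexcept>

// An unsigned value whose compile-time upper bound travels with its type.
// The bound comes from the width of the field the value was parsed from, so
// the invariant value <= kMax is enforced at construction. (Illustrative
// type; not kj::Quantity.)
template <uint64_t MaxValue>
struct Bounded {
    static constexpr uint64_t kMax = MaxValue;
    uint64_t value;
    constexpr explicit Bounded(uint64_t v)
        : value(v <= MaxValue ? v : throw std::out_of_range("value exceeds its declared bound")) {}
};

// Addition propagates the bound as A + B and refuses, at compile time, any
// combination whose *bound* would itself wrap 64-bit storage: a wrapped bound
// would make every later comparison meaningless.
template <uint64_t A, uint64_t B>
constexpr Bounded<A + B> operator+(Bounded<A> a, Bounded<B> b) {
    static_assert(A <= std::numeric_limits<uint64_t>::max() - B,
                  "sum of bounds does not fit in 64 bits");
    return Bounded<A + B>(a.value + b.value);
}

// Multiplication (element count times element size) propagates A * B.
template <uint64_t A, uint64_t B>
constexpr Bounded<A * B> operator*(Bounded<A> a, Bounded<B> b) {
    static_assert(B == 0 || A <= std::numeric_limits<uint64_t>::max() / B,
                  "product of bounds does not fit in 64 bits");
    return Bounded<A * B>(a.value * b.value);
}

// A comparison involves no arithmetic on untrusted values, so it is always
// safe once both operands are known not to have wrapped.
template <uint64_t A, uint64_t B>
constexpr bool fitsWithin(Bounded<A> needed, Bounded<B> available) {
    return needed.value <= available.value;
}

// Narrowing to 32 bits is permitted only when the bound proves it lossless.
// Calling this on a quantity whose bound exceeds 2^32-1 fails to compile,
// which is the class of mistake the advisory describes.
template <uint64_t Max>
constexpr uint32_t narrowTo32(Bounded<Max> b) {
    static_assert(Max <= std::numeric_limits<uint32_t>::max(),
                  "bound exceeds 32 bits; narrowing could truncate");
    return static_cast<uint32_t>(b.value);
}

// Assumed (hypothetical) field widths for a toy list pointer.
using WordOffset      = Bounded<(1ull << 30) - 1>;   // 30-bit offset, in words
using ElementCount    = Bounded<(1ull << 29) - 1>;   // 29-bit element count
using WordsPerElement = Bounded<8>;                  // toy: at most 8 words/element
using SegmentWords    = Bounded<(1ull << 32) - 1>;   // largest segment accepted

// Last word the list would occupy. The compiler knows the bound is
// (2^30-1) + (2^29-1)*8, far below 2^64, so this sum cannot wrap.
constexpr uint64_t listEndWord(WordOffset off, ElementCount n, WordsPerElement w) {
    return (off + n * w).value;
}

// The bounds check itself: compare, never add, against the segment size.
bool listFitsInSegment(WordOffset off, ElementCount n, WordsPerElement w, SegmentWords seg) {
    return fitsWithin(off + n * w, seg);
}

// Shows that a raw field value outside its declared width is rejected before
// it can enter any arithmetic.
bool rejectsOutOfRangeOffset() {
    try {
        WordOffset bad(1ull << 30);   // one past the 30-bit maximum
        (void)bad;
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}
```

Usage note: `narrowTo32(WordOffset(5) + WordOffset(7))` compiles because the summed bound (2^31 - 2) fits in 32 bits, whereas `narrowTo32(off + n * w)` for the pointer fields above does not compile, since its bound exceeds 2^32 - 1; that refusal is the whole point of the technique.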

I am pleased that measures 1, 2, and 3 all detected this bug, suggesting that
they have a high probability of catching any similar bugs.

[1]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-0-all-cpu-amplification.md
[2]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-1-c++-integer-underflow.md
[3]: https://capnproto.org/news/2015-03-02-security-advisory-and-integer-overflow-protection.html