Mercurial > hg > sv-dependency-builds

annotate src/capnproto-git-20161025/security-advisories/2015-03-02-1-c++-integer-underflow.md @ 83:ae30d91d2ffe

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Replace these with versions built using an older toolset (so as to avoid ABI compatibilities when linking on Ubuntu 14.04 for packaging purposes)
author Chris Cannam
date Fri, 07 Feb 2020 11:51:13 +0000
parents 9530b331f8c1
children
rev   line source
cannam@48 1 Problem
cannam@48 2 =======
cannam@48 3
cannam@48 4 Integer underflow in pointer validation.
cannam@48 5
cannam@48 6 Discovered by
cannam@48 7 =============
cannam@48 8
cannam@48 9 Kenton Varda <kenton@sandstorm.io>
cannam@48 10
cannam@48 11 Announced
cannam@48 12 =========
cannam@48 13
cannam@48 14 2015-03-02
cannam@48 15
cannam@48 16 CVE
cannam@48 17 ===
cannam@48 18
cannam@48 19 CVE-2015-2311
cannam@48 20
cannam@48 21 Impact
cannam@48 22 ======
cannam@48 23
cannam@48 24 - Remotely segfault a peer by sending it a malicious message.
cannam@48 25 - Possible exfiltration of memory, depending on application behavior.
cannam@48 26 - If the application performs a sequence of operations that "probably" no
cannam@48 27 application does (see below), possible memory corruption / code execution.
cannam@48 28
cannam@48 29 Fixed in
cannam@48 30 ========
cannam@48 31
cannam@48 32 - git commit [26bcceda72372211063d62aab7e45665faa83633][0]
cannam@48 33 - release 0.5.1.1:
cannam@48 34 - Unix: https://capnproto.org/capnproto-c++-0.5.1.1.tar.gz
cannam@48 35 - Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.1.zip
cannam@48 36 - release 0.4.1.1:
cannam@48 37 - Unix: https://capnproto.org/capnproto-c++-0.4.1.1.tar.gz
cannam@48 38 - release 0.6 (future)
cannam@48 39
cannam@48 40 [0]: https://github.com/sandstorm-io/capnproto/commit/26bcceda72372211063d62aab7e45665faa83633
cannam@48 41
cannam@48 42 Details
cannam@48 43 =======
cannam@48 44
cannam@48 45 *The following text contains speculation about the exploitability of this
cannam@48 46 bug. This is provided for informational purposes, but as such speculation is
cannam@48 47 often shown to be wrong, you should not rely on the accuracy of this
cannam@48 48 section for the safety of your service. Please update your library.*
cannam@48 49
cannam@48 50 A `Text` pointer, when non-null, must point to a NUL-terminated string, meaning
cannam@48 51 it must have a size of at least 1. Under most circumstances, Cap'n Proto will
cannam@48 52 reject zero-size text objects. However, if an application performs the
cannam@48 53 following sequence, they may hit a code path that was missing a check:
cannam@48 54
cannam@48 55 1. Receive a message containing a `Text` value, but do not actually look at
cannam@48 56 that value.
cannam@48 57 2. Copy the message into a `MessageBuilder`.
cannam@48 58 3. Call the `get()` method for the `Text` value within the `MessageBuilder`,
cannam@48 59 obtaining a `Text::Builder` for the *copy*.
cannam@48 60
cannam@48 61 In this case, the `Text::Builder` will appear to point at a string with size
cannam@48 62 2^32-1, starting at a location within the Cap'n Proto message.
cannam@48 63
cannam@48 64 The `Text::Builder` is writable. If the application decided to overwrite the
cannam@48 65 text in-place, it could overwrite arbitrary memory in the next 4GB of virtual
cannam@48 66 address space. However, there are several reasons to believe this is unusual:
cannam@48 67
cannam@48 68 - Usually, when an application `get()`s a text field, it only intends to
cannam@48 69 read it. Overwriting the text in-place is unusual.
cannam@48 70 - Calling `set()` on the field -- the usual way to overwrite text -- will
cannam@48 71 create an all-new text object and harmlessly discard the old, invalid
cannam@48 72 pointer.
cannam@48 73
cannam@48 74 Note that even if an application does overwrite the text, it would still be
cannam@48 75 hard for the attacker to exploit this for code execution unless the attacker
cannam@48 76 also controls the data that the application writes into the field.
cannam@48 77
cannam@48 78 This vulnerability is somewhat more likely to allow exfiltration of memory.
cannam@48 79 However, this requires the app to additionally echo the text back to the
cannam@48 80 attacker. To do this without segfaulting, the app would either need to attempt
cannam@48 81 to read only a subset of the text, or would need to have 2^32 contiguous bytes
cannam@48 82 of virtual memory mapped into its address space.
cannam@48 83
cannam@48 84 A related problem, also fixed in this change, occurs when a `Text` value
cannam@48 85 has non-zero size but lacks a NUL terminator. Again, if an application
cannam@48 86 performs the series of operations described above, the NUL terminator check
cannam@48 87 may be bypassed. If the app then passes the string to an API that assumes
cannam@48 88 NUL-terminated strings, the contents of memory after the text blob may be
cannam@48 89 interpreted as being part of the string, up to the next zero-valued byte.
cannam@48 90 This again could lead to exfiltration of data, this time without the high
cannam@48 91 chance of segfault, although only up to the next zero-valued byte, which
cannam@48 92 are typically quite common.
cannam@48 93
cannam@48 94 Preventative measures
cannam@48 95 =====================
cannam@48 96
cannam@48 97 This problem was discovered through preventative measures implemented after
cannam@48 98 the security problem discussed in the [previous advisory][1]. Specifically, this
cannam@48 99 problem was found by using template metaprogramming to implement integer
cannam@48 100 bounds analysis in order to effectively "prove" that there are no integer
cannam@48 101 overflows in the core pointer validation code (capnp/layout.c++).
cannam@48 102 Tentatively, I believe that this analysis exhaustively covers this file.
cannam@48 103 The instrumentation has not been merged into master yet as it requires some
cannam@48 104 cleanup, but [check the Cap'n Proto blog for an in-depth discussion][2].
cannam@48 105
cannam@48 106 This problem is also caught by capnp/fuzz-test.c++, which *has* been
cannam@48 107 merged into master but likely doesn't have as broad coverage.
cannam@48 108
cannam@48 109 [1]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-0-c++-integer-overflow.md
cannam@48 110 [2]: https://capnproto.org/news/2015-03-02-security-advisory-and-integer-overflow-protection.html