|
cannam@147
|
1 Problem
|
|
cannam@147
|
2 =======
|
|
cannam@147
|
3
|
|
cannam@147
|
4 Integer overflow in pointer validation.
|
|
cannam@147
|
5
|
|
cannam@147
|
6 Discovered by
|
|
cannam@147
|
7 =============
|
|
cannam@147
|
8
|
|
cannam@147
|
9 Ben Laurie <ben@links.org> using [American Fuzzy Lop](http://lcamtuf.coredump.cx/afl/)
|
|
cannam@147
|
10
|
|
cannam@147
|
11 Announced
|
|
cannam@147
|
12 =========
|
|
cannam@147
|
13
|
|
cannam@147
|
14 2015-03-02
|
|
cannam@147
|
15
|
|
cannam@147
|
16 CVE
|
|
cannam@147
|
17 ===
|
|
cannam@147
|
18
|
|
cannam@147
|
19 CVE-2015-2310
|
|
cannam@147
|
20
|
|
cannam@147
|
21 Impact
|
|
cannam@147
|
22 ======
|
|
cannam@147
|
23
|
|
cannam@147
|
24 - Remotely segfault a peer by sending it a malicious message.
|
|
cannam@147
|
25 - Possible exfiltration of memory, depending on application behavior.
|
|
cannam@147
|
26
|
|
cannam@147
|
27 Fixed in
|
|
cannam@147
|
28 ========
|
|
cannam@147
|
29
|
|
cannam@147
|
30 - git commit [f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa][0]
|
|
cannam@147
|
31 - release 0.5.1.1:
|
|
cannam@147
|
32 - Unix: https://capnproto.org/capnproto-c++-0.5.1.1.tar.gz
|
|
cannam@147
|
33 - Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.1.zip
|
|
cannam@147
|
34 - release 0.4.1.1:
|
|
cannam@147
|
35 - Unix: https://capnproto.org/capnproto-c++-0.4.1.1.tar.gz
|
|
cannam@147
|
36 - release 0.6 (future)
|
|
cannam@147
|
37
|
|
cannam@147
|
38 [0]: https://github.com/sandstorm-io/capnproto/commit/f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa
|
|
cannam@147
|
39
|
|
cannam@147
|
40 Details
|
|
cannam@147
|
41 =======
|
|
cannam@147
|
42
|
|
cannam@147
|
43 *The following text contains speculation about the exploitability of this
|
|
cannam@147
|
44 bug. This is provided for informational purposes, but as such speculation is
|
|
cannam@147
|
45 often shown to be wrong, you should not rely on the accuracy of this
|
|
cannam@147
|
46 section for the safety of your service. Please update your library.*
|
|
cannam@147
|
47
|
|
cannam@147
|
48 A specially-crafted pointer could escape bounds checking by triggering an
|
|
cannam@147
|
49 integer overflow in the check. This causes the message to appear as if it
|
|
cannam@147
|
50 contains an extremely long list (over 2^32 bytes), stretching far beyond the
|
|
cannam@147
|
51 memory actually allocated to the message. If the application reads that list,
|
|
cannam@147
|
52 it will likely segfault, but if it manages to avoid a segfault (e.g. because
|
|
cannam@147
|
53 it has mapped a very large contiguous block of memory following the message,
|
|
cannam@147
|
54 or because it only reads some parts of the list and not others), it could end
|
|
cannam@147
|
55 up treating arbitrary parts of memory as input. If the application happens to
|
|
cannam@147
|
56 pass that data back to the user in some way, this problem could lead to
|
|
cannam@147
|
57 exfiltration of secrets.
|
|
cannam@147
|
58
|
|
cannam@147
|
59 The pointer is transitively read-only, therefore it is believed that this
|
|
cannam@147
|
60 vulnerability on its own CANNOT lead to memory corruption nor code execution.
|
|
cannam@147
|
61
|
|
cannam@147
|
62 This vulnerability is NOT a Sandstorm sandbox breakout. A Sandstorm app's
|
|
cannam@147
|
63 Cap'n Proto communications pass through a supervisor process which performs a
|
|
cannam@147
|
64 deep copy of the structure. As the supervisor has a very small heap, this
|
|
cannam@147
|
65 will always lead to a segfault, which has the effect of killing the app, but
|
|
cannam@147
|
66 does not affect any other app or the system at large. If somehow the copy
|
|
cannam@147
|
67 succeeds, the copied message will no longer contain an invalid pointer and
|
|
cannam@147
|
68 so will not harm its eventual destination, and the supervisor itself has no
|
|
cannam@147
|
69 secrets to steal. These mitigations are by design.
|
|
cannam@147
|
70
|
|
cannam@147
|
71 Preventative measures
|
|
cannam@147
|
72 =====================
|
|
cannam@147
|
73
|
|
cannam@147
|
74 In order to gain confidence that this is a one-off bug rather than endemic,
|
|
cannam@147
|
75 and to help prevent new bugs from being added, we have taken / will take the
|
|
cannam@147
|
76 following preventative measures going forward:
|
|
cannam@147
|
77
|
|
cannam@147
|
78 1. A fuzz test of each pointer type has been added to the standard unit test
|
|
cannam@147
|
79 suite. This test was confirmed to find the vulnerability in question.
|
|
cannam@147
|
80 2. We will additionally add fuzz testing with American Fuzzy Lop to our
|
|
cannam@147
|
81 extended test suite. AFL was used to find the original vulnerability. Our
|
|
cannam@147
|
82 current tests with AFL show only one other (less-critical) vulnerability
|
|
cannam@147
|
83 which will be reported separately ([2015-03-02-2][2]).
|
|
cannam@147
|
84 3. In parallel, we will extend our use of template metaprogramming for
|
|
cannam@147
|
85 compile-time unit analysis (kj::Quantity in kj/units.h) to also cover
|
|
cannam@147
|
86 overflow detection (by tracking the maximum size of an integer value across
|
|
cannam@147
|
87 arithmetic expressions and raising an error when it overflows). Preliminary
|
|
cannam@147
|
88 work with this approach successfully detected the vulnerability reported
|
|
cannam@147
|
89 here as well as one other vulnerability ([2015-03-02-1][3]).
|
|
cannam@147
|
90 [See the blog post][4] for more details.
|
|
cannam@147
|
91 4. We will continue to require that all tests (including the new fuzz test) run
|
|
cannam@147
|
92 cleanly under Valgrind before each release.
|
|
cannam@147
|
93 5. We will commission a professional security review before any 1.0 release.
|
|
cannam@147
|
94 Until that time, we continue to recommend against using Cap'n Proto to
|
|
cannam@147
|
95 interpret data from potentially-malicious sources.
|
|
cannam@147
|
96
|
|
cannam@147
|
97 I am pleased that measures 1, 2, and 3 all detected this bug, suggesting that
|
|
cannam@147
|
98 they have a high probability of catching any similar bugs.
|
|
cannam@147
|
99
|
|
cannam@147
|
100 [1]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-0-all-cpu-amplification.md
|
|
cannam@147
|
101 [2]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-1-c++-integer-underflow.md
|
|
cannam@147
|
102 [3]: https://capnproto.org/news/2015-03-02-security-advisory-and-integer-overflow-protection.html
|
