Mercurial > hg > sv-dependency-builds

annotate src/capnproto-git-20161025/security-advisories/2015-03-02-2-all-cpu-amplification.md @ 169:223a55898ab9 tip default

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Add null config files
author Chris Cannam <cannam@all-day-breakfast.com>
date Mon, 02 Mar 2020 14:03:47 +0000
parents 1ac99bfc383d
children
rev   line source
cannam@133 1 Problem
cannam@133 2 =======
cannam@133 3
cannam@133 4 CPU usage amplification attack.
cannam@133 5
cannam@133 6 Discovered by
cannam@133 7 =============
cannam@133 8
cannam@133 9 Ben Laurie &lt;ben@links.org> using [American Fuzzy Lop](http://lcamtuf.coredump.cx/afl/)
cannam@133 10
cannam@133 11 Announced
cannam@133 12 =========
cannam@133 13
cannam@133 14 2015-03-02
cannam@133 15
cannam@133 16 CVE
cannam@133 17 ===
cannam@133 18
cannam@133 19 CVE-2015-2312
cannam@133 20
cannam@133 21 Impact
cannam@133 22 ======
cannam@133 23
cannam@133 24 - Remotely cause a peer to use excessive CPU time and other resources to
cannam@133 25 process a very small message, possibly enabling a DoS attack.
cannam@133 26
cannam@133 27 Fixed in
cannam@133 28 ========
cannam@133 29
cannam@133 30 - git commit [104870608fde3c698483fdef6b97f093fc15685d][0]
cannam@133 31 - release 0.5.1.1:
cannam@133 32 - Unix: https://capnproto.org/capnproto-c++-0.5.1.1.tar.gz
cannam@133 33 - Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.1.zip
cannam@133 34 - release 0.4.1.1:
cannam@133 35 - Unix: https://capnproto.org/capnproto-c++-0.4.1.1.tar.gz
cannam@133 36 - release 0.6 (future)
cannam@133 37
cannam@133 38 [0]: https://github.com/sandstorm-io/capnproto/commit/104870608fde3c698483fdef6b97f093fc15685d
cannam@133 39
cannam@133 40 Details
cannam@133 41 =======
cannam@133 42
cannam@133 43 The Cap'n Proto list pointer format allows encoding a list whose elements are
cannam@133 44 claimed each to have a size of zero. Such a list could claim to have up to
cannam@133 45 2^29-1 elements while only taking 8 or 16 bytes on the wire. The receiving
cannam@133 46 application may expect, say, a list of structs. A zero-size struct is a
cannam@133 47 perfectly legal (and, in fact, canonical) encoding for a struct whose fields
cannam@133 48 are all set to their default values. Therefore, the application may notice
cannam@133 49 nothing wrong and proceed to iterate through and handle each element in the
cannam@133 50 list, potentially taking a lot of time and resources to do so.
cannam@133 51
cannam@133 52 Note that this kind of vulnerability is very common in other systems. Any
cannam@133 53 system which accepts compressed input can allow an attacker to deliver an
cannam@133 54 arbitrarily large uncompressed message using very little compressed bandwidth.
cannam@133 55 Applications should do their own validation to ensure that lists and blobs
cannam@133 56 inside a message have reasonable size. However, Cap'n Proto takes the
cannam@133 57 philosophy that any security mistake that is likely to be common in
cannam@133 58 naively-written application code is in fact a bug in Cap'n Proto -- we should
cannam@133 59 provide defenses so that the application developer doesn't have to.
cannam@133 60
cannam@133 61 To fix the problem, this change institutes the policy that, for the purpose of
cannam@133 62 the "message traversal limit", a list of zero-sized elements will be counted as
cannam@133 63 if each element were instead one word wide. The message traversal limit is an
cannam@133 64 existing anti-amplification measure implemented by Cap'n Proto; see:
cannam@133 65
cannam@133 66 https://capnproto.org/encoding.html#amplification-attack
cannam@133 67
cannam@133 68 Preventative measures
cannam@133 69 =====================
cannam@133 70
cannam@133 71 This problem was discovered through fuzz testing using American Fuzzy Lop,
cannam@133 72 which identified the problem as a "hang", although in fact the test case just
cannam@133 73 took a very long time to complete. We are incorporating testing with AFL into
cannam@133 74 our release process going forward.