Mercurial > hg > sv-dependency-builds
comparison src/capnproto-git-20161025/security-advisories/2015-03-02-0-c++-integer-overflow.md @ 133:1ac99bfc383d
Add Cap'n Proto source
| author | Chris Cannam <cannam@all-day-breakfast.com> |
|---|---|
| date | Tue, 25 Oct 2016 11:17:01 +0100 |
| parents | |
| children |
comparison
equal
deleted
inserted
replaced
| 132:42a73082be24 | 133:1ac99bfc383d |
|---|---|
| 1 Problem | |
| 2 ======= | |
| 3 | |
| 4 Integer overflow in pointer validation. | |
| 5 | |
| 6 Discovered by | |
| 7 ============= | |
| 8 | |
| 9 Ben Laurie <ben@links.org> using [American Fuzzy Lop](http://lcamtuf.coredump.cx/afl/) | |
| 10 | |
| 11 Announced | |
| 12 ========= | |
| 13 | |
| 14 2015-03-02 | |
| 15 | |
| 16 CVE | |
| 17 === | |
| 18 | |
| 19 CVE-2015-2310 | |
| 20 | |
| 21 Impact | |
| 22 ====== | |
| 23 | |
| 24 - Remotely segfault a peer by sending it a malicious message. | |
| 25 - Possible exfiltration of memory, depending on application behavior. | |
| 26 | |
| 27 Fixed in | |
| 28 ======== | |
| 29 | |
| 30 - git commit [f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa][0] | |
| 31 - release 0.5.1.1: | |
| 32 - Unix: https://capnproto.org/capnproto-c++-0.5.1.1.tar.gz | |
| 33 - Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.1.zip | |
| 34 - release 0.4.1.1: | |
| 35 - Unix: https://capnproto.org/capnproto-c++-0.4.1.1.tar.gz | |
| 36 - release 0.6 (future) | |
| 37 | |
| 38 [0]: https://github.com/sandstorm-io/capnproto/commit/f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa | |
| 39 | |
| 40 Details | |
| 41 ======= | |
| 42 | |
| 43 *The following text contains speculation about the exploitability of this | |
| 44 bug. This is provided for informational purposes, but as such speculation is | |
| 45 often shown to be wrong, you should not rely on the accuracy of this | |
| 46 section for the safety of your service. Please update your library.* | |
| 47 | |
| 48 A specially-crafted pointer could escape bounds checking by triggering an | |
| 49 integer overflow in the check. This causes the message to appear as if it | |
| 50 contains an extremely long list (over 2^32 bytes), stretching far beyond the | |
| 51 memory actually allocated to the message. If the application reads that list, | |
| 52 it will likely segfault, but if it manages to avoid a segfault (e.g. because | |
| 53 it has mapped a very large contiguous block of memory following the message, | |
| 54 or because it only reads some parts of the list and not others), it could end | |
| 55 up treating arbitrary parts of memory as input. If the application happens to | |
| 56 pass that data back to the user in some way, this problem could lead to | |
| 57 exfiltration of secrets. | |
| 58 | |
| 59 The pointer is transitively read-only, therefore it is believed that this | |
| 60 vulnerability on its own CANNOT lead to memory corruption nor code execution. | |
| 61 | |
| 62 This vulnerability is NOT a Sandstorm sandbox breakout. A Sandstorm app's | |
| 63 Cap'n Proto communications pass through a supervisor process which performs a | |
| 64 deep copy of the structure. As the supervisor has a very small heap, this | |
| 65 will always lead to a segfault, which has the effect of killing the app, but | |
| 66 does not affect any other app or the system at large. If somehow the copy | |
| 67 succeeds, the copied message will no longer contain an invalid pointer and | |
| 68 so will not harm its eventual destination, and the supervisor itself has no | |
| 69 secrets to steal. These mitigations are by design. | |
| 70 | |
| 71 Preventative measures | |
| 72 ===================== | |
| 73 | |
| 74 In order to gain confidence that this is a one-off bug rather than endemic, | |
| 75 and to help prevent new bugs from being added, we have taken / will take the | |
| 76 following preventative measures going forward: | |
| 77 | |
| 78 1. A fuzz test of each pointer type has been added to the standard unit test | |
| 79 suite. This test was confirmed to find the vulnerability in question. | |
| 80 2. We will additionally add fuzz testing with American Fuzzy Lop to our | |
| 81 extended test suite. AFL was used to find the original vulnerability. Our | |
| 82 current tests with AFL show only one other (less-critical) vulnerability | |
| 83 which will be reported separately ([2015-03-02-2][2]). | |
| 84 3. In parallel, we will extend our use of template metaprogramming for | |
| 85 compile-time unit analysis (kj::Quantity in kj/units.h) to also cover | |
| 86 overflow detection (by tracking the maximum size of an integer value across | |
| 87 arithmetic expressions and raising an error when it overflows). Preliminary | |
| 88 work with this approach successfully detected the vulnerability reported | |
| 89 here as well as one other vulnerability ([2015-03-02-1][3]). | |
| 90 [See the blog post][4] for more details. | |
| 91 4. We will continue to require that all tests (including the new fuzz test) run | |
| 92 cleanly under Valgrind before each release. | |
| 93 5. We will commission a professional security review before any 1.0 release. | |
| 94 Until that time, we continue to recommend against using Cap'n Proto to | |
| 95 interpret data from potentially-malicious sources. | |
| 96 | |
| 97 I am pleased that measures 1, 2, and 3 all detected this bug, suggesting that | |
| 98 they have a high probability of catching any similar bugs. | |
| 99 | |
| 100 [1]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-0-all-cpu-amplification.md | |
| 101 [2]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-1-c++-integer-underflow.md | |
| 102 [3]: https://capnproto.org/news/2015-03-02-security-advisory-and-integer-overflow-protection.html |