src/capnproto-git-20161025/security-advisories/2015-03-02-0-c++-integer-overflow.md @ 133:1ac99bfc383d
Add Cap'n Proto source
author: Chris Cannam <cannam@all-day-breakfast.com>
date: Tue, 25 Oct 2016 11:17:01 +0100

Problem
=======

Integer overflow in pointer validation.

Discovered by
=============

Ben Laurie <ben@links.org> using [American Fuzzy Lop](http://lcamtuf.coredump.cx/afl/)

Announced
=========

2015-03-02

CVE
===

CVE-2015-2310

Impact
======

- Remotely segfault a peer by sending it a malicious message.
- Possible exfiltration of memory, depending on application behavior.

Fixed in
========

- git commit [f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa][0]
- release 0.5.1.1:
  - Unix: https://capnproto.org/capnproto-c++-0.5.1.1.tar.gz
  - Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.1.zip
- release 0.4.1.1:
  - Unix: https://capnproto.org/capnproto-c++-0.4.1.1.tar.gz
- release 0.6 (future)

[0]: https://github.com/sandstorm-io/capnproto/commit/f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa

Details
=======

*The following text contains speculation about the exploitability of this
bug. This is provided for informational purposes, but as such speculation is
often shown to be wrong, you should not rely on the accuracy of this
section for the safety of your service. Please update your library.*

A specially-crafted pointer could escape bounds checking by triggering an
integer overflow in the check. This causes the message to appear as if it
contains an extremely long list (over 2^32 bytes), stretching far beyond the
memory actually allocated to the message. If the application reads that list,
it will likely segfault, but if it manages to avoid a segfault (e.g. because
it has mapped a very large contiguous block of memory following the message,
or because it only reads some parts of the list and not others), it could end
up treating arbitrary parts of memory as input. If the application happens to
pass that data back to the user in some way, this problem could lead to
exfiltration of secrets.
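The overflow described above, as an added example that is not Cap'n Proto's own validation code: a simplified model of a list-pointer bounds check, first in the 32-bit form whose product and sum can wrap, then in a form that compares the element count against the space that remains and so never computes a value that can wrap. The segment layout, the field names and widths, and the sample pointers are assumptions constructed for illustration.

```cpp
#include <cstdint>

// Simplified model (an assumption for illustration, not Cap'n Proto's real
// layout): a segment is a buffer of 8-byte words, and a list pointer names a
// start offset in words plus an element count and an element size in bytes,
// all 32-bit fields read from the untrusted message.
struct Segment {
    uint32_t sizeWords;        // words actually allocated to this segment
};

struct ListPointer {
    uint32_t offsetWords;      // start of the list, in words from segment start
    uint32_t elementCount;
    uint32_t elementSizeBytes;
};

constexpr uint32_t BYTES_PER_WORD = 8;

// True byte length of the list, computed without truncation, so a reader can
// see what the vulnerable check fails to notice.
uint64_t trueListBytes(const ListPointer& p) {
    return uint64_t(p.elementCount) * p.elementSizeBytes;
}

// Overflow-prone form: the list's end is computed in 32-bit arithmetic. When
// count * size (or the additions that follow) exceeds 2^32 it wraps, the end
// looks small, and a list stretching far past the segment is accepted.
bool validateVulnerable(const Segment& seg, const ListPointer& p) {
    uint32_t listBytes = p.elementCount * p.elementSizeBytes;               // may wrap
    uint32_t listWords = (listBytes + BYTES_PER_WORD - 1) / BYTES_PER_WORD; // may wrap
    uint32_t endWords = p.offsetWords + listWords;                          // may wrap
    return endWords <= seg.sizeWords;
}

// Hardened form: never compute a quantity that can wrap. Confirm the start is
// inside the segment, then compare the element count against how many
// elements of this size fit in the words that remain. Division by the element
// size replaces the multiply, so no intermediate exceeds the input range.
bool validateHardened(const Segment& seg, const ListPointer& p) {
    if (p.offsetWords > seg.sizeWords) return false;
    uint64_t remainingBytes = uint64_t(seg.sizeWords - p.offsetWords) * BYTES_PER_WORD;
    if (p.elementSizeBytes == 0) return true;   // zero-size elements occupy no space
    return p.elementCount <= remainingBytes / p.elementSizeBytes;
}

// Constructed sample inputs: a 16-word (128-byte) segment, an honest pointer
// that exactly fills it, and a pointer whose 2^31 elements of 2 bytes total
// exactly 2^32 bytes, which wraps to 0 in the 32-bit check.
const Segment kSegment{16};
const ListPointer kHonest{0, 16, 8};
const ListPointer kWrapping{0, 0x80000000u, 2};
```

The wrapping pointer passes `validateVulnerable` although `trueListBytes` reports a list of 2^32 bytes against a 128-byte segment, which is the "extremely long list" the advisory describes; `validateHardened` rejects it because 2^31 elements cannot fit in the 64 two-byte slots that remain. Rearranging a check so that untrusted values are only ever compared, never multiplied into a fixed-width intermediate, is the general defence the fix relies on.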

The pointer is transitively read-only, therefore it is believed that this
vulnerability on its own CANNOT lead to memory corruption nor code execution.

This vulnerability is NOT a Sandstorm sandbox breakout. A Sandstorm app's
Cap'n Proto communications pass through a supervisor process which performs a
deep copy of the structure. As the supervisor has a very small heap, this
will always lead to a segfault, which has the effect of killing the app, but
does not affect any other app or the system at large. If somehow the copy
succeeds, the copied message will no longer contain an invalid pointer and
so will not harm its eventual destination, and the supervisor itself has no
secrets to steal. These mitigations are by design.

Preventative measures
=====================

In order to gain confidence that this is a one-off bug rather than endemic,
and to help prevent new bugs from being added, we have taken / will take the
following preventative measures going forward:

1. A fuzz test of each pointer type has been added to the standard unit test
   suite. This test was confirmed to find the vulnerability in question.
2. We will additionally add fuzz testing with American Fuzzy Lop to our
   extended test suite. AFL was used to find the original vulnerability. Our
   current tests with AFL show only one other (less-critical) vulnerability
   which will be reported separately ([2015-03-02-2][1]).
3. In parallel, we will extend our use of template metaprogramming for
   compile-time unit analysis (kj::Quantity in kj/units.h) to also cover
   overflow detection (by tracking the maximum size of an integer value across
   arithmetic expressions and raising an error when it overflows). Preliminary
   work with this approach successfully detected the vulnerability reported
   here as well as one other vulnerability ([2015-03-02-1][2]).
   [See the blog post][3] for more details.
4. We will continue to require that all tests (including the new fuzz test) run
   cleanly under Valgrind before each release.
5. We will commission a professional security review before any 1.0 release.
   Until that time, we continue to recommend against using Cap'n Proto to
   interpret data from potentially-malicious sources.

I am pleased that measures 1, 2, and 3 all detected this bug, suggesting that
they have a high probability of catching any similar bugs.
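Measure 3 above, as an added example that is not kj's own `kj::Quantity` / `kj/units.h` code: a minimal bounded integer whose maximum possible value is part of its type, so that combining two values produces a type whose bound is the sum or product of theirs, and an expression whose bound no longer fits in 32 bits is rejected by the compiler. The `Bounded` template, its operators and the `listFits` model of this advisory's check are assumptions constructed for illustration.

```cpp
#include <cstdint>
#include <limits>

// A 32-bit value whose maximum possible value kMax travels in the type.
// Instantiating a Bounded whose bound exceeds uint32_t is a compile error,
// which is how an arithmetic expression that could overflow is detected.
template <uint64_t kMax>
struct Bounded {
    static_assert(kMax <= std::numeric_limits<uint32_t>::max(),
                  "result may exceed 32-bit range: rearrange the check");
    uint32_t value;
    constexpr explicit Bounded(uint32_t v) : value(v) {}
    constexpr uint32_t unwrap() const { return value; }
};

// Bound of a sum is the sum of the bounds; of a product, the product. The
// bound arithmetic is done in uint64_t and guarded so it cannot itself wrap.
template <uint64_t A, uint64_t B>
constexpr Bounded<A + B> operator+(Bounded<A> a, Bounded<B> b) {
    static_assert(A <= std::numeric_limits<uint64_t>::max() - B, "bound arithmetic wrapped");
    return Bounded<A + B>(a.value + b.value);
}

template <uint64_t A, uint64_t B>
constexpr Bounded<A * B> operator*(Bounded<A> a, Bounded<B> b) {
    static_assert(B == 0 || A <= std::numeric_limits<uint64_t>::max() / B, "bound arithmetic wrapped");
    return Bounded<A * B>(a.value * b.value);
}

// Dividing by a value of at least 1 never grows the result, so the bound of
// the dividend carries over. Callers reject a zero divisor before dividing.
template <uint64_t A, uint64_t B>
constexpr Bounded<A> operator/(Bounded<A> a, Bounded<B> b) {
    return Bounded<A>(a.value / b.value);
}

template <uint64_t A, uint64_t B>
constexpr bool operator<=(Bounded<A> a, Bounded<B> b) {
    return a.value <= b.value;
}

// The check from this advisory as a constructed model (not the library's
// code): untrusted 32-bit count and element-size fields against a known
// remaining capacity in bytes. Returns true when the list fits.
bool listFits(uint32_t rawCount, uint32_t rawSizeBytes, uint32_t remainingBytes) {
    using Raw32 = Bounded<0xFFFFFFFFull>;
    Raw32 count(rawCount), elemSize(rawSizeBytes), remaining(remainingBytes);
    if (rawSizeBytes == 0) return true;   // zero-size elements occupy no space
    // The overflow-prone form is rejected at build time, because its result
    // type Bounded<0xFFFFFFFF * 0xFFFFFFFF> trips the static_assert above:
    //   auto total = count * elemSize;   // does not compile
    // The rearranged form keeps every intermediate within 32 bits.
    return count <= remaining / elemSize;
}

// Compile-time use: two fields bounded by 15 sum to a bound of 30, which fits,
// so the whole expression is a constant and needs no runtime check.
constexpr uint32_t sumOfSmallFields() {
    return (Bounded<15>(10) + Bounded<15>(5)).unwrap();
}
```

The value of the approach is that the failing case is a build error rather than a test that has to be thought of: uncommenting the multiply in `listFits` stops compilation with the message from the `static_assert`, while the division form compiles and gives the same results as the hardened runtime check. A real implementation would also track a minimum (to catch underflow) and integrate with unit tracking, as the advisory says `kj::Quantity` does.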

[1]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-0-all-cpu-amplification.md
[2]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-1-c++-integer-underflow.md
[3]: https://capnproto.org/news/2015-03-02-security-advisory-and-integer-overflow-protection.html