Mercurial > hg > sv-dependency-builds
comparison src/capnproto-git-20161025/security-advisories/2015-03-02-1-c++-integer-underflow.md @ 48:9530b331f8c1
Add Cap'n Proto source
| author | Chris Cannam <cannam@all-day-breakfast.com> |
|---|---|
| date | Tue, 25 Oct 2016 11:17:01 +0100 |
| parents | |
| children |
comparison
equal
deleted
inserted
replaced
| 47:d93140aac40b | 48:9530b331f8c1 |
|---|---|
| 1 Problem | |
| 2 ======= | |
| 3 | |
| 4 Integer underflow in pointer validation. | |
| 5 | |
| 6 Discovered by | |
| 7 ============= | |
| 8 | |
| 9 Kenton Varda <kenton@sandstorm.io> | |
| 10 | |
| 11 Announced | |
| 12 ========= | |
| 13 | |
| 14 2015-03-02 | |
| 15 | |
| 16 CVE | |
| 17 === | |
| 18 | |
| 19 CVE-2015-2311 | |
| 20 | |
| 21 Impact | |
| 22 ====== | |
| 23 | |
| 24 - Remotely segfault a peer by sending it a malicious message. | |
| 25 - Possible exfiltration of memory, depending on application behavior. | |
| 26 - If the application performs a sequence of operations that "probably" no | |
| 27 application does (see below), possible memory corruption / code execution. | |
| 28 | |
| 29 Fixed in | |
| 30 ======== | |
| 31 | |
| 32 - git commit [26bcceda72372211063d62aab7e45665faa83633][0] | |
| 33 - release 0.5.1.1: | |
| 34 - Unix: https://capnproto.org/capnproto-c++-0.5.1.1.tar.gz | |
| 35 - Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.1.zip | |
| 36 - release 0.4.1.1: | |
| 37 - Unix: https://capnproto.org/capnproto-c++-0.4.1.1.tar.gz | |
| 38 - release 0.6 (future) | |
| 39 | |
| 40 [0]: https://github.com/sandstorm-io/capnproto/commit/26bcceda72372211063d62aab7e45665faa83633 | |
| 41 | |
| 42 Details | |
| 43 ======= | |
| 44 | |
| 45 *The following text contains speculation about the exploitability of this | |
| 46 bug. This is provided for informational purposes, but as such speculation is | |
| 47 often shown to be wrong, you should not rely on the accuracy of this | |
| 48 section for the safety of your service. Please update your library.* | |
| 49 | |
| 50 A `Text` pointer, when non-null, must point to a NUL-terminated string, meaning | |
| 51 it must have a size of at least 1. Under most circumstances, Cap'n Proto will | |
| 52 reject zero-size text objects. However, if an application performs the | |
| 53 following sequence, they may hit a code path that was missing a check: | |
| 54 | |
| 55 1. Receive a message containing a `Text` value, but do not actually look at | |
| 56 that value. | |
| 57 2. Copy the message into a `MessageBuilder`. | |
| 58 3. Call the `get()` method for the `Text` value within the `MessageBuilder`, | |
| 59 obtaining a `Text::Builder` for the *copy*. | |
| 60 | |
| 61 In this case, the `Text::Builder` will appear to point at a string with size | |
| 62 2^32-1, starting at a location within the Cap'n Proto message. | |
| 63 | |
| 64 The `Text::Builder` is writable. If the application decided to overwrite the | |
| 65 text in-place, it could overwrite arbitrary memory in the next 4GB of virtual | |
| 66 address space. However, there are several reasons to believe this is unusual: | |
| 67 | |
| 68 - Usually, when an application `get()`s a text field, it only intends to | |
| 69 read it. Overwriting the text in-place is unusual. | |
| 70 - Calling `set()` on the field -- the usual way to overwrite text -- will | |
| 71 create an all-new text object and harmlessly discard the old, invalid | |
| 72 pointer. | |
| 73 | |
| 74 Note that even if an application does overwrite the text, it would still be | |
| 75 hard for the attacker to exploit this for code execution unless the attacker | |
| 76 also controls the data that the application writes into the field. | |
| 77 | |
| 78 This vulnerability is somewhat more likely to allow exfiltration of memory. | |
| 79 However, this requires the app to additionally echo the text back to the | |
| 80 attacker. To do this without segfaulting, the app would either need to attempt | |
| 81 to read only a subset of the text, or would need to have 2^32 contiguous bytes | |
| 82 of virtual memory mapped into its address space. | |
| 83 | |
| 84 A related problem, also fixed in this change, occurs when a `Text` value | |
| 85 has non-zero size but lacks a NUL terminator. Again, if an application | |
| 86 performs the series of operations described above, the NUL terminator check | |
| 87 may be bypassed. If the app then passes the string to an API that assumes | |
| 88 NUL-terminated strings, the contents of memory after the text blob may be | |
| 89 interpreted as being part of the string, up to the next zero-valued byte. | |
| 90 This again could lead to exfiltration of data, this time without the high | |
| 91 chance of segfault, although only up to the next zero-valued byte, which | |
| 92 are typically quite common. | |
| 93 | |
| 94 Preventative measures | |
| 95 ===================== | |
| 96 | |
| 97 This problem was discovered through preventative measures implemented after | |
| 98 the security problem discussed in the [previous advisory][1]. Specifically, this | |
| 99 problem was found by using template metaprogramming to implement integer | |
| 100 bounds analysis in order to effectively "prove" that there are no integer | |
| 101 overflows in the core pointer validation code (capnp/layout.c++). | |
| 102 Tentatively, I believe that this analysis exhaustively covers this file. | |
| 103 The instrumentation has not been merged into master yet as it requires some | |
| 104 cleanup, but [check the Cap'n Proto blog for an in-depth discussion][2]. | |
| 105 | |
| 106 This problem is also caught by capnp/fuzz-test.c++, which *has* been | |
| 107 merged into master but likely doesn't have as broad coverage. | |
| 108 | |
| 109 [1]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-0-c++-integer-overflow.md | |
| 110 [2]: https://capnproto.org/news/2015-03-02-security-advisory-and-integer-overflow-protection.html |