cannam@62: Problem cannam@62: ======= cannam@62: cannam@62: Integer overflow in pointer validation. cannam@62: cannam@62: Discovered by cannam@62: ============= cannam@62: cannam@62: Ben Laurie <ben@links.org> using [American Fuzzy Lop](http://lcamtuf.coredump.cx/afl/) cannam@62: cannam@62: Announced cannam@62: ========= cannam@62: cannam@62: 2015-03-02 cannam@62: cannam@62: CVE cannam@62: === cannam@62: cannam@62: CVE-2015-2310 cannam@62: cannam@62: Impact cannam@62: ====== cannam@62: cannam@62: - Remotely segfault a peer by sending it a malicious message. cannam@62: - Possible exfiltration of memory, depending on application behavior. cannam@62: cannam@62: Fixed in cannam@62: ======== cannam@62: cannam@62: - git commit [f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa][0] cannam@62: - release 0.5.1.1: cannam@62: - Unix: https://capnproto.org/capnproto-c++-0.5.1.1.tar.gz cannam@62: - Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.1.zip cannam@62: - release 0.4.1.1: cannam@62: - Unix: https://capnproto.org/capnproto-c++-0.4.1.1.tar.gz cannam@62: - release 0.6 (future) cannam@62: cannam@62: [0]: https://github.com/sandstorm-io/capnproto/commit/f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa cannam@62: cannam@62: Details cannam@62: ======= cannam@62: cannam@62: *The following text contains speculation about the exploitability of this cannam@62: bug. This is provided for informational purposes, but as such speculation is cannam@62: often shown to be wrong, you should not rely on the accuracy of this cannam@62: section for the safety of your service. Please update your library.* cannam@62: cannam@62: A specially-crafted pointer could escape bounds checking by triggering an cannam@62: integer overflow in the check. This causes the message to appear as if it cannam@62: contains an extremely long list (over 2^32 bytes), stretching far beyond the cannam@62: memory actually allocated to the message. If the application reads that list, cannam@62: it will likely segfault, but if it manages to avoid a segfault (e.g. because cannam@62: it has mapped a very large contiguous block of memory following the message, cannam@62: or because it only reads some parts of the list and not others), it could end cannam@62: up treating arbitrary parts of memory as input. If the application happens to cannam@62: pass that data back to the user in some way, this problem could lead to cannam@62: exfiltration of secrets. cannam@62: cannam@62: The pointer is transitively read-only, therefore it is believed that this cannam@62: vulnerability on its own CANNOT lead to memory corruption nor code execution. cannam@62: cannam@62: This vulnerability is NOT a Sandstorm sandbox breakout. A Sandstorm app's cannam@62: Cap'n Proto communications pass through a supervisor process which performs a cannam@62: deep copy of the structure. As the supervisor has a very small heap, this cannam@62: will always lead to a segfault, which has the effect of killing the app, but cannam@62: does not affect any other app or the system at large. If somehow the copy cannam@62: succeeds, the copied message will no longer contain an invalid pointer and cannam@62: so will not harm its eventual destination, and the supervisor itself has no cannam@62: secrets to steal. These mitigations are by design. cannam@62: cannam@62: Preventative measures cannam@62: ===================== cannam@62: cannam@62: In order to gain confidence that this is a one-off bug rather than endemic, cannam@62: and to help prevent new bugs from being added, we have taken / will take the cannam@62: following preventative measures going forward: cannam@62: cannam@62: 1. A fuzz test of each pointer type has been added to the standard unit test cannam@62: suite. This test was confirmed to find the vulnerability in question. cannam@62: 2. We will additionally add fuzz testing with American Fuzzy Lop to our cannam@62: extended test suite. AFL was used to find the original vulnerability. Our cannam@62: current tests with AFL show only one other (less-critical) vulnerability cannam@62: which will be reported separately ([2015-03-02-2][2]). cannam@62: 3. In parallel, we will extend our use of template metaprogramming for cannam@62: compile-time unit analysis (kj::Quantity in kj/units.h) to also cover cannam@62: overflow detection (by tracking the maximum size of an integer value across cannam@62: arithmetic expressions and raising an error when it overflows). Preliminary cannam@62: work with this approach successfully detected the vulnerability reported cannam@62: here as well as one other vulnerability ([2015-03-02-1][3]). cannam@62: [See the blog post][4] for more details. cannam@62: 4. We will continue to require that all tests (including the new fuzz test) run cannam@62: cleanly under Valgrind before each release. cannam@62: 5. We will commission a professional security review before any 1.0 release. cannam@62: Until that time, we continue to recommend against using Cap'n Proto to cannam@62: interpret data from potentially-malicious sources. cannam@62: cannam@62: I am pleased that measures 1, 2, and 3 all detected this bug, suggesting that cannam@62: they have a high probability of catching any similar bugs. cannam@62: cannam@62: [1]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-0-all-cpu-amplification.md cannam@62: [2]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-1-c++-integer-underflow.md cannam@62: [3]: https://capnproto.org/news/2015-03-02-security-advisory-and-integer-overflow-protection.html