cannam@62: Problem cannam@62: ======= cannam@62: cannam@62: Integer underflow in pointer validation. cannam@62: cannam@62: Discovered by cannam@62: ============= cannam@62: cannam@62: Kenton Varda <kenton@sandstorm.io> cannam@62: cannam@62: Announced cannam@62: ========= cannam@62: cannam@62: 2015-03-02 cannam@62: cannam@62: CVE cannam@62: === cannam@62: cannam@62: CVE-2015-2311 cannam@62: cannam@62: Impact cannam@62: ====== cannam@62: cannam@62: - Remotely segfault a peer by sending it a malicious message. cannam@62: - Possible exfiltration of memory, depending on application behavior. cannam@62: - If the application performs a sequence of operations that "probably" no cannam@62: application does (see below), possible memory corruption / code execution. cannam@62: cannam@62: Fixed in cannam@62: ======== cannam@62: cannam@62: - git commit [26bcceda72372211063d62aab7e45665faa83633][0] cannam@62: - release 0.5.1.1: cannam@62: - Unix: https://capnproto.org/capnproto-c++-0.5.1.1.tar.gz cannam@62: - Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.1.zip cannam@62: - release 0.4.1.1: cannam@62: - Unix: https://capnproto.org/capnproto-c++-0.4.1.1.tar.gz cannam@62: - release 0.6 (future) cannam@62: cannam@62: [0]: https://github.com/sandstorm-io/capnproto/commit/26bcceda72372211063d62aab7e45665faa83633 cannam@62: cannam@62: Details cannam@62: ======= cannam@62: cannam@62: *The following text contains speculation about the exploitability of this cannam@62: bug. This is provided for informational purposes, but as such speculation is cannam@62: often shown to be wrong, you should not rely on the accuracy of this cannam@62: section for the safety of your service. Please update your library.* cannam@62: cannam@62: A `Text` pointer, when non-null, must point to a NUL-terminated string, meaning cannam@62: it must have a size of at least 1. Under most circumstances, Cap'n Proto will cannam@62: reject zero-size text objects. However, if an application performs the cannam@62: following sequence, they may hit a code path that was missing a check: cannam@62: cannam@62: 1. Receive a message containing a `Text` value, but do not actually look at cannam@62: that value. cannam@62: 2. Copy the message into a `MessageBuilder`. cannam@62: 3. Call the `get()` method for the `Text` value within the `MessageBuilder`, cannam@62: obtaining a `Text::Builder` for the *copy*. cannam@62: cannam@62: In this case, the `Text::Builder` will appear to point at a string with size cannam@62: 2^32-1, starting at a location within the Cap'n Proto message. cannam@62: cannam@62: The `Text::Builder` is writable. If the application decided to overwrite the cannam@62: text in-place, it could overwrite arbitrary memory in the next 4GB of virtual cannam@62: address space. However, there are several reasons to believe this is unusual: cannam@62: cannam@62: - Usually, when an application `get()`s a text field, it only intends to cannam@62: read it. Overwriting the text in-place is unusual. cannam@62: - Calling `set()` on the field -- the usual way to overwrite text -- will cannam@62: create an all-new text object and harmlessly discard the old, invalid cannam@62: pointer. cannam@62: cannam@62: Note that even if an application does overwrite the text, it would still be cannam@62: hard for the attacker to exploit this for code execution unless the attacker cannam@62: also controls the data that the application writes into the field. cannam@62: cannam@62: This vulnerability is somewhat more likely to allow exfiltration of memory. cannam@62: However, this requires the app to additionally echo the text back to the cannam@62: attacker. To do this without segfaulting, the app would either need to attempt cannam@62: to read only a subset of the text, or would need to have 2^32 contiguous bytes cannam@62: of virtual memory mapped into its address space. cannam@62: cannam@62: A related problem, also fixed in this change, occurs when a `Text` value cannam@62: has non-zero size but lacks a NUL terminator. Again, if an application cannam@62: performs the series of operations described above, the NUL terminator check cannam@62: may be bypassed. If the app then passes the string to an API that assumes cannam@62: NUL-terminated strings, the contents of memory after the text blob may be cannam@62: interpreted as being part of the string, up to the next zero-valued byte. cannam@62: This again could lead to exfiltration of data, this time without the high cannam@62: chance of segfault, although only up to the next zero-valued byte, which cannam@62: are typically quite common. cannam@62: cannam@62: Preventative measures cannam@62: ===================== cannam@62: cannam@62: This problem was discovered through preventative measures implemented after cannam@62: the security problem discussed in the [previous advisory][1]. Specifically, this cannam@62: problem was found by using template metaprogramming to implement integer cannam@62: bounds analysis in order to effectively "prove" that there are no integer cannam@62: overflows in the core pointer validation code (capnp/layout.c++). cannam@62: Tentatively, I believe that this analysis exhaustively covers this file. cannam@62: The instrumentation has not been merged into master yet as it requires some cannam@62: cleanup, but [check the Cap'n Proto blog for an in-depth discussion][2]. cannam@62: cannam@62: This problem is also caught by capnp/fuzz-test.c++, which *has* been cannam@62: merged into master but likely doesn't have as broad coverage. cannam@62: cannam@62: [1]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-0-c++-integer-overflow.md cannam@62: [2]: https://capnproto.org/news/2015-03-02-security-advisory-and-integer-overflow-protection.html