cannam@133: Problem cannam@133: ======= cannam@133: cannam@133: Integer overflow in pointer validation. cannam@133: cannam@133: Discovered by cannam@133: ============= cannam@133: cannam@133: Ben Laurie <ben@links.org> using [American Fuzzy Lop](http://lcamtuf.coredump.cx/afl/) cannam@133: cannam@133: Announced cannam@133: ========= cannam@133: cannam@133: 2015-03-02 cannam@133: cannam@133: CVE cannam@133: === cannam@133: cannam@133: CVE-2015-2310 cannam@133: cannam@133: Impact cannam@133: ====== cannam@133: cannam@133: - Remotely segfault a peer by sending it a malicious message. cannam@133: - Possible exfiltration of memory, depending on application behavior. cannam@133: cannam@133: Fixed in cannam@133: ======== cannam@133: cannam@133: - git commit [f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa][0] cannam@133: - release 0.5.1.1: cannam@133: - Unix: https://capnproto.org/capnproto-c++-0.5.1.1.tar.gz cannam@133: - Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.1.zip cannam@133: - release 0.4.1.1: cannam@133: - Unix: https://capnproto.org/capnproto-c++-0.4.1.1.tar.gz cannam@133: - release 0.6 (future) cannam@133: cannam@133: [0]: https://github.com/sandstorm-io/capnproto/commit/f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa cannam@133: cannam@133: Details cannam@133: ======= cannam@133: cannam@133: *The following text contains speculation about the exploitability of this cannam@133: bug. This is provided for informational purposes, but as such speculation is cannam@133: often shown to be wrong, you should not rely on the accuracy of this cannam@133: section for the safety of your service. Please update your library.* cannam@133: cannam@133: A specially-crafted pointer could escape bounds checking by triggering an cannam@133: integer overflow in the check. This causes the message to appear as if it cannam@133: contains an extremely long list (over 2^32 bytes), stretching far beyond the cannam@133: memory actually allocated to the message. If the application reads that list, cannam@133: it will likely segfault, but if it manages to avoid a segfault (e.g. because cannam@133: it has mapped a very large contiguous block of memory following the message, cannam@133: or because it only reads some parts of the list and not others), it could end cannam@133: up treating arbitrary parts of memory as input. If the application happens to cannam@133: pass that data back to the user in some way, this problem could lead to cannam@133: exfiltration of secrets. cannam@133: cannam@133: The pointer is transitively read-only, therefore it is believed that this cannam@133: vulnerability on its own CANNOT lead to memory corruption nor code execution. cannam@133: cannam@133: This vulnerability is NOT a Sandstorm sandbox breakout. A Sandstorm app's cannam@133: Cap'n Proto communications pass through a supervisor process which performs a cannam@133: deep copy of the structure. As the supervisor has a very small heap, this cannam@133: will always lead to a segfault, which has the effect of killing the app, but cannam@133: does not affect any other app or the system at large. If somehow the copy cannam@133: succeeds, the copied message will no longer contain an invalid pointer and cannam@133: so will not harm its eventual destination, and the supervisor itself has no cannam@133: secrets to steal. These mitigations are by design. cannam@133: cannam@133: Preventative measures cannam@133: ===================== cannam@133: cannam@133: In order to gain confidence that this is a one-off bug rather than endemic, cannam@133: and to help prevent new bugs from being added, we have taken / will take the cannam@133: following preventative measures going forward: cannam@133: cannam@133: 1. A fuzz test of each pointer type has been added to the standard unit test cannam@133: suite. This test was confirmed to find the vulnerability in question. cannam@133: 2. We will additionally add fuzz testing with American Fuzzy Lop to our cannam@133: extended test suite. AFL was used to find the original vulnerability. Our cannam@133: current tests with AFL show only one other (less-critical) vulnerability cannam@133: which will be reported separately ([2015-03-02-2][2]). cannam@133: 3. In parallel, we will extend our use of template metaprogramming for cannam@133: compile-time unit analysis (kj::Quantity in kj/units.h) to also cover cannam@133: overflow detection (by tracking the maximum size of an integer value across cannam@133: arithmetic expressions and raising an error when it overflows). Preliminary cannam@133: work with this approach successfully detected the vulnerability reported cannam@133: here as well as one other vulnerability ([2015-03-02-1][3]). cannam@133: [See the blog post][4] for more details. cannam@133: 4. We will continue to require that all tests (including the new fuzz test) run cannam@133: cleanly under Valgrind before each release. cannam@133: 5. We will commission a professional security review before any 1.0 release. cannam@133: Until that time, we continue to recommend against using Cap'n Proto to cannam@133: interpret data from potentially-malicious sources. cannam@133: cannam@133: I am pleased that measures 1, 2, and 3 all detected this bug, suggesting that cannam@133: they have a high probability of catching any similar bugs. cannam@133: cannam@133: [1]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-0-all-cpu-amplification.md cannam@133: [2]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-1-c++-integer-underflow.md cannam@133: [3]: https://capnproto.org/news/2015-03-02-security-advisory-and-integer-overflow-protection.html