Problem
=======

Integer overflow in pointer validation.

Discovered by
=============

Ben Laurie <ben@links.org> using [American Fuzzy Lop](http://lcamtuf.coredump.cx/afl/)

Announced
=========

2015-03-02

CVE
===

CVE-2015-2310

Impact
======

- Remotely segfault a peer by sending it a malicious message.
- Possible exfiltration of memory, depending on application behavior.

Fixed in
========

- git commit [f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa][0]
- release 0.5.1.1:
  - Unix: https://capnproto.org/capnproto-c++-0.5.1.1.tar.gz
  - Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.1.zip
- release 0.4.1.1:
  - Unix: https://capnproto.org/capnproto-c++-0.4.1.1.tar.gz
- release 0.6 (future)

[0]: https://github.com/sandstorm-io/capnproto/commit/f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa

Details
=======

*The following text contains speculation about the exploitability of this
bug. This is provided for informational purposes, but as such speculation is
often shown to be wrong, you should not rely on the accuracy of this
section for the safety of your service. Please update your library.*

A specially-crafted pointer could escape bounds checking by triggering an
integer overflow in the check. This causes the message to appear as if it
contains an extremely long list (over 2^32 bytes), stretching far beyond the
memory actually allocated to the message.
If the application reads that list,
it will likely segfault, but if it manages to avoid a segfault (e.g. because
it has mapped a very large contiguous block of memory following the message,
or because it only reads some parts of the list and not others), it could end
up treating arbitrary parts of memory as input. If the application happens to
pass that data back to the user in some way, this problem could lead to
exfiltration of secrets.

The pointer is transitively read-only, and therefore it is believed that this
vulnerability on its own CANNOT lead to memory corruption or code execution.

This vulnerability is NOT a Sandstorm sandbox breakout. A Sandstorm app's
Cap'n Proto communications pass through a supervisor process which performs a
deep copy of the structure. As the supervisor has a very small heap, this
will always lead to a segfault, which has the effect of killing the app, but
does not affect any other app or the system at large. If somehow the copy
succeeds, the copied message will no longer contain an invalid pointer and
so will not harm its eventual destination, and the supervisor itself has no
secrets to steal. These mitigations are by design.

Preventative measures
=====================

In order to gain confidence that this is a one-off bug rather than endemic,
and to help prevent new bugs from being added, we have taken, or will take,
the following preventative measures going forward:

1. A fuzz test of each pointer type has been added to the standard unit test
   suite. This test was confirmed to find the vulnerability in question.
2. We will additionally add fuzz testing with American Fuzzy Lop to our
   extended test suite.
   AFL was used to find the original vulnerability. Our
   current tests with AFL show only one other (less-critical) vulnerability
   which will be reported separately ([2015-03-02-2][2]).
3. In parallel, we will extend our use of template metaprogramming for
   compile-time unit analysis (kj::Quantity in kj/units.h) to also cover
   overflow detection (by tracking the maximum size of an integer value across
   arithmetic expressions and raising an error when it overflows). Preliminary
   work with this approach successfully detected the vulnerability reported
   here as well as one other vulnerability ([2015-03-02-1][3]).
   [See the blog post][4] for more details.
4. We will continue to require that all tests (including the new fuzz test) run
   cleanly under Valgrind before each release.
5. We will commission a professional security review before any 1.0 release.
   Until that time, we continue to recommend against using Cap'n Proto to
   interpret data from potentially-malicious sources.

I am pleased that measures 1, 2, and 3 all detected this bug, suggesting that
they have a high probability of catching any similar bugs.

[1]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-0-all-cpu-amplification.md
[2]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-1-c++-integer-underflow.md
[3]: https://capnproto.org/news/2015-03-02-security-advisory-and-integer-overflow-protection.html
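The overflowing bounds check described under Details, as an added example that is not from this advisory or from the Cap'n Proto code base: a simplified segment-and-list-pointer model (constructed; the struct, field names and word size are assumptions, not the real wire layout) with the check written in the overflowing 32-bit style beside a hardened version that compares the requested size against the space that actually remains.

```cpp
#include <cstdint>
#include <initializer_list>
#include <iostream>

// Simplified segment-relative list pointer (constructed for illustration; not
// Cap'n Proto's wire layout, and neither check below is the library's code).
struct ListPointer {
    uint32_t offsetWords;   // where the list data starts, in 8-byte words
    uint32_t elementCount;  // number of elements the pointer claims
    uint32_t elementBytes;  // size of one element in bytes
};

constexpr uint32_t kWordBytes = 8;

// Check in the style of the bug class: "start + size <= end" with every term in
// 32-bit arithmetic. count * bytes, or the final sum, wraps modulo 2^32, so a
// list of 2^32 bytes or more appears to end inside the segment.
bool validateOverflowing(const ListPointer& p, uint32_t segmentWords) {
    uint32_t byteSize  = p.elementCount * p.elementBytes;           // may wrap
    uint32_t sizeWords = (byteSize + kWordBytes - 1) / kWordBytes;  // may wrap
    uint32_t endWords  = p.offsetWords + sizeWords;                 // may wrap
    return endWords <= segmentWords;
}

// Hardened check: never form "start + size". Reject a start past the end, then
// compare the requested size against the space that remains, with the product
// widened to 64 bits so it cannot wrap.
bool validateSafe(const ListPointer& p, uint32_t segmentWords) {
    if (p.offsetWords > segmentWords) return false;
    uint64_t remainingBytes = uint64_t(segmentWords - p.offsetWords) * kWordBytes;
    uint64_t byteSize = uint64_t(p.elementCount) * p.elementBytes;
    return byteSize <= remainingBytes;
}

int main() {
    const uint32_t segmentWords = 4;               // a 32-byte segment
    ListPointer benign{1, 2, 8};                   // 2 x 8 bytes at word 1: fits
    ListPointer huge{1, 0x40000000u, 4};           // 2^30 x 4 bytes = 2^32 bytes
    ListPointer farOffset{0xFFFFFFFFu, 1, 8};      // start + 1 word wraps to 0
    for (const ListPointer* p : {&benign, &huge, &farOffset}) {
        std::cout << "overflowing=" << validateOverflowing(*p, segmentWords)
                  << " safe=" << validateSafe(*p, segmentWords) << '\n';
    }
    return 0;
}
```

Unsigned wraparound is well-defined in C++, which is exactly why the first check compiles cleanly, runs without warnings and still accepts both malformed pointers.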
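The compile-time overflow tracking that measure 3 describes, as an added toy illustration that is not kj::Quantity or any code from kj/units.h: a Bounded<max> type whose arithmetic operators derive the result's maximum at compile time, plus the narrowing step an overflowing 32-bit check lacks. The bound values, the ElementCount and ElementBytes aliases and the listByteSize function are constructed for this example.

```cpp
#include <cstdint>
#include <limits>
#include <stdexcept>

// Toy version of the compile-time bound tracking described in measure 3 (in the
// spirit of kj::Quantity, but not kj/units.h itself). Bounded<maxValue> carries
// in its type the largest value it can hold; each operator derives the bound of
// its result at compile time, and narrowing fails to compile unless it fits.
template <uint64_t maxValue>
class Bounded {
public:
    static constexpr uint64_t kMax = maxValue;
    // Runtime values are still checked against the static bound on entry.
    explicit Bounded(uint64_t v) : value_(v) {
        if (v > maxValue) throw std::overflow_error("value exceeds static bound");
    }
    uint64_t unwrap() const { return value_; }
    template <uint64_t otherMax>
    Bounded<maxValue + otherMax> operator+(const Bounded<otherMax>& o) const {
        static_assert(maxValue <= std::numeric_limits<uint64_t>::max() - otherMax,
                      "sum of bounds overflows uint64_t");
        return Bounded<maxValue + otherMax>(value_ + o.unwrap());
    }
    template <uint64_t otherMax>
    Bounded<maxValue * otherMax> operator*(const Bounded<otherMax>& o) const {
        static_assert(otherMax == 0 ||
                      maxValue <= std::numeric_limits<uint64_t>::max() / otherMax,
                      "product of bounds overflows uint64_t");
        return Bounded<maxValue * otherMax>(value_ * o.unwrap());
    }
    // The step an overflowing 32-bit check skips: narrowing is rejected at
    // compile time whenever the tracked bound does not fit in uint32_t.
    uint32_t assertFitsUint32() const {
        static_assert(maxValue <= std::numeric_limits<uint32_t>::max(),
                      "value may exceed 32 bits; tighten the bound or check at runtime");
        return static_cast<uint32_t>(value_);
    }
private:
    uint64_t value_;
};

// Constructed bounds: 29-bit element counts and elements of at most 8 bytes, so
// the product's bound is (2^29 - 1) * 8 = 2^32 - 8, which fits uint32_t. Raising
// ElementBytes to Bounded<16> would make listByteSize fail to compile.
using ElementCount = Bounded<(uint64_t(1) << 29) - 1>;
using ElementBytes = Bounded<8>;
uint32_t listByteSize(uint64_t count, uint64_t bytes) {
    return (ElementCount(count) * ElementBytes(bytes)).assertFitsUint32();
}
```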