cannam@147: Problem cannam@147: ======= cannam@147: cannam@147: Integer overflow in pointer validation. cannam@147: cannam@147: Discovered by cannam@147: ============= cannam@147: cannam@147: Ben Laurie <ben@links.org> using [American Fuzzy Lop](http://lcamtuf.coredump.cx/afl/) cannam@147: cannam@147: Announced cannam@147: ========= cannam@147: cannam@147: 2015-03-02 cannam@147: cannam@147: CVE cannam@147: === cannam@147: cannam@147: CVE-2015-2310 cannam@147: cannam@147: Impact cannam@147: ====== cannam@147: cannam@147: - Remotely segfault a peer by sending it a malicious message. cannam@147: - Possible exfiltration of memory, depending on application behavior. cannam@147: cannam@147: Fixed in cannam@147: ======== cannam@147: cannam@147: - git commit [f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa][0] cannam@147: - release 0.5.1.1: cannam@147: - Unix: https://capnproto.org/capnproto-c++-0.5.1.1.tar.gz cannam@147: - Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.1.zip cannam@147: - release 0.4.1.1: cannam@147: - Unix: https://capnproto.org/capnproto-c++-0.4.1.1.tar.gz cannam@147: - release 0.6 (future) cannam@147: cannam@147: [0]: https://github.com/sandstorm-io/capnproto/commit/f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa cannam@147: cannam@147: Details cannam@147: ======= cannam@147: cannam@147: *The following text contains speculation about the exploitability of this cannam@147: bug. This is provided for informational purposes, but as such speculation is cannam@147: often shown to be wrong, you should not rely on the accuracy of this cannam@147: section for the safety of your service. Please update your library.* cannam@147: cannam@147: A specially-crafted pointer could escape bounds checking by triggering an cannam@147: integer overflow in the check. This causes the message to appear as if it cannam@147: contains an extremely long list (over 2^32 bytes), stretching far beyond the cannam@147: memory actually allocated to the message. If the application reads that list, cannam@147: it will likely segfault, but if it manages to avoid a segfault (e.g. because cannam@147: it has mapped a very large contiguous block of memory following the message, cannam@147: or because it only reads some parts of the list and not others), it could end cannam@147: up treating arbitrary parts of memory as input. If the application happens to cannam@147: pass that data back to the user in some way, this problem could lead to cannam@147: exfiltration of secrets. cannam@147: cannam@147: The pointer is transitively read-only, therefore it is believed that this cannam@147: vulnerability on its own CANNOT lead to memory corruption nor code execution. cannam@147: cannam@147: This vulnerability is NOT a Sandstorm sandbox breakout. A Sandstorm app's cannam@147: Cap'n Proto communications pass through a supervisor process which performs a cannam@147: deep copy of the structure. As the supervisor has a very small heap, this cannam@147: will always lead to a segfault, which has the effect of killing the app, but cannam@147: does not affect any other app or the system at large. If somehow the copy cannam@147: succeeds, the copied message will no longer contain an invalid pointer and cannam@147: so will not harm its eventual destination, and the supervisor itself has no cannam@147: secrets to steal. These mitigations are by design. cannam@147: cannam@147: Preventative measures cannam@147: ===================== cannam@147: cannam@147: In order to gain confidence that this is a one-off bug rather than endemic, cannam@147: and to help prevent new bugs from being added, we have taken / will take the cannam@147: following preventative measures going forward: cannam@147: cannam@147: 1. A fuzz test of each pointer type has been added to the standard unit test cannam@147: suite. This test was confirmed to find the vulnerability in question. cannam@147: 2. We will additionally add fuzz testing with American Fuzzy Lop to our cannam@147: extended test suite. AFL was used to find the original vulnerability. Our cannam@147: current tests with AFL show only one other (less-critical) vulnerability cannam@147: which will be reported separately ([2015-03-02-2][2]). cannam@147: 3. In parallel, we will extend our use of template metaprogramming for cannam@147: compile-time unit analysis (kj::Quantity in kj/units.h) to also cover cannam@147: overflow detection (by tracking the maximum size of an integer value across cannam@147: arithmetic expressions and raising an error when it overflows). Preliminary cannam@147: work with this approach successfully detected the vulnerability reported cannam@147: here as well as one other vulnerability ([2015-03-02-1][3]). cannam@147: [See the blog post][4] for more details. cannam@147: 4. We will continue to require that all tests (including the new fuzz test) run cannam@147: cleanly under Valgrind before each release. cannam@147: 5. We will commission a professional security review before any 1.0 release. cannam@147: Until that time, we continue to recommend against using Cap'n Proto to cannam@147: interpret data from potentially-malicious sources. cannam@147: cannam@147: I am pleased that measures 1, 2, and 3 all detected this bug, suggesting that cannam@147: they have a high probability of catching any similar bugs. cannam@147: cannam@147: [1]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-0-all-cpu-amplification.md cannam@147: [2]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-1-c++-integer-underflow.md cannam@147: [3]: https://capnproto.org/news/2015-03-02-security-advisory-and-integer-overflow-protection.html