mirror
/
capnproto
mirror of https://github.com/capnproto/capnproto.git
Code Releases Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
v2
felix/110324-include-move
master
kenton/3ph
kenton/3ph-part4-cap-embargoes
kenton/3ph-part3-basic-3ph
harris/try-to-fix-obscure-trace-promise-uaf
maizatskyi/2024-06-07-async-read-api
maizatskyi/2024-05-16-async-write
kenton/fix-isolated-websocket-disconnect
kenton/refactor-rpc
release-1.0.2
maizatskyi/2024-05-24-ubsan
maizatskyi/2024-05-17-constexpr-kjb
maizatskyi/2024-05-20-split
maizatskyi/2024-05-14-tidy
maizatskyi/2024-05-13-single
jsnell/compression-stream-flush-option
maizatskyi/2024-04-23-kj-api
maizatskyi/2024-04-16-membrane-rc
jsnell/kjexception-detail
maizatskyi/2024-03-15-pin-ptr
maizatskyi/2024-03-19-disable-old-refcount
maizatskyi/2024-03-18-regenerate
maizatskyi/2024-01-30-pin
kenton/concurrency-limit-uaf
kenton/concurrency-limiter-add-debug
felix/bazel-capability-cleanup
revert-1885-milan/ws-compress-pref
jsnell/copy-on-write-rc
is-anyone-listening
kenton/debug-message-reader
release-1.0.1.1
fix-48230
revert/ae82277
harris/coroutine-conversion-web-socket
felix/bzl-lib-headers
maizatskyi/2023-09-08-fix-lazy-output-stream
harris/revert-small-array
maizatskyi/2023-09-06-coro-tls
maizatskyi/2023-09-07-coroutine-promise-node
harris/coroutine-conversion-http-entity-body-writer
release-1.0.1
maizatskyi/2023-08-31-exclusive-join
maizatskyi/2023-09-06-coreturn-coawait
maizatskyi/2023-07-31-kj-shared2
maizatskyi/2023-09-05-vector-insert
harris/coroutinify-http
harris/co-exclusive-join
maizatskyi/2023-06-27-kj-shared
release-1.0.0
harris/maybe-coroutine
harris/fix-web-socket-application-error-handling
harris/kj-if-maybe-no-raw-pointer
release-0.10.4
kenton/optimize-gettype
harris/readiness-tracking
maizatskyi/2023-05-02-clang-16-fixes
harris/implement-async-environments-with-arenas-fixes
felix/brotlify-exp
harris/implement-async-environments-with-arenas
harris/http-over-capnp-starttls
harris/implement-async-environments-3
harris/implement-async-environments-2
srs
byte-stream-explicit-end
guard-canceled-http-read
fix-sendForPipeline-UAF
harris/temporary-for-release
maizatskyi/2023-01-13-generated_capnp_fix
release-0.10.3
release-0.5.4
release-0.9.2
release-0.8.1
release-0.7.1
buffered-rpc
harris/maybe-maybe-map-reduce
harris/implement-async-environments
no-file-ids
fix-release-mingw
release-0.10.2
release-0.10.1
release-0.10.0
disallow-io-destructors
fix-musl
release-0.9.1
revert-1318-doc-improvements
fix-uninitialized-kind
release-0.9.0
blog-0.9
defer-soon
fix-release-build
harris/tmp
maybe-ref-null-on-move
release-0.8.0
read-cancelation
environment
optimize-websocket-pump
gateway-tag
debug-stuff
debug-corrupt-taskset
retain-stack-trace-in-disconnect-exception
bhoerner/blockedpumpto-cancel
fix-tail-call-cancel-race
fix-dpi-bugs
kenton/fix-websocket-rpc-cancellation
jlee/encoding-doc-clarification
harris/add-vagrant-win10
no-ninja
peer-identity
complete-cmake
release-tests2
release-tests
debug-canceler
fix-byte-stream-path-shortening-WIP
jlee/two-party-test-fix
harris/try-get-uncaught-exception
http-over-capnp-premature-websocket-termination
harris/expose-atomic-refcount
kenton/fix-889
some-wip-hacks
http-over-capnp
url-encode-dotdot
async-io-refactor
harris/http-error-hook
async-io-refactor-old3
release-0.7.0
fix-sendStream
streaming
bsd-make-compat
fix-http-body-delimiting
skip-qemu-failure
fix-const-array-disposer
fix-http-client-adapter
fix-http-client-adapter-cancelation
harris/replace-tee-try-catches
debug-event-use-after-free
rpc-scratch-space
harris/disallow-refcounted-copy
harris/expose-http-connection-headers-count
promise-tuple
harris/read-all-bytes-safely
synchronous-gzip
harris/add-percent-decode-url-flag
release-0.6.1
http-body-cancellation
harris/fix-percent-encoding-restringification-regression
harris/round-trip-eq-sign-in-url-query
full-bodied-gets
harris/fix-relative-url-parse-bug
permissive-http-headers
release-0.6.0
tweaks
release-0.5.3
tls
detect-amplification-better
afl
source-info
release-0.5.2
release-0.5.1
release-0.4.1
overflow-safe
release-0.5.0
gh-pages
release-0.4.0
release-0.3.0
release-0.2.1
v0.1.0
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.10.4
v0.2.0
v0.2.1
v0.3.0
v0.4.0
v0.4.1
v0.4.1.1
v0.4.1.2
v0.5.0
v0.5.1
v0.5.1.1
v0.5.1.2
v0.5.2
v0.5.3
v0.5.3.1
v0.5.4
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.8.0
v0.8.1
v0.9.0
v0.9.1
v0.9.2
v1.0.0
v1.0.1
v1.0.1.1
v1.0.2
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
capnproto/security-advisories/2015-03-02-2-all-cpu-amplif...

75 lines
2.6 KiB
Markdown
Raw Permalink Blame History

Problem
=======
CPU usage amplification attack.
Discovered by
=============
Ben Laurie <ben@links.org> using [American Fuzzy Lop](http://lcamtuf.coredump.cx/afl/)
Announced
=========
2015-03-02
CVE
===
CVE-2015-2312
Impact
======
- Remotely cause a peer to use excessive CPU time and other resources to
process a very small message, possibly enabling a DoS attack.
Fixed in
========
- git commit [104870608fde3c698483fdef6b97f093fc15685d][0]
- release 0.5.1.1:
- Unix: https://capnproto.org/capnproto-c++-0.5.1.1.tar.gz
- Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.1.zip
- release 0.4.1.1:
- Unix: https://capnproto.org/capnproto-c++-0.4.1.1.tar.gz
- release 0.6 (future)
[0]: https://github.com/capnproto/capnproto/commit/104870608fde3c698483fdef6b97f093fc15685d
Details
=======
The Cap'n Proto list pointer format allows encoding a list whose elements are
claimed each to have a size of zero. Such a list could claim to have up to
2^29-1 elements while only taking 8 or 16 bytes on the wire. The receiving
application may expect, say, a list of structs. A zero-size struct is a
perfectly legal (and, in fact, canonical) encoding for a struct whose fields
are all set to their default values. Therefore, the application may notice
nothing wrong and proceed to iterate through and handle each element in the
list, potentially taking a lot of time and resources to do so.
Note that this kind of vulnerability is very common in other systems. Any
system which accepts compressed input can allow an attacker to deliver an
arbitrarily large uncompressed message using very little compressed bandwidth.
Applications should do their own validation to ensure that lists and blobs
inside a message have reasonable size. However, Cap'n Proto takes the
philosophy that any security mistake that is likely to be common in
naively-written application code is in fact a bug in Cap'n Proto -- we should
provide defenses so that the application developer doesn't have to.
To fix the problem, this change institutes the policy that, for the purpose of
the "message traversal limit", a list of zero-sized elements will be counted as
if each element were instead one word wide. The message traversal limit is an
existing anti-amplification measure implemented by Cap'n Proto; see:
https://capnproto.org/encoding.html#amplification-attack
Preventative measures
=====================
This problem was discovered through fuzz testing using American Fuzzy Lop,
which identified the problem as a "hang", although in fact the test case just
took a very long time to complete. We are incorporating testing with AFL into
our release process going forward.
View Git Blame Copy Permalink