mirror
/
capnproto
mirror of https://github.com/capnproto/capnproto.git
Code Releases Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
v2
felix/110324-include-move
master
kenton/3ph
kenton/3ph-part4-cap-embargoes
kenton/3ph-part3-basic-3ph
harris/try-to-fix-obscure-trace-promise-uaf
maizatskyi/2024-06-07-async-read-api
maizatskyi/2024-05-16-async-write
kenton/fix-isolated-websocket-disconnect
kenton/refactor-rpc
release-1.0.2
maizatskyi/2024-05-24-ubsan
maizatskyi/2024-05-17-constexpr-kjb
maizatskyi/2024-05-20-split
maizatskyi/2024-05-14-tidy
maizatskyi/2024-05-13-single
jsnell/compression-stream-flush-option
maizatskyi/2024-04-23-kj-api
maizatskyi/2024-04-16-membrane-rc
jsnell/kjexception-detail
maizatskyi/2024-03-15-pin-ptr
maizatskyi/2024-03-19-disable-old-refcount
maizatskyi/2024-03-18-regenerate
maizatskyi/2024-01-30-pin
kenton/concurrency-limit-uaf
kenton/concurrency-limiter-add-debug
felix/bazel-capability-cleanup
revert-1885-milan/ws-compress-pref
jsnell/copy-on-write-rc
is-anyone-listening
kenton/debug-message-reader
release-1.0.1.1
fix-48230
revert/ae82277
harris/coroutine-conversion-web-socket
felix/bzl-lib-headers
maizatskyi/2023-09-08-fix-lazy-output-stream
harris/revert-small-array
maizatskyi/2023-09-06-coro-tls
maizatskyi/2023-09-07-coroutine-promise-node
harris/coroutine-conversion-http-entity-body-writer
release-1.0.1
maizatskyi/2023-08-31-exclusive-join
maizatskyi/2023-09-06-coreturn-coawait
maizatskyi/2023-07-31-kj-shared2
maizatskyi/2023-09-05-vector-insert
harris/coroutinify-http
harris/co-exclusive-join
maizatskyi/2023-06-27-kj-shared
release-1.0.0
harris/maybe-coroutine
harris/fix-web-socket-application-error-handling
harris/kj-if-maybe-no-raw-pointer
release-0.10.4
kenton/optimize-gettype
harris/readiness-tracking
maizatskyi/2023-05-02-clang-16-fixes
harris/implement-async-environments-with-arenas-fixes
felix/brotlify-exp
harris/implement-async-environments-with-arenas
harris/http-over-capnp-starttls
harris/implement-async-environments-3
harris/implement-async-environments-2
srs
byte-stream-explicit-end
guard-canceled-http-read
fix-sendForPipeline-UAF
harris/temporary-for-release
maizatskyi/2023-01-13-generated_capnp_fix
release-0.10.3
release-0.5.4
release-0.9.2
release-0.8.1
release-0.7.1
buffered-rpc
harris/maybe-maybe-map-reduce
harris/implement-async-environments
no-file-ids
fix-release-mingw
release-0.10.2
release-0.10.1
release-0.10.0
disallow-io-destructors
fix-musl
release-0.9.1
revert-1318-doc-improvements
fix-uninitialized-kind
release-0.9.0
blog-0.9
defer-soon
fix-release-build
harris/tmp
maybe-ref-null-on-move
release-0.8.0
read-cancelation
environment
optimize-websocket-pump
gateway-tag
debug-stuff
debug-corrupt-taskset
retain-stack-trace-in-disconnect-exception
bhoerner/blockedpumpto-cancel
fix-tail-call-cancel-race
fix-dpi-bugs
kenton/fix-websocket-rpc-cancellation
jlee/encoding-doc-clarification
harris/add-vagrant-win10
no-ninja
peer-identity
complete-cmake
release-tests2
release-tests
debug-canceler
fix-byte-stream-path-shortening-WIP
jlee/two-party-test-fix
harris/try-get-uncaught-exception
http-over-capnp-premature-websocket-termination
harris/expose-atomic-refcount
kenton/fix-889
some-wip-hacks
http-over-capnp
url-encode-dotdot
async-io-refactor
harris/http-error-hook
async-io-refactor-old3
release-0.7.0
fix-sendStream
streaming
bsd-make-compat
fix-http-body-delimiting
skip-qemu-failure
fix-const-array-disposer
fix-http-client-adapter
fix-http-client-adapter-cancelation
harris/replace-tee-try-catches
debug-event-use-after-free
rpc-scratch-space
harris/disallow-refcounted-copy
harris/expose-http-connection-headers-count
promise-tuple
harris/read-all-bytes-safely
synchronous-gzip
harris/add-percent-decode-url-flag
release-0.6.1
http-body-cancellation
harris/fix-percent-encoding-restringification-regression
harris/round-trip-eq-sign-in-url-query
full-bodied-gets
harris/fix-relative-url-parse-bug
permissive-http-headers
release-0.6.0
tweaks
release-0.5.3
tls
detect-amplification-better
afl
source-info
release-0.5.2
release-0.5.1
release-0.4.1
overflow-safe
release-0.5.0
gh-pages
release-0.4.0
release-0.3.0
release-0.2.1
v0.1.0
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.10.4
v0.2.0
v0.2.1
v0.3.0
v0.4.0
v0.4.1
v0.4.1.1
v0.4.1.2
v0.5.0
v0.5.1
v0.5.1.1
v0.5.1.2
v0.5.2
v0.5.3
v0.5.3.1
v0.5.4
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.8.0
v0.8.1
v0.9.0
v0.9.1
v0.9.2
v1.0.0
v1.0.1
v1.0.1.1
v1.0.2
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
capnproto/security-advisories/2022-11-30-0-pointer-list-b...

128 lines
4.9 KiB
Markdown
Raw Permalink Blame History

Problem
=======
Out-of-bounds read due to logic error handling list-of-list.
Discovered by
=============
David Renshaw <dwrenshaw@gmail.com>, the maintainer of Cap'n Proto's Rust
implementation, which is affected by the same bug. David discovered this bug
while running his own fuzzer.
Announced
=========
2022-11-30
CVE
===
CVE-2022-46149
Impact
======
- Remotely segfault a peer by sending it a malicious message, if the victim
performs certain actions on a list-of-pointer type.
- Possible exfiltration of memory, if the victim performs additional certain
actions on a list-of-pointer type.
- To be vulnerable, an application must perform a specific sequence of actions,
described below. At present, **we are not aware of any vulnerable
application**, but we advise updating regardless.
Fixed in
========
Unfortunately, the bug is present in inlined code, therefore the fix will
require rebuilding dependent applications.
C++ fix:
- git commit [25d34c67863fd960af34fc4f82a7ca3362ee74b9][0]
- release 0.11 (future)
- release 0.10.3:
- Unix: https://capnproto.org/capnproto-c++-0.10.3.tar.gz
- Windows: https://capnproto.org/capnproto-c++-win32-0.10.3.zip
- release 0.9.2:
- Unix: https://capnproto.org/capnproto-c++-0.9.2.tar.gz
- Windows: https://capnproto.org/capnproto-c++-win32-0.9.2.zip
- release 0.8.1:
- Unix: https://capnproto.org/capnproto-c++-0.8.1.tar.gz
- Windows: https://capnproto.org/capnproto-c++-win32-0.8.1.zip
- release 0.7.1:
- Unix: https://capnproto.org/capnproto-c++-0.7.1.tar.gz
- Windows: https://capnproto.org/capnproto-c++-win32-0.7.1.zip
Rust fix:
- `capnp` crate version `0.15.2`, `0.14.11`, or `0.13.7`.
[0]: https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9
Details
=======
A specially-crafted pointer could escape bounds checking by exploiting
inconsistent handling of pointers when a list-of-structs is downgraded to a
list-of-pointers.
For an in-depth explanation of how this bug works, see [David Renshaw's
blog post][1]. This details below focus only on determining whether an
application is vulnerable.
In order to be vulnerable, an application must have certain properties.
First, the application must accept messages with a schema in which a field has
list-of-pointer type. This includes `List(Text)`, `List(Data)`,
`List(List(T))`, or `List(C)` where `C` is an interface type. In the following
discussion, we will assume this field is named `foo`.
Second, the application must accept a message of this schema from a malicious
source, where the attacker can maliciously encode the pointer representing the
field `foo`.
Third, the application must call `getFoo()` to obtain a `List<T>::Reader` for
the field, and then use it in one of the following two ways:
1. Pass it as the parameter to another message's `setFoo()`, thus copying the
field into a new message. Note that copying the parent struct as a whole
will *not* trigger the bug; the bug only occurs if the specific field `foo`
is get/set on its own.
2. Convert it into `AnyList::Reader`, and then attempt to access it through
that. This is much less likely; very few apps use the `AnyList` API.
The dynamic API equivalents of these actions (`capnp/dynamic.h`) are also
affected.
If the application does these steps, the attacker may be able to cause the
Cap'n Proto implementation to read beyond the end of the message. This could
induce a segmentation fault. Or, worse, data that happened to be in memory
immediately after the message might be returned as if it were part of the
message. In the latter case, if the application then forwards that data back
to the attacker or sends it to another third party, this could result in
exfiltration of secrets.
Any exfiltration of data would have the following limitations:
* The attacker could exfiltrate no more than 512 KiB of memory immediately
following the message buffer.
* The attacker chooses in advance how far past the end of the message to
read.
* The attacker's message itself must be larger than the exfiltrated data.
Note that a sufficiently large message buffer will likely be allocated
using mmap() in which case the attack will likely segfault.
* The attack can only work if the 8 bytes immediately following the
exfiltrated data contains a valid in-bounds Cap'n Proto pointer. The
easiest way to achieve this is if the pointer is null, i.e. 8 bytes of zero.
* The attacker must specify exactly how much data to exfiltrate, so must
guess exactly where such a valid pointer will exist.
* If the exfiltrated data is not followed by a valid pointer, the attack
will throw an exception. If an application has chosen to ignore exceptions
(e.g. by compiling with `-fno-exceptions` and not registering an
alternative exception callback) then the attack may be able to proceed
anyway.
[1]: https://dwrensha.github.io/capnproto-rust/2022/11/30/out_of_bounds_memory_access_bug.html
View Git Blame Copy Permalink