neptards
/
capnproto
forked from mirror/capnproto
Code Issues Pull Requests Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
u3-0.9.1
master
release-0.9.1
harris/suspendable-http-requests
revert-1318-doc-improvements
fix-uninitialized-kind
release-0.9.0
blog-0.9
defer-soon
harris/tmp
maybe-ref-null-on-move
release-0.8.0
read-cancelation
fix-ci
optimize-websocket-pump
gateway-tag
debug-stuff
debug-corrupt-taskset
retain-stack-trace-in-disconnect-exception
bhoerner/blockedpumpto-cancel
fix-tail-call-cancel-race
fix-dpi-bugs
kenton/fix-websocket-rpc-cancellation
jlee/encoding-doc-clarification
harris/add-vagrant-win10
no-ninja
peer-identity
complete-cmake
release-tests2
release-tests
debug-canceler
fix-byte-stream-path-shortening-WIP
jlee/two-party-test-fix
harris/try-get-uncaught-exception
http-over-capnp-premature-websocket-termination
harris/expose-atomic-refcount
kenton/fix-889
some-wip-hacks
http-over-capnp
url-encode-dotdot
async-io-refactor
harris/http-error-hook
async-io-refactor-old3
release-0.7.0
fix-sendStream
streaming
bsd-make-compat
fix-http-body-delimiting
skip-qemu-failure
fix-const-array-disposer
fix-http-client-adapter
fix-http-client-adapter-cancelation
harris/replace-tee-try-catches
debug-event-use-after-free
rpc-scratch-space
harris/disallow-refcounted-copy
harris/expose-http-connection-headers-count
promise-tuple
harris/read-all-bytes-safely
synchronous-gzip
harris/add-percent-decode-url-flag
release-0.6.1
http-body-cancellation
harris/fix-percent-encoding-restringification-regression
harris/round-trip-eq-sign-in-url-query
full-bodied-gets
harris/fix-relative-url-parse-bug
permissive-http-headers
release-0.6.0
tweaks
release-0.5.3
tls
detect-amplification-better
afl
source-info
release-0.5.2
release-0.5.1
release-0.4.1
overflow-safe
release-0.5.0
gh-pages
release-0.4.0
release-0.3.0
release-0.2.1
v0.1.0
v0.2.0
v0.2.1
v0.3.0
v0.4.0
v0.4.1
v0.4.1.1
v0.4.1.2
v0.5.0
v0.5.1
v0.5.1.1
v0.5.1.2
v0.5.2
v0.5.3
v0.5.3.1
v0.6.0
v0.6.1
v0.7.0
v0.8.0
v0.9.0
v0.9.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
capnproto/security-advisories/2015-03-02-0-c++-integer-ov...

103 lines
4.4 KiB
Markdown
Raw Permalink Blame History

Problem
=======
Integer overflow in pointer validation.
Discovered by
=============
Ben Laurie <ben@links.org> using [American Fuzzy Lop](http://lcamtuf.coredump.cx/afl/)
Announced
=========
2015-03-02
CVE
===
CVE-2015-2310
Impact
======
- Remotely segfault a peer by sending it a malicious message.
- Possible exfiltration of memory, depending on application behavior.
Fixed in
========
- git commit [f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa][0]
- release 0.5.1.1:
- Unix: https://capnproto.org/capnproto-c++-0.5.1.1.tar.gz
- Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.1.zip
- release 0.4.1.1:
- Unix: https://capnproto.org/capnproto-c++-0.4.1.1.tar.gz
- release 0.6 (future)
[0]: https://github.com/sandstorm-io/capnproto/commit/f343f0dbd0a2e87f17cd74f14186ed73e3fbdbfa
Details
=======
*The following text contains speculation about the exploitability of this
bug. This is provided for informational purposes, but as such speculation is
often shown to be wrong, you should not rely on the accuracy of this
section for the safety of your service. Please update your library.*
A specially-crafted pointer could escape bounds checking by triggering an
integer overflow in the check. This causes the message to appear as if it
contains an extremely long list (over 2^32 bytes), stretching far beyond the
memory actually allocated to the message. If the application reads that list,
it will likely segfault, but if it manages to avoid a segfault (e.g. because
it has mapped a very large contiguous block of memory following the message,
or because it only reads some parts of the list and not others), it could end
up treating arbitrary parts of memory as input. If the application happens to
pass that data back to the user in some way, this problem could lead to
exfiltration of secrets.
The pointer is transitively read-only, therefore it is believed that this
vulnerability on its own CANNOT lead to memory corruption nor code execution.
This vulnerability is NOT a Sandstorm sandbox breakout. A Sandstorm app's
Cap'n Proto communications pass through a supervisor process which performs a
deep copy of the structure. As the supervisor has a very small heap, this
will always lead to a segfault, which has the effect of killing the app, but
does not affect any other app or the system at large. If somehow the copy
succeeds, the copied message will no longer contain an invalid pointer and
so will not harm its eventual destination, and the supervisor itself has no
secrets to steal. These mitigations are by design.
Preventative measures
=====================
In order to gain confidence that this is a one-off bug rather than endemic,
and to help prevent new bugs from being added, we have taken / will take the
following preventative measures going forward:
1. A fuzz test of each pointer type has been added to the standard unit test
suite. This test was confirmed to find the vulnerability in question.
2. We will additionally add fuzz testing with American Fuzzy Lop to our
extended test suite. AFL was used to find the original vulnerability. Our
current tests with AFL show only one other (less-critical) vulnerability
which will be reported separately ([2015-03-02-2][2]).
3. In parallel, we will extend our use of template metaprogramming for
compile-time unit analysis (kj::Quantity in kj/units.h) to also cover
overflow detection (by tracking the maximum size of an integer value across
arithmetic expressions and raising an error when it overflows). Preliminary
work with this approach successfully detected the vulnerability reported
here as well as one other vulnerability ([2015-03-02-1][3]).
[See the blog post][4] for more details.
4. We will continue to require that all tests (including the new fuzz test) run
cleanly under Valgrind before each release.
5. We will commission a professional security review before any 1.0 release.
Until that time, we continue to recommend against using Cap'n Proto to
interpret data from potentially-malicious sources.
I am pleased that measures 1, 2, and 3 all detected this bug, suggesting that
they have a high probability of catching any similar bugs.
[1]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-0-all-cpu-amplification.md
[2]: https://github.com/sandstorm-io/capnproto/tree/master/security-advisories/2015-03-02-1-c++-integer-underflow.md
[3]: https://capnproto.org/news/2015-03-02-security-advisory-and-integer-overflow-protection.html
Reference in New Issue View Git Blame Copy Permalink