neptards
/
capnproto
forked from mirror/capnproto
Code Issues Pull Requests Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
u3-0.9.1
master
release-0.9.1
harris/suspendable-http-requests
revert-1318-doc-improvements
fix-uninitialized-kind
release-0.9.0
blog-0.9
defer-soon
harris/tmp
maybe-ref-null-on-move
release-0.8.0
read-cancelation
fix-ci
optimize-websocket-pump
gateway-tag
debug-stuff
debug-corrupt-taskset
retain-stack-trace-in-disconnect-exception
bhoerner/blockedpumpto-cancel
fix-tail-call-cancel-race
fix-dpi-bugs
kenton/fix-websocket-rpc-cancellation
jlee/encoding-doc-clarification
harris/add-vagrant-win10
no-ninja
peer-identity
complete-cmake
release-tests2
release-tests
debug-canceler
fix-byte-stream-path-shortening-WIP
jlee/two-party-test-fix
harris/try-get-uncaught-exception
http-over-capnp-premature-websocket-termination
harris/expose-atomic-refcount
kenton/fix-889
some-wip-hacks
http-over-capnp
url-encode-dotdot
async-io-refactor
harris/http-error-hook
async-io-refactor-old3
release-0.7.0
fix-sendStream
streaming
bsd-make-compat
fix-http-body-delimiting
skip-qemu-failure
fix-const-array-disposer
fix-http-client-adapter
fix-http-client-adapter-cancelation
harris/replace-tee-try-catches
debug-event-use-after-free
rpc-scratch-space
harris/disallow-refcounted-copy
harris/expose-http-connection-headers-count
promise-tuple
harris/read-all-bytes-safely
synchronous-gzip
harris/add-percent-decode-url-flag
release-0.6.1
http-body-cancellation
harris/fix-percent-encoding-restringification-regression
harris/round-trip-eq-sign-in-url-query
full-bodied-gets
harris/fix-relative-url-parse-bug
permissive-http-headers
release-0.6.0
tweaks
release-0.5.3
tls
detect-amplification-better
afl
source-info
release-0.5.2
release-0.5.1
release-0.4.1
overflow-safe
release-0.5.0
gh-pages
release-0.4.0
release-0.3.0
release-0.2.1
v0.1.0
v0.2.0
v0.2.1
v0.3.0
v0.4.0
v0.4.1
v0.4.1.1
v0.4.1.2
v0.5.0
v0.5.1
v0.5.1.1
v0.5.1.2
v0.5.2
v0.5.3
v0.5.3.1
v0.6.0
v0.6.1
v0.7.0
v0.8.0
v0.9.0
v0.9.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
capnproto/security-advisories/2017-04-17-0-apple-clang-el...

148 lines
6.3 KiB
Markdown
Raw Permalink Blame History

Problem
=======
Some bounds checks are elided by Apple's compiler and possibly others, leading
to a possible attack especially in 32-bit builds.
Although triggered by a compiler optimization, this is a bug in Cap'n Proto,
not the compiler.
Discovered by
=============
Kenton Varda <kenton@cloudflare.com> <kenton@sandstorm.io>
Announced
=========
2017-04-17
CVE
===
CVE-2017-7892
Impact
======
- Remotely segfault a 32-bit application by sending it a malicious message.
- Exfiltration of memory from such applications **might** be possible, but our
current analysis indicates that other checks would cause any such attempt to
fail (see below).
- At present I've only reproduced the problem on Mac OS using Apple's
compiler. Other compilers and platforms do not seem to apply the problematic
optimization.
Fixed in
========
- git commit [52bc956459a5e83d7c31be95763ff6399e064ae4][0]
- release 0.5.3.1:
- Unix: https://capnproto.org/capnproto-c++-0.5.3.1.tar.gz
- Windows: https://capnproto.org/capnproto-c++-win32-0.5.3.1.zip
- release 0.6 (future)
[0]: https://github.com/sandstorm-io/capnproto/commit/52bc956459a5e83d7c31be95763ff6399e064ae4
Details
=======
*The following text contains speculation about the exploitability of this
bug. This is provided for informational purposes, but as such speculation is
often shown to be wrong, you should not rely on the accuracy of this
section for the safety of your service. Please update your library.*
During regular testing in preparation for a release, it was discovered that
when Cap'n Proto is built using the current version of Apple's Clang compiler
in 32-bit mode with optimizations enabled, it is vulnerable to attack via
specially-crafted malicious input, causing the application to read from an
invalid memory location and crash.
Specifically, a malicious message could contain a [far pointer][1] pointing
outside of the message. Cap'n Proto messages are broken into segments of
continuous memory. A far pointer points from one segment into another,
indicating both the segment number and an offset within that segment. If a
malicious far pointer contained an offset large enough to overflow the pointer
arithmetic (wrapping around to the beginning of memory), then it would escape
bounds checking, in part because the compiler would elide half of the bounds
check as an optimization.
That is, the code looked like (simplification):
word* target = segmentStart + farPointer.offset;
if (target < segmentStart || target >= segmentEnd) {
throwBoundsError();
}
doSomething(*target);
To most observers, this code would appear to be correct. However, as it turns
out, pointer arithmetic that overflows is undefined behavior under the C
standard. As a result, the compiler is allowed to assume that the addition on
the first line never overflows. Since `farPointer.offset` is an unsigned
number, the compiler is able to conclude that `target < segmentStart` always
evaluates false. Thus, the compiler removes this part of the check.
Unfortunately, in the case of overflow, this is exactly the part of the check
that we need.
Based on both fuzz testing and logical analysis, I believe that the far pointer
bounds check is the only check affected by this optimization. If true, then it
is not possible to exfiltrate memory through this vulnerability: the target of
a far pointer is always expected to be another pointer, which in turn points to
the final object. That second pointer will go through its own bounds checking,
which will fail (unless it somehow happens to point back into the message
bounds, in which case no harm is done).
I believe this bug does not affect any common 64-bit platform because the
maximum offset expressible by a far pointer is 2^32 bytes. In order to trigger
the bug in a 64-bit address space, the message location would have to begin
with 0xFFFFFFFF (allocated in the uppermost 4GB of address space) and the
target would have to begin with 0x00000000 (allocated in the lowermost 4GB of
address space). Typically, on 64-bit architectures, the upper half of the
address space is reserved for the OS kernel, thus a message could not possibly
be located there.
I was not able to reproduce this bug on other platforms, perhaps because the
compiler optimization is not applied by other compilers. On Linux, I tested GCC
4.9, 5.4, and 6.3, as well as Clang 3.6, 3.8, and 4.0. None were affected.
Nevertheless, the compiler behavior is technically allowed, thus it should be
assumed that it can happen on other platforms as well.
The specific compiler version which was observed to be affected is:
$ clang++ --version
Apple LLVM version 8.1.0 (clang-802.0.41)
Target: x86_64-apple-darwin16.5.0
Thread model: posix
InstalledDir: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin
(Note: Despite being Clang-based, Apple's compiler version numbers have no
apparent relationship to Clang version numbers.)
[1]: https://capnproto.org/encoding.html#inter-segment-pointers
Preventative measures
=====================
The problem was caught by running Cap'n Proto's standard fuzz tests in this
configuration. These tests are part of the Cap'n Proto test suite which runs
when you invoke `make check`, which Cap'n Proto's installation instructions
suggest to all users.
However, these fuzz tests were introduced after the 0.5.x release branch,
hence are not currently present in release versions of Cap'n Proto, only in
git. A 0.6 release will come soon, fixing this.
The bugfix commit forces the compiler to perform all checks by casting the
relevant pointers to `uintptr_t`. According to the standard, unsigned integers
implement modulo arithmetic, rather than leaving overflow undefined, thus the
compiler cannot make the assumptions that lead to eliding the check. This
change has been shown to fix the problem in practice. However, this quick fix
does not technically avoid undefined behavior, as the code still computes
pointers that point to invalid locations before they are checked. A
technically-correct solution has been implemented in the next commit,
[2ca8e41140ebc618b8fb314b393b0a507568cf21][2]. However, as this required more
extensive refactoring, it is not appropriate for cherry-picking, and will
only land in versions 0.6 and up.
[2]: https://github.com/sandstorm-io/capnproto/commit/2ca8e41140ebc618b8fb314b393b0a507568cf21
Reference in New Issue View Git Blame Copy Permalink