Security
Optimization-unstable code
Compilers can be tricky beasts, especially where optimizations are concerned. A recent paper [PDF] from MIT highlighted some of the problems that can be caused by perfectly legitimate—if surprising—optimizations, some of which can lead to security vulnerabilities. The problem stems from C language behavior that is undefined by the standard, which allows compiler writers to optimize those statements away.
Andrew McGlashan raised the issue on the debian-security mailing list, expressing some surprise that the topic hadn't already come up. The paper specifically cites tests done on the Debian "Wheezy" (7.0) package repository, which found that 40% of 8500+ C/C++ packages have "optimization-unstable code" (or just "unstable code"). That does not mean that all of those are vulnerabilities, necessarily, but they are uses of undefined behavior—bugs, for the most part.
The unstable code was found using a static analysis tool called STACK that was written by the authors of the paper, Xi Wang, Nickolai Zeldovich, M. Frans Kaashoek, and Armando Solar-Lezama. It is based on the LLVM compiler framework and checks for ten separate undefined behaviors. Since C compilers can assume that undefined behavior is never invoked by a program, the compiler can optimize the undefined behavior away—which is what can lead to vulnerabilities.
So, what kind of undefined behavior are we talking about here? Two of the examples given early in the paper help to answer that. The first is that overflowing a pointer is undefined:
char *buf = ...;
unsigned int len = ...;
if (buf + len < buf) /* overflow check */
...
The compiler can (and often does, depending on the -O setting) optimize the test away. On some architectures, according to the paper, that's no great loss as the test doesn't work. But on other architectures, it does protect against a too-large value of len. Getting rid of the test could lead to a buffer overflow ... and buffer overflows can often be exploited.
The second example is a null pointer dereference in the Linux kernel:
struct tun_struct *tun = ...;
struct sock *sk = tun->sk;
if (!tun)
return POLLERR;
/* write to address based on tun */
Normally that code would cause a kernel oops if tun is null, but if page zero is mapped for some reason, the code is basically harmless—as long as the test remains. Because the compiler sees the dereference operation, it can conclude that the pointer is always non-null and remove the test entirely, which turns a fairly innocuous bug into a potential kernel exploit.
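The two checks above, side by side with forms that do not depend on undefined behavior, as an added example that is not code from the article, the paper, or the kernel; append_checked, poll_unstable, poll_stable and struct tun_ctx are hypothetical names chosen for this illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Unstable form of the first example: "buf + len" forms an out-of-range
 * pointer when len is large, which is undefined, so the compiler may treat
 * the comparison as always false and delete it. */
int unstable_overflow_check(const char *buf, unsigned int len)
{
    return buf + len < buf;  /* may silently become 0 at -O2 */
}

/* Stable form: reason about sizes, never about wrapped pointers.
 * `used` bytes of `cap` are already in dst; len must fit in the rest.
 * Returns the new fill level, or -1 if len does not fit.
 * (Hypothetical helper written for this example.) */
long append_checked(char *dst, size_t cap, size_t used,
                    const char *src, unsigned int len)
{
    if (used > cap || len > cap - used)   /* no pointer arithmetic, no UB */
        return -1;
    memcpy(dst + used, src, len);
    return (long)(used + len);
}

/* Stand-in for the kernel struct in the second example. */
struct tun_ctx { int flags; void *sk; };

/* Unstable: the dereference precedes the null test, so the compiler may
 * infer tun != NULL and drop the test; with page zero mapped, a NULL tun
 * then reaches the code that follows. */
int poll_unstable(struct tun_ctx *tun)
{
    void *sk = tun->sk;      /* undefined when tun == NULL */
    if (!tun)
        return -1;
    return sk != NULL;
}

/* Stable: test first, dereference only after the test. */
int poll_stable(struct tun_ctx *tun)
{
    if (!tun)
        return -1;
    return tun->sk != NULL;
}
```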
Other undefined behaviors are examined as well. Signed integer overflow, division by zero, and oversized shifts are flagged, for example. In addition, operations like an overlapping memcpy(), use after free()/realloc(), and exceeding array bounds are checked.
The Debian discussion turned toward how to find and fix these kinds of bugs but, of course, they mostly or completely live upstream. As Mark Haase put it:
But Paul Wise noted that there is some ongoing work by Debian and Fedora developers to package static checkers for the distributions. STACK is on the list, he said, but relies on a version of LLVM that is not yet available for Debian. He recommended that interested folks get involved in those efforts and offered a list of links to get started.
There were some who felt the optimizations removing the unstable code were actually compiler bugs. Miles Fidelman suggested the problem needed to be fixed "WAY upstream" in GCC itself: "if gcc's optimizer is opening a class of security holes - then it's gcc that has to be fixed". But Haase was quick to throw cold water on that idea, noting a GCC bug and an LLVM blog post series that pretty clearly show that compiler writers do not see these kinds of optimizations as bugs. Haase said:
The problem for programmers is a lack of warnings about these kinds of undefined constructs, Wise said. "Every use of undefined behaviour should at minimum result in a compiler warning." But even doing that is difficult (and noisy), Wade Richards said:
Joel Rees would like to see the standard rewritten "to encourage sane behavior in undefined situations". Defining "sane" might be somewhat difficult, of course.
Bernhard R. Link had a different suggestion:
Bugs in our code—many of which lead to security holes—are a never-ending problem, but over time we do at least seem to be getting some tools to assist in finding them. That different compilers, optimization levels, and compiler versions will give different behavior for this particular class of bugs makes them even harder to find. STACK seems like a good solution there—thankfully it is open source, unlike some other static analysis tools.
Brief items
Security quotes of the week
Geer: Trends in cyber security
Dan Geer has posted the transcript of his "Trends in cyber security" talk presented to the US National Reconnaissance Office in early November. "The trendline in the number of critical monocultures seems to be rising and many of these are embedded systems both without a remote management interface and long lived. That combination -- long lived and not reachable -- is the trend that must be reversed. Whether to insist that embedded devices self destruct at some age or that remote management of them be a condition of deployment is the question. In either case, the Internet of Things and the appearance of microcontrollers in seemingly every computing device should raise hackles on every neck."
Linux Worm Targeting Hidden Devices
The Symantec blog has a report of a new Linux worm capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. "The worm, Linux.Darlloz, exploits a PHP vulnerability to propagate itself in the wild. The worm utilizes the PHP 'php-cgi' Information Disclosure Vulnerability (CVE-2012-1823), which is an old vulnerability that was patched in May 2012. The attacker recently created the worm based on the Proof of Concept (PoC) code released in late Oct 2013."
Garrett: Subverting security with kexec
Matthew Garrett demonstrates how to use the kexec() system call to change parameters in a running kernel. "The beauty of this approach is that it doesn't rely on any kernel bugs - it's using kernel functionality that was explicitly designed to let you do this kind of thing (ie, run arbitrary code in ring 0). There's not really any way to fix it beyond adding a new system call that has rather tighter restrictions on the binaries that can be loaded. If you're using signed modules but still permit kexec, you're not really adding any additional security."
New vulnerabilities
ganglia-web: cross-site scripting
Package(s): ganglia-web
CVE #(s): CVE-2013-6395
Created: December 1, 2013
Updated: December 10, 2013
Description: From the Mageia advisory: XSS issue in ganglia-web makes it possible to execute JavaScript in victims' browser after tricking the victim into opening a specially crafted URL (CVE-2013-6395).
gimp: code execution
Package(s): gimp
CVE #(s): CVE-2013-1913 CVE-2013-1978
Created: December 4, 2013
Updated: March 7, 2016
Description: From the Red Hat advisory: A stack-based buffer overflow flaw, a heap-based buffer overflow, and an integer overflow flaw were found in the way GIMP loaded certain X Window System (XWD) image dump files. A remote attacker could provide a specially crafted XWD image file that, when processed, would cause the XWD plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP. (CVE-2013-1913, CVE-2013-1978)
kernel: privilege escalation
Package(s): EC2 kernel
CVE #(s): CVE-2013-4511
Created: December 4, 2013
Updated: December 4, 2013
Description: From the CVE entry: Multiple integer overflows in Alchemy LCD frame-buffer drivers in the Linux kernel before 3.12 allow local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted mmap operations, related to the (1) au1100fb_fb_mmap function in drivers/video/au1100fb.c and the (2) au1200fb_fb_mmap function in drivers/video/au1200fb.c.
librsvg: denial of service
Package(s): librsvg
CVE #(s): CVE-2013-1881
Created: December 1, 2013
Updated: October 20, 2015
Description: From the openSUSE advisory: librsvg was updated to fix a denial a XML External Entity Inclusion problem, where files on the system could be imported into the SVG. (CVE-2013-1881)
links2: integer overflow
Package(s): links2
CVE #(s): CVE-2013-6050
Created: December 1, 2013
Updated: December 29, 2014
Description: From the Debian advisory: Mikulas Patocka discovered an integer overflow in the parsing of HTML tables in the Links web browser. This can only be exploited when running Links in graphical mode.
mediawiki: multiple vulnerabilities
Package(s): mediawiki
CVE #(s): CVE-2013-4567 CVE-2013-4568 CVE-2013-4572 CVE-2013-4569 CVE-2013-4573 CVE-2012-5394
Created: December 2, 2013
Updated: December 18, 2013
Description: From the Fedora advisory:
* Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting Javascript in CSS that bypassed MediaWiki's blacklist (CVE-2013-4567, CVE-2013-4568). https://bugzilla.wikimedia.org/show_bug.cgi?id=55332
* Internal review while debugging a site issue discovered that MediaWiki and the CentralNotice extension were incorrectly setting cache headers when a user was autocreated, causing the user's session cookies to be cached, and returned to other users (CVE-2013-4572). https://bugzilla.wikimedia.org/show_bug.cgi?id=53032
Additionally, the following extensions have been updated to fix security issues:
* CleanChanges: MediaWiki steward Teles reported that revision-deleted IP's are not correctly hidden when this extension is used (CVE-2013-4569). https://bugzilla.wikimedia.org/show_bug.cgi?id=54294
* ZeroRatedMobileAccess: Tomasz Chlebowski reported an XSS vulnerability (CVE-2013-4573). https://bugzilla.wikimedia.org/show_bug.cgi?id=55991
* CentralAuth: MediaWiki developer Platonides reported a login CSRF in CentralAuth (CVE-2012-5394). https://bugzilla.wikimedia.org/show_bug.cgi?id=40747
mod_nss: access with invalid client certificate
Package(s): mod_nss
CVE #(s): CVE-2013-4566
Created: December 4, 2013
Updated: December 27, 2013
Description: From the Red Hat advisory: A flaw was found in the way mod_nss handled the NSSVerifyClient setting for the per-directory context. When configured to not require a client certificate for the initial connection and only require it for a specific directory, mod_nss failed to enforce this requirement and allowed a client to access the directory when no valid client certificate was provided.
moodle: multiple vulnerabilities
Package(s): moodle
CVE #(s): CVE-2013-4522 CVE-2013-4523 CVE-2013-4524 CVE-2013-4525
Created: December 1, 2013
Updated: December 4, 2013
Description: From the Mageia advisory: Some files were being delivered with incorrect headers in Moodle before 2.4.7, meaning they could be cached downstream (CVE-2013-4522). Cross-site scripting in Moodle before 2.4.7 due to JavaScript in messages being executed on some pages (CVE-2013-4523). The file system repository in Moodle before 2.4.7 was allowing access to files beyond the Moodle file area (CVE-2013-4524). Cross-site scripting in Moodle before 2.4. due to JavaScript in question answers being executed on the Quiz Results page (CVE-2013-4525).
nbd: access restriction bypass
Package(s): nbd
CVE #(s):
Created: December 1, 2013
Updated: December 4, 2013
Description: From the Debian advisory: It was discovered that nbd-server, the server for the Network Block Device protocol, did incorrect parsing of the access control lists, allowing access to any hosts with an IP address sharing a prefix with an allowed address.
openjpeg: multiple vulnerabilities
Package(s): openjpeg
CVE #(s): CVE-2013-1447 CVE-2013-6045 CVE-2013-6052 CVE-2013-6054
Created: December 3, 2013
Updated: January 5, 2015
Description: From the Debian advisory: Several vulnerabilities have been discovered in OpenJPEG, a JPEG 2000 image library, that may lead to denial of service (CVE-2013-1447) via application crash or high memory consumption, possible code execution through heap buffer overflows (CVE-2013-6045), information disclosure (CVE-2013-6052), or yet another heap buffer overflow that only appears to affect OpenJPEG 1.3 (CVE-2013-6054).
pixman: denial of service
Package(s): pixman
CVE #(s):
Created: December 4, 2013
Updated: December 10, 2013
Description: From the Ubuntu advisory: pixman could be made to crash if it opened a specially crafted file.
quassel: information leak
Package(s): quassel
CVE #(s): CVE-2013-6404
Created: December 1, 2013
Updated: January 21, 2014
Description: From the Mageia advisory: Security vulnerability in Quassel before 0.9.2 through which a manipulated, but properly authenticated client was able to retrieve the backlog of other users on the same core in some cases (CVE-2013-6404).
subversion: two vulnerabilities
Package(s): subversion
CVE #(s): CVE-2013-4505 CVE-2013-4558
Created: December 1, 2013
Updated: January 1, 2014
Description: From the Mageia advisory: mod_dontdothat allows you to block update REPORT requests against certain paths in the repository. It expects the paths in the REPORT request to be absolute URLs. Serf based clients send relative URLs instead of absolute URLs in many cases. As a result these clients are not blocked as configured by mod_dontdothat (CVE-2013-4505). When SVNAutoversioning is enabled via "SVNAutoversioning on", commits can be made by single HTTP requests such as MKCOL and PUT. If Subversion is built with assertions enabled any such requests that have non-canonical URLs, such as URLs with a trailing /, may trigger an assert. An assert will cause the Apache process to abort (CVE-2013-4558).
sup-mail: two command injection flaws
Package(s): sup-mail
CVE #(s): CVE-2013-4478 CVE-2013-4479
Created: December 1, 2013
Updated: December 4, 2013
Description: joernchen of Phenoelit discovered two command injection flaws in Sup, a console-based email client. An attacker might execute arbitrary commands if the user opens a maliciously crafted email. From the Debian advisory: CVE-2013-4478: Sup wrongly handled the filename of attachments. CVE-2013-4479: Sup did not sanitize the content-type of attachments.
Page editor: Jake Edge