Flaw in realloc allows reading unknown memory
#69
Comments
|
Also note that I use Arch Linux and test failed in this line Line 1133 in 7d0c4dd |
|
Thanks for filing an issue! I can reproduce the segfault. Looking into it. |
|
Fix incoming. |
…location When reallocating, if we allocate new space, we need to copy the old allocation's bytes into the new space. There are `old_size` number of bytes in the old allocation, but we were accidentally copying `new_size` number of bytes, which could lead to copying bytes into the realloc'd space from past the chunk that we're bump allocating out of, from unknown memory. If an attacker can cause `realloc`s, and can read the `realoc`ed data back, this could allow them to read things from other regions of memory that they shouldn't be able to. For example, if some crypto keys happened to live in memory right after a chunk we were bump allocating out of, this could allow the attacker to read the crypto keys. Beyond just fixing the bug and adding a regression test, I've also taken two additional steps: 1. While we were already running the testsuite under `valgrind` in CI, because `valgrind` exits with the same code that the program did, if there are invalid reads/writes that happen not to trigger a segfault, the program can still exit OK and we will be none the wiser. I've enabled the `--error-exitcode=1` flag for `valgrind` in CI so that tests eagerly fail in these scenarios. 2. I've written a quickcheck test to exercise `realloc`. Without the bug fix in this patch, this quickcheck immediately triggers invalid reads when run under `valgrind`. We didn't previously have quickchecks that exercised `realloc` beacuse `realloc` isn't publicly exposed directly, and instead can only be indirectly called. This new quickcheck test exercises `realloc` via `bumpalo::collections::Vec::resize` and `bumpalo::collections::Vec::shrink_to_fit` calls. Fixes #69
…location When reallocating, if we allocate new space, we need to copy the old allocation's bytes into the new space. There are `old_size` number of bytes in the old allocation, but we were accidentally copying `new_size` number of bytes, which could lead to copying bytes into the realloc'd space from past the chunk that we're bump allocating out of, from unknown memory. If an attacker can cause `realloc`s, and can read the `realoc`ed data back, this could allow them to read things from other regions of memory that they shouldn't be able to. For example, if some crypto keys happened to live in memory right after a chunk we were bump allocating out of, this could allow the attacker to read the crypto keys. Beyond just fixing the bug and adding a regression test, I've also taken two additional steps: 1. While we were already running the testsuite under `valgrind` in CI, because `valgrind` exits with the same code that the program did, if there are invalid reads/writes that happen not to trigger a segfault, the program can still exit OK and we will be none the wiser. I've enabled the `--error-exitcode=1` flag for `valgrind` in CI so that tests eagerly fail in these scenarios. 2. I've written a quickcheck test to exercise `realloc`. Without the bug fix in this patch, this quickcheck immediately triggers invalid reads when run under `valgrind`. We didn't previously have quickchecks that exercised `realloc` beacuse `realloc` isn't publicly exposed directly, and instead can only be indirectly called. This new quickcheck test exercises `realloc` via `bumpalo::collections::Vec::resize` and `bumpalo::collections::Vec::shrink_to_fit` calls. Fixes #69
|
Thanks again for filing this issue! It turns out that this is a sec bug, so I've filed this advisory: rustsec/advisory-db#251 I've also just published 3.2.1 with the fix. See the CHANGELOG.md and pull request that fixes this bug for a few more details. |
fitzgen
changed the title
realloc allows reading unknown memory
|
My understanding is that the code shouldn't read from the allocated buffer past |
|
@fitzgen : 3.2.1 isn't showing up in github releases or tags. Did it not actually get published yet? |
I guess I forgot to do a git tag, but the crates.io release is here: https://crates.io/crates/bumpalo/3.2.1 I'll tag it now.
It would copy invalid memory into the newly allocated block. But yes, this alone is not sufficient to pull off a whole attack because it would also require some None the less, better safe than sorry, hence the advisory. |
I'm very confused and don't know what is wrong
when I run this code in unit test with
cargo testit failed with SIGSEGVHere is my test code
https://github.com/Riey/bumpalo/tree/unit-test-failed
but when I run same code in
main.rsthen it successThe text was updated successfully, but these errors were encountered: