RUS - CERT Computer Emergency Response Team - Zuständig für die Rechner- und Netzwerksicherheit an der Universität Stuttgart
kontakt sitemap impressum e-mail-abo
home
aktuelle_meldungen
rus-cert-advisories
cve
ticker_abo
top_5
rss
betriebssysteme
themen
dienste
projekte
archive
jobs
Universität Stuttgart
Rechenzentrum
 
 
   

RUS-CERT Advisory 2002-08:02

Flaw in calloc and similar routines

Integer overflow can occur during the computation of the memory region size by calloc and similar functions. As a result, the function returns a buffer which is too small, possibly resulting in a subsequent buffer overflow.

Who Should Read This Document

This advisory is targeted at C, C++ and Ada compiler implementors and programmers.

Systems Affected

  • C run-time libraries:
    • GNU libc 2.2.5
    • dietlibc CVS as of 2002-08-01 (see below for corrected releases)
    • Microsoft Visual C++ 4.0
    • Microsoft Visual C++ 6.0
    • HP-UX 11 before the correction date (see below)
  • Language-specific allocators:
    • GNU C++ Compiler (GCC 2.95, 3.0, 3.1.1)
    • GNU Ada Compiler (GNAT 3.14p, GCC 3.1.1)
    • Microsoft Visual C++ 6.0 (C++ new allocator)
  • Other libraries:
    • libgcrypt 1.1.10 (GNU Crypto Library)

Systems Not Affected

According to vendor reports, the following products are not vulnerable:
  • C run-time libraries:
    • dietlibc 0.19 and CVS after 2002-08-05
    • GNU libc 2.3.x and CVS after 2002-08-08
    • HP-UX 11.x in the following versions:
      • HP-UX B.11.00 with patch PHCO_28425
      • HP-UX B.11.04 with patch PHCO_29190
      • HP-UX B.11.11 with patch PHCO_28427
      • HP-UX B.11.23
      (This information is based on HP's security bulletin HPSBUX0401-310, as released on 2004-01-13.)
  • Other libraries:
    • libgcrypt CVS after 2002-12-09

Attack Requirements And Impact

Attack requirements and impact depend on the application using these interfaces. No generic classification is possible.

Description

Many memory allocation interfaces exhibit the same erratic behavior as the xdr_array Sun RPC function which has been documented in an ISS security advisory (CAN-2002-0391).

All these interfaces process two arguments, the storage size of the element type, and the number of elements. (The element type size is sometimes not specified explicitly, as in the case of operator new in C++) To compute the size of the memory area which is needed, both numbers are multiplied. If the result cannot be represented in a machine word, it can happen that the allocation routine returns a pointer to a memory area which is too short (instead of signalling an error condition using the appropriate mechanism defined by the programming language). As a result, the application might write beyond the end of the allocated buffer, resulting in a heap-based buffer overflow. The defect discovered in the xdr_array function mentioned above shows that errors in this class do have security implications.

Typical code fragments which might lead to vulnerable applications are listed below.

  • C: pointer = calloc(sizeof(element_t), count);
  • C++: pointer = new ElementType[count];
  • Ada: Array_Access := new Element_Type (1 .. Count);

How To Detect The Defect

In the calloc case, the source code should be examined. Constructs like size = count * element_size; without any overflow checks are problematic (and, similarly, expressions like size *= nelems).

In the C++ and Ada cases, the compiler can emit inline machine code instructions to calculate the total size. A small test program like the following can be compiled: 

typedef struct {
  char data[0x10];
} DATA10;

void allocate(unsigned size) 
{
  DATA10 *x = new DATA10[size];
}

After that, the generated machine code has to be examined for overflow checking. In the Ada case, the following procedure can be used: 

procedure Test (Size : Positive) is

   subtype Data10 is String (1 .. 16#0000_0010#);
   type Data10_Array is array (Positive range <>) of Data10;

   type Pointer is access Data10_Array;

   V : Pointer;

begin
   V := new Data10_Array (1 .. Size);
end;

For both languages, the size might be computed using a library routine. In this case, the source code of the library routine has to be examined.

Countermeasures

  • Apply a patch from your vendor, or upgrade to a non-vulnerable version.

Although in most cases, the present overflows can be detected after they occurred because only unsigned types are involved, programmers should be aware that overflow checking in C is not straightforward (see RUS-CERT Advisory 2002-08:01).

About RUS-CERT

RUS-CERT is the Computer Emergency Response Team located at the Computing Center (RUS) of the University of Stuttgart, Germany.

Revision History

This document was published on 2002-08-05.

libgcrypt was found to be affected on 2002-12-07.

HP-UX released a security advisory on 2004-01-14; the affected system list has been updated accordingly.

   
2004-01-14
Copyright © 2010 RUS-CERT, Universität Stuttgart
Die Universität Stuttgart übernimmt keinerlei Haftung für den Inhalt dieser Seite.