bug#19565: Emacs vulnerable to endless-data attack (minor)

unofficial mirror of bug-gnu-emacs@gnu.org 
 help / color / mirror / code / Atom feed

From: Stefan Kangas <stefan@marxist.se>
To: Lars Ingebrigtsen <larsi@gnus.org>
Cc: 19565@debbugs.gnu.org
Subject: bug#19565: Emacs vulnerable to endless-data attack (minor)
Date: Sun, 6 Oct 2019 05:13:27 +0200	[thread overview]
Message-ID: <CADwFkmnhZzczftBeTPhDYt3Nctw7eonUyfHD1EsRYSjX2h2yXw@mail.gmail.com> (raw)
In-Reply-To: <A95hYv6eiwhN4ZlplHCcmBnPjnFHgrKiNiO1xKjhUqg@local>

Kelly Dean <kelly@prtime.org> writes:

> A few days ago I speculated, but now I confirmed. It's technically considered a vulnerability, but in Emacs's case it's a minor problem; exploiting it would be more a prank than a real attack.
>
> To demo locally for archive metadata:
> echo -en 'HTTP/1.1 200 OK\r\n\r\n' > header
> cat header /dev/urandom | nc -l -p 80
>
> Then in Emacs:
> (setq package-archives '(("foo" . "http://127.0.0.1/")))
> M-x list-packages
>
> Watch Emacs's memory usage grow and grow...
>
> If you set some arbitrary limit on the size of archive-contents, then
> theoretically you break some legitimate ginormous elpa. And if you're getting
> garbage, you wouldn't know it until you've downloaded more garbage than the
> limit. The right way to fix it is to include the size of archive-contents in
> another file that can legitimately be constrained to a specified small maximum
> size, sign that file, and in the client, abort the archive-contents download if
> you get more data than you're supposed to.
>
> The timestamp file that I proposed for fixing the metadata replay vuln (bug
> #19479) would be a suitable place to record the size; then no additional file
> (and signature) is needed just to solve endless-metadata. For the corresponding
> endless-data vuln for packages instead of metadata, I already put sizes in the
> package records in my patch for the package replay vuln.
>
> Don't forget you need to set a maximum size not only on the timestamp file, but also on the signature file, or they would be vulnerable too. E.g. just hardcode 1kB.

I think this affects more than just package.el.  AFAICT, anywhere we
use the url library, an endless data attack can get Emacs to fill up
all available memory (wasting also bandwidth resources, of course).

Lars, perhaps we could add code to handle this in with-fetched-url?

For example, a new keyword argument :max-size, which would make it
stop after having reached that many bytes.  IMO, it would be even
better if this was set to some arbitrarily chosen high value by
default, like 256 MiB or something, so that this protection is on
unless explicitly turned off with nil.

Best regards,
Stefan Kangas

next prev parent reply	other threads:[~2019-10-06  3:13 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-01-11 11:12 bug#19565: Emacs vulnerable to endless-data attack (minor) Kelly Dean
2015-01-11 18:33 ` Richard Stallman
2015-01-11 21:18 ` Kelly Dean
2019-10-06  3:13 ` Stefan Kangas [this message]
2019-10-06 17:32   ` Eli Zaretskii
2019-10-07  1:51     ` Lars Ingebrigtsen
2019-10-07 12:50       ` Stefan Kangas
2019-10-07 16:13       ` Eli Zaretskii
2019-10-08 16:27         ` Lars Ingebrigtsen
2019-10-08 16:47           ` Eli Zaretskii
2019-10-08 16:50           ` Stefan Kangas
2019-10-08 17:22             ` Eli Zaretskii
2019-10-08 17:38               ` Stefan Kangas
2019-10-08 18:02                 ` Eli Zaretskii

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/emacs/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CADwFkmnhZzczftBeTPhDYt3Nctw7eonUyfHD1EsRYSjX2h2yXw@mail.gmail.com \
    --to=stefan@marxist.se \
    --cc=19565@debbugs.gnu.org \
    --cc=larsi@gnus.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).