Security Audit of libcap

X41 performed a source code audit of libcap, a library for getting and setting POSIX.1e (formerly POSIX 6) draft 15 capabilities, with native bindings for C/C++ and Go. The audit was sponsored once again by the Open Source Technology Improvement Fund. The report is being released now that the development team has addressed the identified issues.

Full report of the security audit:
https://www.x41-dsec.de/static/reports/X41-libcap-Code-Review-2023-OSTIF-Final-Report.pdf

Audit Results

A total of two vulnerabilities were discovered during the audit by X41: one was rated as medium severity and one as low. Additionally, three issues without a direct security impact were identified.

The medium severity issue is an integer overflow on 32-bit systems, where size_t is 4 bytes wide. If the input string old passed to _libcap_strdup() is close to 4GB in length, the addition wraps around and len ends up smaller than expected; the subsequent strcpy() into the undersized buffer then leads to a heap overflow.

__attribute__((visibility ("hidden"))) char *_libcap_strdup(const char *old)
{
  struct _cap_alloc_s *header;
  char *raw_data;
  size_t len;

[...]

  /* On a 32-bit build this sum wraps when strlen(old) is close to 4GB. */
  len = strlen(old) + 1 + 2*sizeof(__u32);
  if (len < sizeof(struct _cap_alloc_s)) {
    len = sizeof(struct _cap_alloc_s);
  }
  /* This check is a no-op on 32-bit: len already fits in 32 bits. */
  if ((len & 0xffffffff) != len) {
    _cap_debug("len is too long for libcap to manage");
    errno = EINVAL;
    return NULL;
  }

  raw_data = calloc(1, len);

[...]

  /* Copies strlen(old)+1 bytes into a buffer of only len bytes. */
  strcpy(raw_data, old);
  return raw_data;
}
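As an added illustration (not code from the report or from libcap itself), the following models the 32-bit wrap-around described above with explicit uint32_t arithmetic and places beside it a hypothetical length check that rejects over-long input before the addition rather than after it. The names STRDUP_OVERHEAD, vulnerable_len32, checked_len and checked_strdup are chosen here and do not exist in libcap.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Bytes added on top of strlen(old): the NUL terminator plus the two
 * __u32 words that the libcap allocation layout reserves (2*sizeof(__u32)). */
#define STRDUP_OVERHEAD (1 + 2 * sizeof(uint32_t))

/* 32-bit model of the original arithmetic: a uint32_t stands in for the
 * 4-byte size_t of a 32-bit build, so the addition wraps modulo 2^32 and
 * a huge strlen() result turns into a tiny allocation size. */
uint32_t vulnerable_len32(uint32_t strlen_old)
{
    return strlen_old + (uint32_t)STRDUP_OVERHEAD;
}

/* Hardened length computation: compare against SIZE_MAX *before* adding,
 * so the sum can never wrap whatever the width of size_t is.  Returns
 * false and sets errno = EINVAL when the string is too long to manage. */
bool checked_len(size_t strlen_old, size_t *len_out)
{
    if (strlen_old > SIZE_MAX - STRDUP_OVERHEAD) {
        errno = EINVAL;
        return false;
    }
    *len_out = strlen_old + STRDUP_OVERHEAD;
    return true;
}

/* Hypothetical hardened duplicate (assumed layout: string at the front of
 * the buffer): allocates only after checked_len() confirmed the size, and
 * copies exactly strlen+1 bytes.  The caller frees the result. */
char *checked_strdup(const char *old)
{
    size_t n = strlen(old);
    size_t len;
    char *raw;

    if (!checked_len(n, &len))
        return NULL;
    raw = calloc(1, len);
    if (raw == NULL)
        return NULL;
    memcpy(raw, old, n + 1);
    return raw;
}
```

With a constructed strlen() of 0xFFFFFFFA (just under 4GB), vulnerable_len32() yields 3, which the original's minimum-size clamp only raises to sizeof(struct _cap_alloc_s), still far too small for the copy that follows.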

The low severity issue is a memory leak in the error handling of __real_pthread_create(), where allocated memory is not released on the failure path. This might result in DoS scenarios.

In terms of dynamic testing, the testing team developed several fuzz testing harnesses. Fuzz testing is, in general, essential for the overall security of the libcap project, especially since it is implemented in C, a language prone to memory corruption vulnerabilities. For the purpose of this test, coverage-guided fuzzing with AFL++ in combination with AddressSanitizer (ASAN) was performed. Even though no new issues were identified using the developed harnesses, it is highly recommended to incorporate them into the libcap project and to make fuzzing a fixed part of libcap development, either using AFL++ or libFuzzer, resulting in better testing coverage.

libcap’s announcement of the release can be found here:
https://git.kernel.org/pub/scm/libs/libcap/libcap.git/

OSTIF’s announcement can be found at:
https://ostif.org/our-audit-of-libcap-is-complete/

CVEs
Not yet registered.


If you are interested in working with us on such projects in the future, remote or in-office, have a look at our jobs page!