Crypt::URandom Heap Buffer Overflow Vulnerability in Perl
Vulnerability
A heap buffer overflow vulnerability has been identified in the Crypt::URandom module for Perl, affecting versions from 0.41 up to but not including 0.55. The flaw is in the XS function crypt_urandom_getrandom(), which does not validate its length parameter. A negative length is therefore accepted; the resulting integer wraparound produces a zero-byte allocation, and when getrandom() is then called with the original negative value, that value is implicitly converted to a very large unsigned count (SIZE_MAX when the value is -1). getrandom() then writes past the zero-length buffer, corrupting the heap and crashing the application, which is a denial-of-service condition. The length argument is usually hardcoded by the caller, so only applications that pass untrusted input to this parameter are exposed.
Impact
Exploitation of this vulnerability causes heap memory corruption, leading to an application crash and denial-of-service condition.
Reproduction
The vulnerability can be reproduced by calling crypt_urandom_getrandom() with a negative length, for example -1: the function allocates zero bytes and then attempts to read a very large number of bytes into that buffer, overwriting adjacent memory and corrupting the heap.
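The two sections above describe a signed length reaching a size_t parameter unchecked. The following is an added illustration written for this page in plain C; it is not Crypt::URandom's XS code, and the function names, the URANDOM_MAX_REQUEST cap and the long length type are assumptions. It shows the conversion that turns -1 into SIZE_MAX, and the input check that a hardened wrapper performs before it allocates anything or calls getrandom(). The exact allocation arithmetic in the affected module is not given on this page, so the example does not reproduce it.

```c
/* Added example, not the module's XS code: how an unvalidated signed length
 * reaches getrandom(), and the check that stops it. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#if defined(__linux__)
#include <sys/random.h>
#else
#include <fcntl.h>
#include <unistd.h>
#endif

/* Upper bound on one request; an assumed policy value, not from the module. */
#define URANDOM_MAX_REQUEST (1024u * 1024u)

/* The conversion the advisory describes: a negative signed length passed
 * where getrandom() expects size_t becomes a huge unsigned count (-1 -> SIZE_MAX). */
size_t length_as_seen_by_getrandom(long len) {
    return (size_t)len;
}

/* Validate a caller-supplied length before any allocation or syscall.
 * Returns 0 and stores the checked size on success; -1 with errno set otherwise. */
int check_length(long len, size_t *out) {
    if (len <= 0) { errno = EINVAL; return -1; }                    /* rejects -1 and 0 */
    if ((unsigned long)len > URANDOM_MAX_REQUEST) { errno = ERANGE; return -1; }
    *out = (size_t)len;
    return 0;
}

/* Fill buf with exactly n random bytes, retrying on short reads and EINTR. */
static int fill_random(unsigned char *buf, size_t n) {
    size_t done = 0;
#if defined(__linux__)
    while (done < n) {
        ssize_t r = getrandom(buf + done, n - done, 0);
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        done += (size_t)r;
    }
#else
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    while (done < n) {
        ssize_t r = read(fd, buf + done, n - done);
        if (r < 0) { if (errno == EINTR) continue; close(fd); return -1; }
        if (r == 0) { close(fd); return -1; }
        done += (size_t)r;
    }
    close(fd);
#endif
    return 0;
}

/* Hardened "give me len random bytes": validate, allocate exactly the checked
 * size, then read exactly that many bytes. Caller frees *out.
 * Returns the byte count, or -1 with errno set and *out == NULL. */
long safe_urandom(long len, unsigned char **out) {
    size_t n;
    *out = NULL;
    if (check_length(len, &n) != 0) return -1;
    unsigned char *buf = malloc(n);
    if (!buf) return -1;                       /* errno = ENOMEM from malloc */
    if (fill_random(buf, n) != 0) { free(buf); return -1; }
    *out = buf;
    return (long)n;
}

/* Request len bytes, discard them, return the count or -1 (for checks below). */
long request_and_discard(long len) {
    unsigned char *buf = NULL;
    long got = safe_urandom(len, &buf);
    free(buf);
    return got;
}

int main(void) {
    printf("-1 as size_t: %zu (SIZE_MAX is %zu)\n",
           length_as_seen_by_getrandom(-1), (size_t)SIZE_MAX);
    printf("request(-1) -> %ld (%s)\n", request_and_discard(-1), strerror(errno));
    printf("request(16) -> %ld bytes\n", request_and_discard(16));
    return 0;
}
```

The check must run before the allocation, not after it: once a wrapped size has reached the allocator, the buffer length and the count later handed to getrandom() no longer agree, which is exactly the mismatch the advisory describes.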
Remediation
Users can upgrade to Crypt::URandom version 0.55 or later, where this vulnerability has been fixed.
