Crypt::SysRandom::XS Heap Buffer Overflow Vulnerability in Perl
Vulnerability
A heap buffer overflow vulnerability has been identified in Crypt::SysRandom::XS versions prior to 0.010 for Perl. The issue lies in the XS function random_bytes(), which does not check that its length parameter is non-negative. When a negative value is supplied, the size computation wraps around and a zero-byte buffer is allocated. The original negative value is then converted to a large unsigned value and passed as the byte count to the selected system random source, which writes far beyond the end of the allocated buffer. The resulting heap corruption typically crashes the process, producing a denial-of-service condition. In most callers the length argument is a constant, but applications that derive it from untrusted input are exposed.
Impact
Exploitation of this vulnerability leads to heap memory corruption, causing the application to crash and creating a denial-of-service condition.
Reproduction
To reproduce this vulnerability, call random_bytes() with a negative length parameter. The function allocates a zero-byte buffer and then attempts to fill it with random data using the negative value converted to a large unsigned integer, overflowing the buffer and corrupting heap memory.
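The following C model illustrates the bug class described in the Vulnerability and Reproduction sections: a signed Perl length (IV) converted to an unsigned byte count (STRLEN/size_t) wraps to a huge value, and a vulnerable routine that derives its allocation size and fill length separately ends up writing past a tiny heap buffer. This is an added example, not the module's XS source; the IV/STRLEN types, the allocation shape and the RNG stand-in are assumptions made so the example runs offline, and `unsafe_random_bytes` is shown for contrast only and must never be called with a negative length.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: Perl's IV modelled as a signed long, STRLEN as size_t. */
typedef long IV;

/* What a C API sees when a negative IV is passed where an unsigned
 * byte count is expected: the value wraps to a huge size_t
 * (e.g. -1 becomes SIZE_MAX). */
size_t as_byte_count(IV len) {
    return (size_t)len;
}

/* Constructed stand-in for the system RNG (getrandom/arc4random/...):
 * a deterministic xorshift so the example runs offline. Not for real use. */
static void fill_random(unsigned char *buf, size_t n) {
    static uint64_t s = 0x9E3779B97F4A7C15ULL;
    for (size_t i = 0; i < n; i++) {
        s ^= s << 13; s ^= s >> 7; s ^= s << 17;
        buf[i] = (unsigned char)s;
    }
}

/* Vulnerable shape (assumed model of the pre-0.010 behaviour, not the
 * module's code): the allocation size and the fill length are derived
 * separately from the signed length, so a negative value allocates an
 * (almost) empty buffer yet requests a huge fill. NEVER call with len < 0. */
unsigned char *unsafe_random_bytes(IV len, size_t *out_len) {
    size_t alloc = (len < 0) ? 0 : (size_t)len;  /* stands in for the wrapped size computation */
    size_t fill  = as_byte_count(len);           /* -1 -> SIZE_MAX */
    unsigned char *buf = malloc(alloc + 1);      /* room for a terminator */
    if (!buf) return NULL;
    fill_random(buf, fill);                      /* heap overflow when fill > alloc */
    buf[alloc] = 0;
    *out_len = fill;
    return buf;
}

/* Hardened version: validate the signed length before any size math.
 * Returns NULL and sets *out_len = 0 for negative or oversized lengths. */
unsigned char *safe_random_bytes(IV len, size_t *out_len) {
    *out_len = 0;
    if (len < 0) return NULL;           /* the missing check */
    size_t n = (size_t)len;
    if (n > SIZE_MAX - 1) return NULL;  /* guard the +1 below */
    unsigned char *buf = malloc(n + 1);
    if (!buf) return NULL;
    fill_random(buf, n);
    buf[n] = 0;
    *out_len = n;
    return buf;
}

/* Convenience wrapper for callers and tests: returns the number of bytes
 * produced, or -1 if the request was rejected. */
long request_bytes(IV len) {
    size_t n;
    unsigned char *b = safe_random_bytes(len, &n);
    if (!b) return -1;
    free(b);
    return (long)n;
}
```

The check that closes the hole is the single `len < 0` comparison performed on the signed value before it is ever converted; once the value has become a size_t the information that it was negative is gone, which is why validation has to happen at the XS boundary rather than in the random-source call.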
Remediation
Users are advised to update to Crypt::SysRandom::XS version 0.010 or later, where this vulnerability has been addressed. As defence in depth, callers that compute the length from external input should also reject non-positive values before passing them to the module.
