The Cloudbleed Story:
'Cloudbleed': what a metaphor in a name, or is it the other way round?
https://www.forbes.com/sites/thomasbrewster/2017/02/24/google-just-discovered-a-massive-web-leak-and-you-might-want-to-change-all-your-passwords/#1848cf543ca3
...which refers to the finder of the bug, Tavis Ormandy, and this blog post:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
And Cloudflare's announcement, which includes many technical details worth reading:
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
... which lays out the root cause (sigh)
/* generated code */
if ( ++p == pe )
goto _test_eof;
The root cause of the bug was that reaching the end of a buffer was checked using the equality operator and a pointer was able to step past the end of the buffer. This is known as a buffer overrun. Had the check been done using >= instead of == jumping over the buffer end would have been caught.
Incidentals:
What is Google Project Zero? And why does it exist? Pretty fascinating, actually:Project Zero is the name of a team of security analysts employed by Google tasked with finding zero-day vulnerabilities. It was announced on 15 July 2014. [wikipedia] https://en.wikipedia.org/wiki/Project_Zero_(Google)
The Wikipedia summary is definitely worth a read.
And the Project Zero blog:
https://googleprojectzero.blogspot.com/
#cloudbleed #cloudflare #GoogleProjectZero
