Opened 2 years ago

Closed 2 years ago

Last modified 4 months ago

#15823 closed defect (fixed)

Out-of-bounds read in INTRODUCE2 with client authorization

Reported by: special
Owned by:
Priority: Medium
Milestone: Tor: 0.2.4.x-final
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: tor-hs, 025-backport, 026-backport, 2016-bug-retrospective
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

An authorized hidden service client can cause an out-of-bounds read on a service with authorization enabled, of at most 15 bytes off the end of a malloc'd segment. The client must have a valid authorization cookie. There is no disclosure of uninitialized memory, except in an info-level log message, but there is a small chance of a crash.

In rend_check_authorization, the descriptor_cookie from the INTRODUCE2 cell is assumed to be REND_DESC_COOKIE_LEN bytes. This is checked earlier when the auth_type is 1 or 2, but not for any other non-zero auth_type.

There is a warning about unknown auth types in rend_service_validate_intro_late, but no error.
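The following C program is an added illustration of the check the description is about; it is a model written for this page, not Tor's code. REND_DESC_COOKIE_LEN, the auth types 1 and 2 and the "warn but do not reject" behaviour for other types are taken from the ticket; the cell layout (a 1-byte auth_type, then a 2-byte big-endian auth_len and auth_len bytes of data) follows the version-3 INTRODUCE2 plaintext format. The function names, the verdict codes, the service cookie and the sample auth sections are constructed for the example. The pre-fix validator accepts an unknown type with a 1-byte auth field, so a 16-byte cookie compare would run 15 bytes past the malloc'd buffer; the model reports that distance instead of performing the read, and the hardened validator rejects the same input before any compare.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REND_DESC_COOKIE_LEN 16  /* cookie length for auth types 1 and 2 (assumed 16) */

enum auth_type { AUTH_NONE = 0, AUTH_BASIC = 1, AUTH_STEALTH = 2 };

enum verdict {
    OK_NO_AUTH,          /* auth_type 0: no cookie to compare */
    OK_COOKIE,           /* validator result: go on to the cookie compare */
    AUTHORIZED,          /* cookie compared in bounds and matched */
    REJECT_TRUNCATED,    /* fewer bytes present than auth_len promises */
    REJECT_BAD_LENGTH,   /* known type, auth_len != REND_DESC_COOKIE_LEN */
    REJECT_UNKNOWN_TYPE, /* hardened validator only */
    REJECT_BAD_COOKIE,   /* full-length cookie with the wrong value */
    WOULD_OVERREAD       /* model only: the compare would run past auth_data */
};

/* Auth section of a v3 INTRODUCE2 plaintext: auth_type, then (if non-zero) auth_len and data. */
typedef struct {
    uint8_t auth_type;
    uint16_t auth_len;
    uint8_t *auth_data;  /* malloc'd with exactly auth_len bytes, as in the bug */
} intro_auth_t;
typedef struct { enum verdict verdict; size_t overread; } auth_result_t;

static int parse_auth_section(const uint8_t *buf, size_t len, intro_auth_t *a)
{
    memset(a, 0, sizeof(*a));
    if (len < 1) return -1;
    a->auth_type = buf[0];
    if (a->auth_type == AUTH_NONE) return 0;
    if (len < 3) return -1;
    a->auth_len = (uint16_t)((buf[1] << 8) | buf[2]);
    if (len - 3 < a->auth_len) return -1;
    a->auth_data = malloc(a->auth_len ? a->auth_len : 1);
    if (!a->auth_data) return -1;
    memcpy(a->auth_data, buf + 3, a->auth_len);
    return 0;
}

/* Pre-fix shape: only types 1 and 2 get a length check; any other non-zero
 * type is warned about and passed on to a REND_DESC_COOKIE_LEN compare. */
static enum verdict validate_legacy(const intro_auth_t *a)
{
    if (a->auth_type == AUTH_NONE) return OK_NO_AUTH;
    if (a->auth_type == AUTH_BASIC || a->auth_type == AUTH_STEALTH)
        return a->auth_len == REND_DESC_COOKIE_LEN ? OK_COOKIE : REJECT_BAD_LENGTH;
    fprintf(stderr, "warn: unknown auth type %u, continuing\n", (unsigned)a->auth_type);
    return OK_COOKIE; /* nothing on this path bounded auth_len */
}

/* Hardened shape: unknown types are rejected, and every type that reaches
 * the cookie compare has had its length checked. */
static enum verdict validate_hardened(const intro_auth_t *a)
{
    if (a->auth_type == AUTH_NONE) return OK_NO_AUTH;
    if (a->auth_type != AUTH_BASIC && a->auth_type != AUTH_STEALTH) return REJECT_UNKNOWN_TYPE;
    return a->auth_len == REND_DESC_COOKIE_LEN ? OK_COOKIE : REJECT_BAD_LENGTH;
}

/* Constructed service-side cookie for the sample cells below. */
static const uint8_t SERVICE_COOKIE[REND_DESC_COOKIE_LEN] =
    { 0xc0, 0x0c, 0x1e, 0x5a, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };

/* Parse, validate, then compare the cookie only if the compare stays in bounds;
 * otherwise report how far past auth_data it would have read instead of reading. */
static auth_result_t check_introduce2_auth(const uint8_t *buf, size_t len, int hardened)
{
    auth_result_t r = { REJECT_TRUNCATED, 0 };
    intro_auth_t a;
    if (parse_auth_section(buf, len, &a) != 0) return r;
    r.verdict = hardened ? validate_hardened(&a) : validate_legacy(&a);
    if (r.verdict == OK_COOKIE) {
        if (a.auth_len < REND_DESC_COOKIE_LEN) {
            r.overread = REND_DESC_COOKIE_LEN - a.auth_len;
            r.verdict = WOULD_OVERREAD;
        } else {
            /* A real service should use a constant-time compare; memcmp keeps the model short. */
            r.verdict = memcmp(a.auth_data, SERVICE_COOKIE, REND_DESC_COOKIE_LEN) == 0
                        ? AUTHORIZED : REJECT_BAD_COOKIE;
        }
    }
    free(a.auth_data);
    return r;
}

/* Constructed auth sections: no auth, a valid basic-auth cookie, the same cookie one byte short,
 * and an unknown type 3 carrying a single data byte. */
static const uint8_t CELL_NO_AUTH[] = { 0x00 };
static const uint8_t CELL_BASIC_OK[] = { 0x01, 0x00, 0x10,
    0xc0, 0x0c, 0x1e, 0x5a, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
static const uint8_t CELL_BASIC_SHORT[] = { 0x01, 0x00, 0x0f,
    0xc0, 0x0c, 0x1e, 0x5a, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 };
static const uint8_t CELL_UNKNOWN_TYPE[] = { 0x03, 0x00, 0x01, 0xaa };

int main(void)
{
    auth_result_t old = check_introduce2_auth(CELL_UNKNOWN_TYPE, sizeof CELL_UNKNOWN_TYPE, 0);
    auth_result_t fix = check_introduce2_auth(CELL_UNKNOWN_TYPE, sizeof CELL_UNKNOWN_TYPE, 1);
    printf("type 3, 1 data byte: legacy verdict %d (would read %zu bytes past the buffer), hardened verdict %d\n",
           (int)old.verdict, old.overread, (int)fix.verdict);
    return 0;
}
```

The point the model makes is the one in the description: the length check is attached to the auth type rather than to the buffer that is later read, so any type that bypasses the type-specific check reaches the 16-byte compare with a buffer of attacker-chosen size. Tying the length check to the compare (or rejecting everything the service does not understand, as the hardened validator does) closes both the over-read and the "unknown type accepted" gap.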

Child Tickets

Change History (7)

comment:1 Changed 2 years ago by special

  • Status changed from new to needs_review

Minimal fix:

https://github.com/special/tor/compare/bug15823

I haven't actually reproduced this case to test it so far.

I think we should also reject INTRODUCE2 cells with an unknown auth_type, instead of assuming we understand how to use them, but that would be a separate patch.

comment:2 Changed 2 years ago by nickm

  • Keywords 025-backport 026-backport added

comment:3 Changed 2 years ago by dgoulet

lgtm! Good catch.

comment:4 Changed 2 years ago by nickm

  • Milestone changed from Tor: 0.2.7.x-final to Tor: 0.2.6.x-final

I've made a bug15823_025 branch to cherry-pick this back to 0.2.5, and merged that forward to master. Marking for possible backport.

comment:5 Changed 2 years ago by nickm

  • Resolution set to fixed
  • Status changed from needs_review to closed

Merged to 0.2.5 and 0.2.6.

comment:6 Changed 13 months ago by nickm

  • Keywords 2016-bug-retrospective added

Mark more tickets for bug retrospective based on hand-review of changelogs from 0.2.5 onwards.

comment:7 Changed 4 months ago by nickm

  • Milestone changed from Tor: 0.2.6.x-final to Tor: 0.2.4.x-final
  • Severity set to Normal

Backported to 0.2.4
