Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#19032 closed defect (fixed)

Out of bounds write on directory authorities when voting on duplicate ed25519 keys

Reported by: special
Owned by:
Priority: Immediate
Milestone: Tor: 0.2.7.x-final
Component: Core Tor/Tor
Version:
Severity: Critical
Keywords: TorCoreTeam201605 regression review-group-1
Cc: nickm, teor
Actual Points: 0
Parent ID:
Points: 0
Reviewer:
Sponsor: SponsorU-can


In dirserv_compute_performance_thresholds, we allocate arrays based on the length of 'routers', a list of routerinfo_t, but loop over the nodelist. The 'routers' list may be shorter when relays were filtered by routers_make_ed_keys_unique, leading to an out-of-bounds write.

This bug was originally introduced in 26e89742, but it doesn't look possible to trigger until routers_make_ed_keys_unique was introduced in 13a31e72.

This needs a backport to 0.2.7, but wasn't in a released version. Fix on
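
The mismatch described in this report, as an added example that is not part of the ticket or of Tor's source: a buffer sized by the filtered list while the loop is bounded by the unfiltered one. `relay_t`, `SAMPLE_NODES` and all function names are hypothetical, and the hardened form is one possible remedy, not necessarily the merged patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-in for a nodelist entry (not Tor's node_t). */
typedef struct { int ed_key_id; uint32_t uptime; } relay_t;

/* Constructed sample: 5 nodes, two of which reuse an earlier ed25519 key. */
static const relay_t SAMPLE_NODES[5] = {
  {1, 100}, {2, 200}, {1, 300}, {3, 400}, {2, 500}
};

/* Models the dedup step: length of the filtered "routers" list. */
static size_t count_unique_keys(const relay_t *n, size_t len) {
  size_t uniq = 0;
  for (size_t i = 0; i < len; i++) {
    size_t j = 0;
    while (j < i && n[j].ed_key_id != n[i].ed_key_id) j++;
    if (j == i) uniq++;
  }
  return uniq;
}

/* Reported pattern: buffer sized by n_routers, loop bounded by n_nodes.
 * Overflowing writes are counted, not performed, so this is safe to run. */
static size_t count_oob_writes(const relay_t *n, size_t n_nodes, size_t n_routers) {
  uint32_t *uptimes = calloc(n_routers ? n_routers : 1, sizeof(*uptimes));
  size_t n_active = 0, oob = 0;
  if (!uptimes) abort();
  for (size_t i = 0; i < n_nodes; i++, n_active++) {
    if (n_active < n_routers) uptimes[n_active] = n[i].uptime;
    else oob++; /* the unchecked code would write uptimes[n_active] here */
  }
  free(uptimes);
  return oob;
}

/* Hardened form (an assumption, not the merged patch): size the buffer by
 * the same list that bounds the loop. Caller frees the result. */
static uint32_t *collect_uptimes(const relay_t *n, size_t n_nodes) {
  uint32_t *uptimes = calloc(n_nodes ? n_nodes : 1, sizeof(*uptimes));
  if (!uptimes) abort();
  for (size_t i = 0; i < n_nodes; i++) uptimes[i] = n[i].uptime;
  return uptimes;
}

int main(void) {
  size_t routers = count_unique_keys(SAMPLE_NODES, 5);
  uint32_t *u = collect_uptimes(SAMPLE_NODES, 5);
  printf("routers=%zu oob=%zu last=%u\n", routers,
         count_oob_writes(SAMPLE_NODES, 5, routers), (unsigned)u[4]);
  free(u);
  return 0;
}
```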

Change History (7)

comment:1 Changed 4 years ago by special

Status: new → needs_review

See my bug19032-027 branch.

comment:2 Changed 4 years ago by nickm

Keywords: TorCoreTeam201605 regression review-group-1 added

comment:3 Changed 4 years ago by nickm

Status: needs_review → merge_ready

lgtm; testing.

comment:4 Changed 4 years ago by nickm

Resolution: fixed
Status: merge_ready → closed

Merged to 0.2.7 and forwards. Thanks!

comment:5 Changed 4 years ago by nickm

Sponsor: SponsorU-can

comment:6 Changed 4 years ago by nickm

Actual Points: 0
Points: 0

comment:7 Changed 4 years ago by teor

I can't seem to replicate this using chutney, which is unfortunate.
Given that this patch fixes this issue on our test authority network, I'm going to call it fixed.
