Opened 4 years ago

Closed 3 years ago

#19150 closed defect (fixed)

Pointer overflow in memarea_alloc()

Reported by: asn
Owned by: nickm
Priority: Medium
Milestone: Tor: 0.2.8.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.1.10-alpha
Severity: Normal
Keywords: 027-backport tor-bug-bounty
Cc:
Actual Points: .4
Parent ID:
Points: .1
Reviewer:
Sponsor:

Description

There is a pointer overflow in memarea_alloc():

  if (chunk->next_mem+sz > chunk->U_MEM+chunk->mem_size) {

It does not seem to be RCE exploitable, since in all places in routerparse.c where memareas are used, we restrict the input size to 128kb or so (through MAX_LINE_LENGTH and MAX_UNPARSED_OBJECT_SIZE).

However, we should still fix this to plug any DoS threats and for future code correctness.

The bug was found by Guido Vranken through the HackerOne bug bounty program.
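To show the defect class the ticket describes, here is an added illustration (not Tor's own code) that models a simplified, hypothetical memarea chunk, puts the quoted pointer-addition check beside an overflow-free form that compares the request against the remaining space, and makes the wrap-around observable by doing the arithmetic on uintptr_t:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified memarea chunk; not Tor's real struct layout. */
typedef struct chunk_t {
  size_t mem_size;  /* usable bytes in this chunk */
  char *next_mem;   /* bump pointer to the next free byte */
  char *u_mem;      /* start of usable memory (stands in for chunk->U_MEM) */
} chunk_t;

/* The condition quoted in the ticket, modelled on uintptr_t so the wrap-around
 * is observable in a test rather than undefined pointer arithmetic. */
static bool fits_pointer_add(const chunk_t *c, size_t sz) {
  uintptr_t next = (uintptr_t)c->next_mem;
  uintptr_t end  = (uintptr_t)c->u_mem + c->mem_size;
  return !(next + sz > end);  /* next + sz can wrap past zero and "fit" */
}

/* Overflow-free form: measure the space left (a difference of two in-bounds
 * pointers, which cannot wrap) and compare the request against it. */
static bool fits_remaining(const chunk_t *c, size_t sz) {
  size_t remaining = (size_t)((c->u_mem + c->mem_size) - c->next_mem);
  return sz <= remaining;
}

/* Bump allocation using the safe check; returns NULL when the chunk is full. */
static void *chunk_alloc(chunk_t *c, size_t sz) {
  if (!fits_remaining(c, sz))
    return NULL;
  void *result = c->next_mem;
  c->next_mem += sz;
  return result;
}

/* Constructed demo: a 64-byte static arena with the first 16 bytes in use. */
static char demo_arena[64];
static chunk_t demo_chunk(void) {
  chunk_t c = { sizeof demo_arena, demo_arena + 16, demo_arena };
  return c;
}
/* Result of each check against the demo chunk for a request of sz bytes. */
static bool old_check(size_t sz) { chunk_t c = demo_chunk(); return fits_pointer_add(&c, sz); }
static bool new_check(size_t sz) { chunk_t c = demo_chunk(); return fits_remaining(&c, sz); }
/* Whether chunk_alloc hands out memory for a request of sz bytes. */
static bool alloc_succeeds(size_t sz) { chunk_t c = demo_chunk(); return chunk_alloc(&c, sz) != NULL; }
```

With 48 bytes free, a request of SIZE_MAX - 8 wraps next_mem + sz to just below next_mem, so the quoted check accepts it while the remaining-space check rejects it.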

Child Tickets

Change History (7)

comment:1 Changed 4 years ago by nickm

Keywords: 027-backport added
Milestone: Tor: 0.2.9.x-final → Tor: 0.2.8.x-final
Status: new → needs_revision

First attempt at a fix in memarea_overflow_027. It probably isn't right.

comment:2 Changed 3 years ago by nickm

Status: needs_revision → needs_review

comment:3 Changed 3 years ago by asn

Did an initial review of Nick's branch. Found some issues which have been addressed. I like the current version.

comment:4 Changed 3 years ago by nickm

Actual Points: .4
Keywords: TorCoreTeam201605 removed
Owner: set to nickm
Points: .1
Status: needs_review → accepted

memarea_overflow_027_squashed has the squashed version, which I'm merging to 0.2.8 and forward. Possible backport to 0.2.7.

comment:5 Changed 3 years ago by nickm

Milestone: Tor: 0.2.8.x-final → Tor: 0.2.7.x-final
Status: accepted → needs_review

comment:6 Changed 3 years ago by asn

Keywords: tor-bug-bounty added

comment:7 Changed 3 years ago by nickm

Milestone: Tor: 0.2.7.x-final → Tor: 0.2.8.x-final
Resolution: fixed
Status: needs_review → closed

Decision is "no backport" because it isn't triggerable.
