Opened 2 years ago

Closed 2 years ago

#23291 closed defect (fixed)

unintentional undefined behavior in test-memwipe.c

Reported by: nickm
Owned by:
Priority: Medium
Milestone: Tor: 0.3.1.x-final
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: 028-backport 029-backport 030-backport
Cc: snoek
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


While working on #22839, snoek found a bug in test-memwipe.c:

The last test, test_memwipe, segfaulted. This only happened with Rust built in. It turns out this was caused by the uninitialized buf in check_heap_buffer being smaller than the mem addresses being scanned. I know we're doing some dirty stuff there, but I don't think trying to read past the length of the buffer was intended. At least to me it seems fair enough for the program to segfault. I put in the obvious fix, which might be horribly wrong.

It looks fine to me, so I'm going to give it a bug number and backport it.


Change History (4)

comment:1 Changed 2 years ago by nickm

Keywords: 028-backport 029-backport 030-backport added
Milestone: Tor: 0.2.9.x-final → Tor: 0.3.0.x-final
Status: new → needs_review

I've cherry-picked the patch into a new branch with a changes file, as bug23291_028 in my public repository. I'm merging it to 0.3.1 and forward, but maybe we want to backport it more?

comment:2 Changed 2 years ago by nickm

Milestone: Tor: 0.3.0.x-final → Tor: 0.3.1.x-final
Resolution: fixed
Status: needs_review → closed

No backport.

comment:3 Changed 2 years ago by nickm

Resolution: fixed
Status: closed → reopened

Actually, this now appears to be the likeliest cause of some test-memwipe failures on Windows in versions 0.2.8 through 0.3.0.

comment:4 Changed 2 years ago by nickm

Resolution: fixed
Status: reopened → closed

Backported to 0.2.8 and forward.
