Opened 4 weeks ago

Closed 6 hours ago

Last modified 6 hours ago

#29168 closed defect (fixed)

Fix TROVE-2019-001 (KIST can write above outbuf highwater mark)

Reported by: nickm Owned by: dgoulet
Priority: Very High Milestone: Tor: 0.4.0.x-final
Component: Core Tor/Tor Version:
Severity: Normal Keywords: security, trove, regression, 040-must
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by nickm)

From the fix in be84ed1a64ed7ce810bd3924fa96c2588b491ef5:

    KIST works by computing how much should be allowed to write to the kernel for
    a given socket, and then it writes that amount to the outbuf.
    
    The problem is that it could be possible that the outbuf already has lots of
    data in it from a previous scheduling round (because the kernel is full/busy
    and Tor was not able to flush the outbuf yet). KIST ignores that the outbuf
    has been filling (is above its "highwater") and writes more anyway. The end
    result is that the outbuf length would exceed INT_MAX, hence causing an
    assertion error and a corresponding "Bug()" message to get printed to the
    logs.
    
    This commit makes KIST take into account the outbuf length when computing
    the available space.
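A simplified model of the scheduling bug the commit message describes, added here as an illustration and not Tor's own code: the struct, function names and byte counts are hypothetical. It contrasts the pre-fix limit (kernel space only) with the post-fix limit (kernel space minus what is already queued) over several rounds in which the kernel never drains.

```c
#include <limits.h>
#include <stddef.h>

/* Constructed model of one KIST-scheduled socket: what is already queued
 * in Tor's outbuf and the most the outbuf is meant to hold (hypothetical
 * names, not Tor's own structures). */
typedef struct {
  size_t outbuf_len;       /* bytes already queued in the outbuf */
  size_t outbuf_highwater; /* cap the outbuf should never exceed */
} sock_state_t;

/* Pre-fix behaviour: the limit is whatever the kernel can take, with no
 * regard to data still sitting in the outbuf from earlier rounds. */
static size_t kist_limit_buggy(const sock_state_t *s, size_t kernel_space)
{
  (void)s;
  return kernel_space;
}

/* Post-fix behaviour: subtract what is already queued, so the amount
 * written never pushes the outbuf past its highwater mark. */
static size_t kist_limit_fixed(const sock_state_t *s, size_t kernel_space)
{
  if (s->outbuf_len >= s->outbuf_highwater)
    return 0;
  size_t room = s->outbuf_highwater - s->outbuf_len;
  return kernel_space < room ? kernel_space : room;
}

/* Run `rounds` scheduling rounds in which the kernel is full and nothing
 * is flushed, so every byte the scheduler writes stays in the outbuf.
 * Returns the outbuf length after the last round. */
static size_t simulate_rounds(size_t rounds, size_t kernel_space,
                              size_t highwater,
                              size_t (*limit_fn)(const sock_state_t *, size_t))
{
  sock_state_t s = { 0, highwater };
  for (size_t i = 0; i < rounds; i++)
    s.outbuf_len += limit_fn(&s, kernel_space);
  return s.outbuf_len;
}

/* Would this outbuf length still satisfy the INT_MAX check the commit
 * message says the old code could trip? */
static int outbuf_len_ok(size_t outbuf_len)
{
  return outbuf_len <= (size_t)INT_MAX;
}
```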

Change History (11)

comment:1 Changed 13 days ago by nickm

Keywords: security trove regression added

comment:2 Changed 9 days ago by nickm

Priority: Medium → Very High

comment:3 Changed 30 hours ago by nickm

Keywords: 040-must added

Marking tickets as 040-must based on triage with dgoulet.

comment:4 Changed 29 hours ago by nickm

Status: new → needs_review

comment:5 Changed 29 hours ago by nickm

(the patch is on the network team security encrypted ML)

comment:6 Changed 29 hours ago by nickm

Owner: set to dgoulet
Status: needs_review → assigned

comment:7 Changed 29 hours ago by nickm

Status: assigned → needs_review

comment:8 Changed 29 hours ago by dgoulet

Status: needs_review → assigned

comment:9 Changed 29 hours ago by dgoulet

Status: assigned → needs_review

comment:10 Changed 6 hours ago by nickm

Description: modified (diff)
Resolution: fixed
Status: needs_review → closed
Summary: Fix TROVE-2019-001 → Fix TROVE-2019-001 (KIST can write above outbuf highwater mark)

comment:11 Changed 6 hours ago by nickm

For what it's worth, we've only been able to actually make this crash occur in a pretty nonstandard testing environment, and only then against clients. But it's entirely possible that there's some way to exploit this in the wild that we're missing. Out of caution, we're giving this issue medium severity, and putting out patches: better safe than sorry.
