Opened 13 months ago
Closed 9 months ago
#31001 closed defect (fixed)
Undefined behavior in tor_vasprintf()
| Reported by: | asn | Owned by: | nickm |
|---|---|---|---|
| Priority: | Medium | Milestone: | Tor: 0.4.0.x-final |
| Component: | Core Tor/Tor | Version: | |
| Severity: | Normal | Keywords: | hackerone, bug-bounty, security-low, unlikely-crash, 029-backport, 035-backport, 040-backport, 041-backport, dgoulet-merge, consider-backport-after-0421 |
| Cc: | Actual Points: | .1 | |
| Parent ID: | Points: | 0.5 | |
| Reviewer: | catalyst | Sponsor: |
Description
Overflowing a signed integer in C is an undefined behaviour. It is possible to trigger this undefined behaviour in tor_asprintf on Windows or systems lacking vasprintf. On these systems, eiter _vscprintf or vsnprintf is called to retrieve the required amount of bytes to hold the string. These functions can return INT_MAX. The easiest way to recreate this is the use of a specially crafted configuration file, e.g. containing the line: FirewallPorts AAAAA<in total 2147483610 As> This line triggers the needed tor_asprintf call which eventually leads to an INT_MAX return value from _vscprintf or vsnprintf. The needed byte for \0 is added to the result, triggering the overflow and therefore the undefined behaviour. Casting the value to size_t before addition fixes the behaviour.
Child Tickets
Change History (12)
comment:1 Changed 13 months ago by
| Status: | new → needs_review |
|---|
comment:2 Changed 13 months ago by
| Keywords: | security-low unlikely-crash 029-backport 035-backport 040-backport 041-backport added |
|---|---|
| Points: | → 0.5 |
| Status: | needs_review → needs_revision |
This patch makes sense to me, and it passes CI.
I'm marking it as security-low, because most common compilers don't aggressively optimise signed overflow in this context.
(If they did, this code could introduce some nasty bugs in tor.)
So the negative value will be converted to size_t by adding SIZE_T_MAX.
On 32-bit systems, that's the correct value, on 64-bit systems, that's UINT64_MAX - INT32_MIN, which will fail to malloc and crash.
Fortunately, most of Tor's parsers have document size limits that are much lower than 2GB.
But we still need to backport this fix to compact.c in 0.2.9, and then merge forward.
comment:3 Changed 12 months ago by
| Owner: | set to nickm |
|---|---|
| Status: | needs_revision → accepted |
I'll do the backport
comment:4 follow-up: 6 Changed 12 months ago by
| Actual Points: | → .1 |
|---|---|
| Status: | accepted → needs_review |
I have two branches here: bug31001_029 for maint-0.2.9, and bug31001_035 for maint-0.3.5 and later.
PR for 0.2.9: https://github.com/torproject/tor/pull/1178
PR for 0.3.5: https://github.com/torproject/tor/pull/1179
PR for master (for CI purposes): https://github.com/torproject/tor/pull/1180
comment:5 Changed 12 months ago by
| Reviewer: | → catalyst |
|---|
comment:6 Changed 12 months ago by
| Status: | needs_review → merge_ready |
|---|
Replying to nickm:
I have two branches here: bug31001_029 for maint-0.2.9, and bug31001_035 for maint-0.3.5 and later.
PR for 0.2.9: https://github.com/torproject/tor/pull/1178
PR for 0.3.5: https://github.com/torproject/tor/pull/1179
PR for master (for CI purposes): https://github.com/torproject/tor/pull/1180
Thanks! These look good to me.
comment:7 Changed 12 months ago by
| Keywords: | dgoulet-merge added |
|---|
Please merge to 0.4.0 and forward, and mark for backport?
comment:8 Changed 12 months ago by
| Milestone: | Tor: 0.4.1.x-final → Tor: 0.4.0.x-final |
|---|
Merged in 041 and forward! Moving to 040 for backport.
comment:9 Changed 11 months ago by
| Keywords: | consider-backport-after-0416 added |
|---|
This PR was merged after 0.4.1.4, so we will test it until 0.4.1.6 is released, then merge.
comment:10 Changed 11 months ago by
| Keywords: | 041-must removed |
|---|
comment:11 Changed 11 months ago by
| Keywords: | consider-backport-after-0421 added; consider-backport-after-0416 removed |
|---|
0.4.1.5 was stable, so these get backported after the next alpha
comment:12 Changed 9 months ago by
| Resolution: | → fixed |
|---|---|
| Status: | merge_ready → closed |
Bug found by Tobias Stoeckmann.
Patch by Tobias can be found here: https://github.com/torproject/tor/pull/1144