Opened 7 months ago

Closed 7 months ago

#33619 closed defect (fixed)

Resolve TROVE-2020-004

Reported by: nickm
Owned by:
Priority: Medium
Milestone: Tor: 0.4.1.x-final
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: 041-backport 042-backport 043-backport
Cc:
Actual Points: 1
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by nickm)

This is a remotely triggerable memory leak on relays and clients, found by Tobias Pulls.

The issue is that when circpad_setup_machine_on_circ() is reached with an inconsistent internal configuration, it fails to free an object that is replaced. It logs a bug warning, but that isn't enough.

Tobias Pulls found that this code was actually reachable, though, and results in a memory leak.

Change History (1)

comment:1 Changed 7 months ago by nickm

Actual Points: 1
Description: modified (diff)
Keywords: 041-backport 042-backport 043-backport added
Milestone: Tor: 0.4.4.x-final → Tor: 0.4.1.x-final
Resolution: fixed
Status: new → closed

We fix this in 78bcfc1280b322ba57a10a116457616eeb742ab6, with a fix that avoids the memory leak and prevents us from spamming the logs. It does not fix the underlying issue where the code that wasn't supposed to be reachable is actually reached.

This is a "medium" severity issue, and is also tracked as CVE-2020-10593.

This fix has been merged to all supported affected releases (0.4.1.x and later).
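
The leak pattern this ticket describes (a setup routine that warns about an already-occupied slot, then overwrites the pointer without freeing it) next to a variant that frees the old object and warns only once. This is an added example, not Tor's code and not part of the original ticket; the types, function names and allocation counter are hypothetical simplifications.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model, not Tor's code: every name here is hypothetical. */
typedef struct { int machine_id; } machine_state_t;
typedef struct { machine_state_t *slot[2]; } circ_t;

static long live_states = 0; /* live allocations; stands in for a leak checker */
static int warned = 0;       /* set after the first "bug" warning is logged */

static machine_state_t *state_new(int id) {
  machine_state_t *s = malloc(sizeof(*s));
  if (!s) abort();
  s->machine_id = id;
  live_states++;
  return s;
}

static void state_free(machine_state_t *s) {
  if (s) { free(s); live_states--; }
}

/* Leaky pattern: warn about the occupied slot, then overwrite the pointer. */
static void setup_leaky(circ_t *c, int idx, int id) {
  if (c->slot[idx]) fprintf(stderr, "BUG: slot %d already set up\n", idx);
  c->slot[idx] = state_new(id); /* the old object is now unreachable */
}

/* Hardened pattern: warn once, free the old object, then replace it. */
static void setup_fixed(circ_t *c, int idx, int id) {
  if (c->slot[idx]) {
    if (!warned) { warned = 1; fprintf(stderr, "BUG: slot %d already set up\n", idx); }
    state_free(c->slot[idx]);
  }
  c->slot[idx] = state_new(id);
}

/* Run setup n times on slot 0, tear down, return objects still allocated. */
static long leaked_after(void (*setup)(circ_t *, int, int), int n) {
  circ_t c = { { NULL, NULL } };
  live_states = 0;
  for (int i = 0; i < n; i++) setup(&c, 0, i);
  state_free(c.slot[0]);
  return live_states;
}

int main(void) {
  printf("leaky: %ld leaked\n", leaked_after(setup_leaky, 5));
  printf("fixed: %ld leaked\n", leaked_after(setup_fixed, 5));
  return 0;
}
```

In the leaky variant each repeated setup costs one unreachable object and one log line, which is why a remotely repeatable trigger turns the warning path into unbounded memory growth.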
