smartlist functions contain bogus overflow checks

added component::core tor/tor priority::high resolution::fixed status::closed tor-client type::defect labels

Looks like there are other scary overflow (not-quite-)checks, too.

Trac:
Summary: smartlist_ensure_capacity contains bogus overflow check to smartlist functions contain bogus overflow checks

I could give this a shot, unless someone else has already started.

It might take me a while, though, since I'd go through everything line by line.

Trac:
Username: mansour

aren't we good here because we ensure that we're using 2s complement?

Replying to Sebastian:

aren't we good here because we ensure that we're using 2s complement?

If the assert had been within the while loop, perhaps.

For example, if the variable size == INT_MAX/2+1, and sl->capacity == size+1. The variable higher is assigned a negative off the bat; gets doubled; underflows; and the loop breaks. Then the assert passes essentially by accident.

But that's just this particular instance.

Trac:
Username: mansour

Trac:
Username: mansour
Cc: N/A to mansourmoufid@gmail.com

Fortunately, I think the only overflow check to worry about is smartlist_ensure_capacity; everything else calls that when it wants to grow the smartlist.

Replying to nickm:

Fortunately, I think the only overflow check to worry about is smartlist_ensure_capacity; everything else calls that when it wants to grow the smartlist.

I've attached a quick fix for this function. Tests fine but it needs review.

The idea is to just use INT_MAX in case of potential overflow.

Trac:
Username: mansour

0001-Prevent-integer-overflows-in-smartlist_ensure_capaci.patch

Trac:
Username: mansour

Removing the milestone, because 0.2.1.x-final has been released long ago. (Also marking that milestone as closed.)

Trac:
Milestone: Tor: 0.2.1.x-final to N/A

Putting the milestone back in. I thought it was a milestone for the stable release. Marking the milestone as open again. Ooops. :)

Trac:
Milestone: N/A to Tor: 0.2.1.x-final

Looking at the patch, I think it's just going to overflow again. Sure, it caps sl->capacity at INT_MAX, but look at the tor_realloc() call: it reallocates the buffer to be equal to sizeof(void*)*sl->capacity. So on a 32-bit system, that'll be ((size_t)4)*INT_MAX , which isn't a sensible thing to say.

Have a look at branch "bug4230" in my public repository; does that look okay to you?

Trac:
Status: new to needs_review

Replying to nickm:

Have a look at branch "bug4230" in my public repository; does that look okay to you?

There is a TAB character in your commit message.

Replying to rransom:

Replying to nickm:

Have a look at branch "bug4230" in my public repository; does that look okay to you?

There is a TAB character in your commit message.

Other than that, looks ok?

Replying to nickm:

Replying to rransom:

Replying to nickm:

Have a look at branch "bug4230" in my public repository; does that look okay to you?

There is a TAB character in your commit message.

Other than that, looks ok?

Yes.

ok; pushed an updated version. I'd appreciate a look from whoever else has time before I merge; this kind of stuff has a way of getting tricky.

In a x86-64 system, SIZEOF_SIZE_T == SIZEOF_INT and MAX_CAPACITY becomes (int) (UINT_MAX / 8) == 2^29, and MAX_CAPACITY/2 == 2^27.

If you pass a size bigger than 2^29 or INT_MAX/4, it will get in the if (PREDICT_UNLIKELY(size > MAX_CAPACITY/2)) { and hit the tor_assert(size <= MAX_CAPACITY);.

I'm not sure if this is in the function's threat model, since you have to pass an enormous size and it would in any case probably OOM from the realloc(), but even the original overflow of this ticket needed a huge size.

In a x86-64 system, SIZEOF_SIZE_T == SIZEOF_INT and MAX_CAPACITY becomes (int) (UINT_MAX / 8) == 2^29^, and MAX_CAPACITY/2 == 2^27^.

If you pass a size bigger than 2^29^ or INT_MAX/4, it will get in the if (PREDICT_UNLIKELY(size > MAX_CAPACITY/2)) { and hit the tor_assert(size <= MAX_CAPACITY);.

I'm not sure if this is in the function's threat model, since you have to pass an enormous size and it would in any case probably OOM from the realloc(), but even the original overflow of this ticket needed a huge size.

Replying to asn:

In a x86-64 system, SIZEOF_SIZE_T == SIZEOF_INT and MAX_CAPACITY becomes (int) (UINT_MAX / 8) == 2^29^, and MAX_CAPACITY/2 == 2^27^.

Actually, on most X86_64 systems, SIZEOF_SIZE_T is 8 an SIZEOF_INT is 4. But it's allowable for them to be the same depending on the weirdness of the API, so let's go with it.

In this case, UINT_MAX/8 is actually not 2^29^ . It's 536870911, which is 2^29^ -1. So MAX_CAPACITY/2 will be 2^27^ - 1.

(The -1s aren't relevant to your argument, I think. But just in case.)

If you pass a size bigger than 2^29^ or INT_MAX/4, it will get in the if (PREDICT_UNLIKELY(size > MAX_CAPACITY/2)) { and hit the tor_assert(size <= MAX_CAPACITY);.

Yup. We have to hit that point. Our response to OOM is a tor_assert() failure throughout the rest of the code. We literally cannot allocate an array of more than MAX_CAPACITY elements in this case: to do so, we would need to pass a value larger than SIZE_MAX as an argument to tor_realloc, which is impossible, since SIZE_MAX is the largest SIZE_T value there can be.

I'm not sure if this is in the function's threat model, since you have to pass an enormous size and it would in any case probably OOM from the realloc(), but even the original overflow of this ticket needed a huge size.

Fix looks plausible to me. (But I'm not an expert on this level of stuff.)

I suggest we should merge it in at 022, and then tell weasel about it so he can decide whether he wants to put it into his 021 debs.

Merged; sending mail to weasel

Trac:
Status: needs_review to closed
Resolution: N/A to fixed

Trac:
Keywords: N/A deleted, tor-client added

Trac:
Component: Tor Client to Tor

Milestone Tor: 0.2.1.x-final deleted

Trac:
Milestone: Tor: 0.2.1.x-final to N/A

closed

mentioned in issue #4899 (closed)

moved to tpo/core/tor#4230 (closed)

smartlist functions contain bogus overflow checks

Child items ...

Activity