Opened 7 years ago

Closed 7 years ago

#8844 closed defect (fixed)

Buffer overflow in get_freelist

Reported by: eugenis Owned by: nickm
Priority: High Milestone: Tor: 0.2.4.x-final
Component: Core Tor/Tor Version: Tor:
Severity: Keywords: 023-backport tor-relay
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


get_freelist() walks the global freelist looking for an matching slot, and then falls off the end.
freelist uses a (0, ...) record to mark the end of the list, but get_freelist() never checks for it.

ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f4883a23238 at pc 0x7f4882eaaf48 bp 0x7fff9aa39c30 sp 0x7fff9aa39c28
READ of size 8 at 0x7f4883a23238 thread T0

#0 0x7f4882eaaf47 in get_freelist src/or/buffers.c:151
#1 0x7f4882eaa5a0 in chunk_new_with_alloc_size src/or/buffers.c:189:14
#2 0x7f4882e86d85 in buf_add_chunk_with_capacity src/or/buffers.c:602:13
#3 0x7f4882e8df20 in write_to_buf src/or/buffers.c:949
#4 0x7f488298357c in test_buffers src/test/test.c:738
#5 0x7f488294048e in legacy_test_helper src/test/test.c:1971
#6 0x7f4882e69bac in testcase_run_bare_ src/ext/tinytest.c:89
#7 0x7f4882e685a8 in testcase_run_one src/ext/tinytest.c:224
#8 0x7f4882e6c953 in tinytest_main src/ext/tinytest.c:347
#9 0x7f4882941be2 in main src/test/test.c:2118
#10 0x7f4880e7076c (/lib/x86_64-linux-gnu/
#11 0x7f488293f4dc ( src/test/test+0x1434dc)

0x7f4883a23238 is located 0 bytes to the right of global variable 'freelists' from 'src/or/buffers.c' (0x7f4883a23120) of size 280

FYI, to reproduce this report, build Tor with clang 3.2 (or newer)
CC=/code/llvm/build/bin/clang \
CXX=/code/llvm/build/bin/clang++ \
CFLAGS="-fsanitize=address -g -O0" \
LDFLAGS=-fsanitize=address \


Child Tickets

Change History (5)

comment:1 Changed 7 years ago by nickm

Component: - Select a componentTor
Keywords: 023-backport tor-relay added
Milestone: Tor: 0.2.4.x-final
Owner: set to nickm
Status: newaccepted

comment:2 Changed 7 years ago by nickm

Status: acceptedneeds_review

There's a fix in branch "bug8844" in my public repository at . It's against the maint-0.2.3 branch, and should merge forward cleanly.

comment:3 in reply to:  2 Changed 7 years ago by asn

Replying to nickm:

There's a fix in branch "bug8844" in my public repository at . It's against the maint-0.2.3 branch, and should merge forward cleanly.

Fix looks good to me. I didn't find any other places in buffers.c iterating freelists in a weird way either.

Maybe we should mention 'eugenis' in the changes file too? Is there a nice way of adding a unit test to validate this fix?

comment:4 Changed 7 years ago by nickm

Tweaked in branch "bug8844_v2".

comment:5 Changed 7 years ago by nickm

Resolution: fixed
Status: needs_reviewclosed

Merged into 0.2.3 and later.

Note: See TracTickets for help on using tickets.