[tor-bugs] #22490 [Core Tor/Tor]: Stop using GeoIP country after buf has gone out of scope
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jun 5 15:06:27 UTC 2017
#22490: Stop using GeoIP country after buf has gone out of scope
-------------------------------------------------+-------------------------
Reporter: teor | Owner:
Type: defect | Status:
| merge_ready
Priority: Medium | Milestone: Tor:
| 0.3.1.x-final
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution:
Keywords: memory-safety 024-backport | Actual Points: 0
025-backport 026-backport 027-backport |
028-backport 029-backport 030-backport |
Parent ID: | Points: 0.2
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Changes (by teor):
* status: needs_review => merge_ready
Comment:
This fix looks good, and I think it should be backported to 0.2.4.
I also don't think it needs a new release, because we're not actually
overwriting country with the geoip_add_entry() stack. But we get within 6
bytes of overwriting it.
If the IPv6 addresses were both short, then the geoip_add_entry() stack
could overwrite `country`, and leak pointer values: it allocates 3
pointers on the stack (24 bytes on x86_64, 12 bytes on i386).
But the shortest line is 32 characters (did we have shorter lines in
earlier files?), which means that the earliest country could start is at
buf+30.
Ah, but wait: pointers must be aligned on word boundaries, and we've added
a call to geoip_add_entry() to the stack, as well as any registers we've
saved, and any stack smashing protection, any any other compiler
bookkeeping.
But I haven't been able to reproduce it locally using clang, macOS,
x86_64, and my diagnostic branch `assert-country` with the command
`src/or/tor DisableNetwork 1 GeoIPv6File src/config/geoip6`, even with two
2-character IPv6 addresses.
So I think this could trigger in rare circumstances, but common configs
are safe.
But remember those weird countries we were getting in some relay
descriptors?
Did we ever track that down?
This could be it.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22490#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list