[tor-bugs] #24082 [Core Tor/Tor]: uninitialized value in networkstatus_parse_vote_from_string() via fuzz_consensus.c

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Oct 30 20:37:55 UTC 2017


#24082: uninitialized value in networkstatus_parse_vote_from_string() via
fuzz_consensus.c
------------------------------+--------------------------------
     Reporter:  catalyst      |      Owner:  (none)
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:  Tor: 0.3.3.x-final
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+--------------------------------
 Brian Carpenter (Geeknik Labs) reported this MemorySanitizer warning
 (clang-6.0.0-trunk) via HackerOne report_id 276253:

 {{{
 ==27381==WARNING: MemorySanitizer: use-of-uninitialized-value
     #0 0x555dedc903dc in networkstatus_parse_vote_from_string /root/tor/src/or/routerparse.c:3533:7
     #1 0x555ded737b33 in fuzz_main /root/tor/src/test/fuzz/fuzz_consensus.c:66:8
     #2 0x555ded736fc0 in main /root/tor/src/test/fuzz/fuzzing_common.c:179:3
     #3 0x7f0d938633f0 in __libc_start_main /build/glibc-mXZSwJ/glibc-2.24/csu/../csu/libc-start.c:291
     #4 0x555ded6c4a19 in _start (/root/tor/src/test/fuzz/fuzz-consensus+0x71a19)

   Uninitialized value was created by a heap allocation
     #0 0x555ded6ed77d in __interceptor_malloc (/root/tor/src/test/fuzz/fuzz-consensus+0x9a77d)
     #1 0x555dedf94f27 in tor_malloc_ /root/tor/src/common/util.c:150:12
     #2 0x555ded7373aa in global_init /root/tor/src/test/fuzz/fuzzing_common.c:110:18
     #3 0x555ded73689a in main /root/tor/src/test/fuzz/fuzzing_common.c:140:3
     #4 0x7f0d938633f0 in __libc_start_main /build/glibc-mXZSwJ/glibc-2.24/csu/../csu/libc-start.c:291

 SUMMARY: MemorySanitizer: use-of-uninitialized-value /root/tor/src/or/routerparse.c:3533:7 in networkstatus_parse_vote_from_string
 Exiting
 }}}

 By code inspection this appears to be an actual uninitialized value that's
 specific to the fuzzing support framework.

 `global_init()` allocates `mock_options` using `tor_malloc()` rather than
 `tor_malloc_zero()`, so it's entirely uninitialized, and nothing else I
 see initializes it afterward. `networkstatus_parse_vote_from_string()`
 then retrieves it using `get_options()->TestingTorNetwork` (and doesn't
 check any other fields).

 I think we should fix this to reduce the noise produced by static
 analyzers and sanitizers.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24082>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
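
The allocation pattern the ticket describes, as an added stand-alone example that is not Tor's code and is not part of the report above: a mock options struct allocated with a plain malloc() wrapper (the `global_init()` bug) beside the zeroed allocation the ticket proposes, and a consumer that branches on `TestingTorNetwork` the way the parser does. The identifiers `tor_malloc_`, `tor_malloc_zero_`, `get_options` and `mock_options` follow the names in the report, but their bodies here are ours; the struct layout, `MockUnusedField`, `global_init_buggy`, `global_init_fixed`, `global_cleanup`, `parse_vote_testing_branch`, `mock_options_fully_zeroed` and the `DEMO_BUGGY` macro are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the subset of Tor's or_options_t the fuzzer's mock options
 * would need here (assumed layout).  TestingTorNetwork is the one field the
 * ticket says networkstatus_parse_vote_from_string() reads. */
typedef struct mock_options_t {
  int TestingTorNetwork;
  int MockUnusedField;  /* any further field is equally garbage after malloc() */
} mock_options_t;

static mock_options_t *mock_options = NULL;

/* Stand-ins for Tor's tor_malloc()/tor_malloc_zero() (bodies are ours):
 * abort on allocation failure; only the _zero variant clears the memory. */
static void *tor_malloc_(size_t size) {
  void *p = malloc(size);
  if (!p) abort();
  return p;
}
static void *tor_malloc_zero_(size_t size) {
  void *p = calloc(1, size);
  if (!p) abort();
  return p;
}

/* The pattern the ticket describes in fuzzing_common.c's global_init():
 * allocate with tor_malloc() and never write the fields.  Every field holds
 * whatever the heap held, and MemorySanitizer tracks it as uninitialized. */
static void global_init_buggy(void) {
  mock_options = tor_malloc_(sizeof(*mock_options));
}

/* The fix the ticket proposes: tor_malloc_zero() makes every field a
 * well-defined 0 until a test deliberately sets it. */
static void global_init_fixed(void) {
  mock_options = tor_malloc_zero_(sizeof(*mock_options));
}

static void global_cleanup(void) {
  free(mock_options);
  mock_options = NULL;
}

/* Stand-in for get_options(): the fuzzer hands the parser the mock struct. */
static const mock_options_t *get_options(void) {
  return mock_options;
}

/* Stand-in for the branch in networkstatus_parse_vote_from_string() that
 * consults TestingTorNetwork: 1 on the testing-network path, 0 otherwise.
 * After global_init_buggy() this condition is the read that MSan reports
 * as use-of-uninitialized-value (routerparse.c:3533 in the ticket). */
static int parse_vote_testing_branch(void) {
  if (get_options()->TestingTorNetwork)
    return 1;
  return 0;
}

/* Check worth keeping in a fuzzer's init path: after the fix every byte of
 * the mock options is zero, so no later read depends on heap history. */
static int mock_options_fully_zeroed(void) {
  const unsigned char *b = (const unsigned char *)mock_options;
  size_t i;
  for (i = 0; i < sizeof(*mock_options); i++)
    if (b[i] != 0)
      return 0;
  return 1;
}

int main(void) {
#ifdef DEMO_BUGGY
  /* Build with: clang -fsanitize=memory -g -DDEMO_BUGGY example.c
   * MSan then reports use-of-uninitialized-value on the branch below,
   * with the allocation site pointing at global_init_buggy(). */
  global_init_buggy();
#else
  global_init_fixed();
#endif
  int testing = parse_vote_testing_branch();
  int zeroed = mock_options_fully_zeroed();
  printf("testing_branch=%d fully_zeroed=%d\n", testing, zeroed);
  global_cleanup();
  return 0;
}
```

The default build takes the fixed path, so the program is well-defined and prints `testing_branch=0 fully_zeroed=1`; the `DEMO_BUGGY` build reproduces the class of warning in the ticket under MemorySanitizer without needing the Tor tree. Note that a zeroed allocation is only the right fix when 0 is the intended default for every field the code under test reads; where it is not, the init path must set those fields explicitly.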