[tor-bugs] #27741 [Core Tor/Tor]: too many arguments in rust protover_compute_vote()

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Sep 17 06:46:52 UTC 2018


#27741: too many arguments in rust protover_compute_vote()
-----------------------------------------------+---------------------------
 Reporter:  cyberpunks                         |          Owner:  (none)
     Type:  defect                             |         Status:  new
 Priority:  Medium                             |      Milestone:  Tor:
                                               |  0.3.5.x-final
Component:  Core Tor/Tor                       |        Version:  Tor:
                                               |  0.3.3.6
 Severity:  Normal                             |     Resolution:
 Keywords:  035-must, protover, memory-safety  |  Actual Points:
Parent ID:                                     |         Points:
 Reviewer:                                     |        Sponsor:
-----------------------------------------------+---------------------------
Changes (by teor):

 * keywords:   => 035-must, protover, memory-safety
 * milestone:   => Tor: 0.3.5.x-final


Comment:

 There is no consensus method 29:
 https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt#n2877
 https://github.com/torproject/tor/blob/master/src/feature/dirauth/dirvote.h#L78

 Instead, we decided to unconditionally reject relay descriptors, votes,
 and consensuses containing long protocol names.

 It looks like we merged an old version of the Rust fix. It is possible
 that we updated the C fix to unconditionally reject bad documents, but
 never updated the Rust fix to match.

 > The C code never added this 3rd argument and only calls it with 2, which
 > can't be safe.

 In most calling conventions, Rust will read a register for the 3rd
 argument, but C hasn't initialised that register. Then the arbitrary (or
 uninitialised) value read from the register will be interpreted as a
 boolean.

 This could cause a crash due to a register poison exception on some
 platforms. But on x86_64, I *think* it will just result in an arbitrary
 choice between validated and unvalidated.

 We should fix this issue in 0.3.5, and backport.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27741#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
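
The arity mismatch described in the comment above is invisible to both compilers, because the C prototype and the Rust `extern "C"` definition are checked separately. The following is an added example, not code from the ticket or from the Tor source tree: a small lint that compares parameter counts across the FFI boundary. The sample header and Rust source are constructed; `extra_flag`, `hypothetical_matching_fn` and all parameter names and types are assumptions.

```python
import re

# Constructed inputs mirroring the mismatch in the ticket; parameter names
# and types are illustrative, not copied from the Tor source tree.
C_HEADER = """
char *protover_compute_vote(const smartlist_t *list_of_proto_strings,
                            int threshold);
int hypothetical_matching_fn(const char *s, char **missing);
"""
RUST_SRC = """
#[no_mangle]
pub extern "C" fn protover_compute_vote(
    list: *const Stringlist,
    threshold: c_int,
    extra_flag: bool,
) -> *mut c_char { unimplemented!() }

#[no_mangle]
pub extern "C" fn hypothetical_matching_fn(
    s: *const c_char,
    missing_out: *mut *mut c_char,
) -> c_int { unimplemented!() }
"""

# Both patterns assume no nested parentheses in the parameter list
# (no function-pointer parameters); enough for flat FFI signatures.
C_PROTO = re.compile(r"\b(\w+)\s*\(([^()]*)\)\s*;")
RUST_FN = re.compile(r'extern\s+"C"\s+fn\s+(\w+)\s*\(([^()]*)\)')

def count_params(params: str) -> int:
    """Count comma-separated parameters; '' and C's '(void)' mean zero."""
    parts = [p.strip() for p in params.split(",")]
    parts = [p for p in parts if p]          # drops Rust's trailing comma
    return 0 if parts in ([], ["void"]) else len(parts)

def arities(pattern: re.Pattern, text: str) -> dict:
    """Map each function name found by `pattern` to its parameter count."""
    return {name: count_params(params) for name, params in pattern.findall(text)}

def ffi_arity_mismatches(c_header: str, rust_src: str) -> list:
    """Return (name, c_arity, rust_arity) for every shared symbol that disagrees."""
    c_side, rust_side = arities(C_PROTO, c_header), arities(RUST_FN, rust_src)
    return sorted((n, c_side[n], rust_side[n])
                  for n in c_side.keys() & rust_side.keys()
                  if c_side[n] != rust_side[n])

if __name__ == "__main__":
    for name, c_n, rust_n in ffi_arity_mismatches(C_HEADER, RUST_SRC):
        print(f"{name}: C declares {c_n} args, Rust defines {rust_n}")
```

A check like this only catches count mismatches; generating the header from the Rust side (or the bindings from the C side) also keeps the types in agreement.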

