
Bug30040 035 #926

Merged
merged 2 commits into from Aug 12, 2019

@asn-d6 asn-d6 commented Apr 10, 2019

No description provided.

stoeckmann and others added 2 commits Apr 10, 2019
The function compat_getdelim_ is used for tor_getline if tor is compiled
on a system that lacks getline and getdelim. These systems should be
very rare, considering that getdelim is POSIX.

If this system is further a 32 bit architecture, it is possible to
trigger a double free with huge files.

If bufsiz has already been increased to 2 GB, the next chunk would
be 4 GB in size, which wraps around to 0 due to 32 bit limitations.

A realloc(*buf, 0) could be imagined as "free(*buf); return malloc(0);"
which therefore could return NULL. The code in question considers
that an error, but will keep the value of *buf pointing to already
freed memory.

The caller of tor_getline() would free the pointer again, therefore
leading to a double free.

This code can only be triggered in dirserv_read_measured_bandwidths
with a huge measured bandwidth list file on a system that actually
allows reaching 2 GB of space through realloc.

It is not possible to trigger this on Linux with glibc or other major
*BSD systems even in unit tests, because these systems cannot reach
that much memory due to memory fragmentation.

This patch is effectively based on the penetration test report of
cure53 for curl available at https://cure53.de/pentest-report_curl.pdf
and explained under section "CRL-01-007 Double-free in aprintf() via
unsafe size_t multiplication (Medium)".
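The failure mode the commit message describes, as an added illustration (constructed for this page, not tor's compat_getdelim_ or the literal code the PR changes): a 32-bit size computation that wraps 2 GB * 2 to 0, a buffer-growth helper in the shape that leaves *buf pointing at freed memory when realloc(*buf, 0) frees it and returns NULL, and a hardened helper that refuses the wrapping size and only commits *buf on success. The getline_from_string reader is a stand-in for the FILE*-based tor_getline path so the growth logic can run over an in-memory string; all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simulates the doubling step on a 32-bit size_t. 0x80000000 (2 GB) * 2
 * is 4 GB, which does not fit and wraps to 0: the value that turns the
 * following realloc() into a free(). */
uint32_t next_chunk_size_32(uint32_t bufsiz)
{
    return bufsiz * 2u;
}

/* Overflow-checked counterpart: reports failure instead of wrapping. */
int next_chunk_size_32_checked(uint32_t bufsiz, uint32_t *out)
{
    if (bufsiz > UINT32_MAX / 2)
        return -1;
    *out = bufsiz * 2u;
    return 0;
}

/* Buggy shape (a reconstruction of the pattern, not tor's code; never
 * called below because executing it with a wrapped size is undefined
 * behaviour). With new_size == 0, realloc(*buf, 0) may free *buf and
 * return NULL. The NULL is reported as an error, but *buf still holds the
 * freed address, so the caller's free(*buf) becomes a double free. */
int grow_buffer_dangling(char **buf, size_t *bufsiz)
{
    size_t new_size = *bufsiz * 2;        /* no overflow check */
    char *tmp = realloc(*buf, new_size);  /* new_size == 0 frees *buf */
    if (tmp == NULL)
        return -1;                        /* *buf now dangles */
    *buf = tmp;
    *bufsiz = new_size;
    return 0;
}

/* Hardened shape: refuse a size that would wrap, never hand 0 to realloc,
 * and leave *buf and *bufsiz untouched on failure so the caller's single
 * free(*buf) is valid on every path. */
int grow_buffer(char **buf, size_t *bufsiz)
{
    size_t new_size;
    if (*bufsiz > SIZE_MAX / 2)
        return -1;                        /* would wrap: fail cleanly */
    new_size = *bufsiz ? *bufsiz * 2 : 16;
    char *tmp = realloc(*buf, new_size);
    if (tmp == NULL)
        return -1;                        /* *buf unchanged, still valid */
    *buf = tmp;
    *bufsiz = new_size;
    return 0;
}

/* getline-style reader over an in-memory string (stand-in for the FILE*
 * path). Copies bytes up to and including '\n' into *buf, growing it via
 * grow_buffer as needed, and NUL-terminates. Returns the number of bytes
 * stored, or -1 on end of input or allocation failure. The caller owns
 * *buf and frees it exactly once, as the tor_getline caller does. */
long getline_from_string(const char *src, char **buf, size_t *bufsiz)
{
    size_t n = 0;
    for (;;) {
        /* Room for this byte plus the terminating NUL. */
        if (n + 2 > *bufsiz && grow_buffer(buf, bufsiz) != 0)
            return -1;
        char c = src[n];
        if (c == '\0')
            break;
        (*buf)[n++] = c;
        if (c == '\n')
            break;
    }
    (*buf)[n] = '\0';
    return n == 0 ? -1 : (long)n;
}
```

The two checks are independent: the size guard alone already prevents the wrapped 0 from reaching realloc, and the temporary-pointer discipline alone keeps *buf valid after an ordinary out-of-memory failure; the hardened helper needs both to make every failure path leave the caller with a pointer it may free once.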
@coveralls coveralls commented Apr 10, 2019

Pull Request Test Coverage Report for Build 4671

  • 0 of 1 (0.0%) changed or added relevant line in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 60.321%

Changes Missing Coverage    Covered Lines    Changed/Added Lines    %
src/ext/getdelim.c          0                1                      0.0%

Totals                      Coverage Status
Change from base Build 4665: 0.0%
Covered Lines: 42870
Relevant Lines: 71070

💛 - Coveralls

@torproject-pusher torproject-pusher merged commit 2cdc6b2 into torproject:maint-0.3.5 Aug 12, 2019
2 checks passed