[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify

Subject: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Wed, 10 Feb 2016 10:21:56 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 10 Feb 2016 05:22:05 -0500
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#18296: Potential integer overflow and memory corruption in smartlist_heapify
-----------------------------+-----------------
     Reporter:  cypherpunks  |      Owner:
         Type:  defect       |     Status:  new
     Priority:  Medium       |  Milestone:
    Component:  Tor          |    Version:
     Severity:  Normal       |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |    Sponsor:
-----------------------------+-----------------
 The LEFT_CHILD/RIGHT_CHILD macros used in container.c::smartlist_heapify()
 can overflow.

 This can potentially result in using a negative array index in the
 smartlist memory block and writing to some out of bounds memory location.

 This is probably not currently exploitable, given the limited usage of
 smartlist_heapify. The places where it is used look hard to control for an
 attacker and the amount of memory required would likely be too much for
 Tor to be able to allocate.

 Tor should be built with ftrapv. Ticket 17983 looks like a bad idea.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18296>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Follow-Ups:
- Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #16558 [Tor]: Dir auths should vote about Invalid like they do about BadExit
Next by Author: Re: [tor-bugs] #17983 [Tor]: Build tor with -fwrapv by default
Previous by thread: Re: [tor-bugs] #2698 [Tor]: Tor static build issues with libevent
Next by thread: Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
Index(es):
- Author
- Thread