[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #21278 [Core Tor/Tor]: Avoid signed integer underflow when comparing versions (Fix TROVE-2017-001) (was: Fix TROVE-2017-001)

Subject: Re: [tor-bugs] #21278 [Core Tor/Tor]: Avoid signed integer underflow when comparing versions (Fix TROVE-2017-001) (was: Fix TROVE-2017-001)
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Mon, 13 Feb 2017 19:14:30 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 13 Feb 2017 14:14:39 -0500
In-reply-to: <045.5dd33e67f27439bd6b289ce7246d7331@torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <045.5dd33e67f27439bd6b289ce7246d7331@torproject.org>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#21278: Avoid signed integer underflow when comparing versions (Fix TROVE-2017-001)
--------------------------+------------------------------------
 Reporter:  nickm         |          Owner:  nickm
     Type:  defect        |         Status:  needs_review
 Priority:  Medium        |      Milestone:  Tor: 0.3.0.x-final
Component:  Core Tor/Tor  |        Version:
 Severity:  Normal        |     Resolution:
 Keywords:  029-backport  |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+------------------------------------
Changes (by nickm):

 * status:  assigned => needs_review


Comment:

 The problem here is that nothing in our spec unambiguously prevents the
 components of versions being negative, and so the `if ((i = (a-b))) return
 i;` pattern we use in `tor_version_compare()` potentially underflows.

 This is bad when we may have -ftrapv or ubsan enabled: both of those turn
 signed underflow into a crash.  (And it's still undefined behavior in any
 case, which we should really try to prevent.)

 My branch `bug21278_024_v2` tries to fix this, with two approaches:
    * `tor_version_compare()` now uses unsigned arithmetic to produce the
 same results while avoiding undefined behavior.  This should mean -- if I
 coded it right -- that we don't have any visible behavior differences form
 before (except "not crashing").
    * `dirserv_get_status_impl()` now rejects incoming descriptors with
 negative versions, while leaving voting unchanged.  Changes to this
 function operate at a single authority, and don't require a change in the
 consensus method number.

 ---

 Additionally, I found two more cases where we use the `if ((i = (a-b)))
 return i;` pattern to implement a comparison function.  I believe that
 they are both safe, but somebody should look them over.  The fixes for
 those are in my `bug21278_024_v2_extra` branch, on top of my
 `bug21278_024_v2` branch.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21278#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #21441 [Internal Services/Tor Sysadmin Team]: Please update karsten's new PGP subkey
Next by Author: Re: [tor-bugs] #21489 [- Select a component]: reject request tor ip?
Previous by thread: Re: [tor-bugs] #10281 [Applications/Tor Browser]: Investigate usage of alternate memory allocators and memory hardening options
Next by thread: [tor-bugs] #21447 [Core Tor/Tor]: Rename 'make fuzz'
Index(es):
- Author
- Thread