Re: [tor-bugs] #18089 [Tor]: Tor compiled with --enable-expensive-hardening leads to runtime errors (null pointer passing)
#18089: Tor compiled with --enable-expensive-hardening leads to runtime errors (null pointer passing)
----------------------------------------+----------------------------------
Reporter: gk | Owner:
Type: defect | Status: needs_review
Priority: Medium | Milestone: Tor: 0.2.8.x-final
Component: Tor |
Severity: Critical | Version: Tor: 0.2.3.25
Keywords: 027-backport, 026-backport | Resolution:
Parent ID: | Actual Points:
Sponsor: | Points:
----------------------------------------+----------------------------------
Changes (by teor):
* status: new => needs_review
* keywords: => 027-backport, 026-backport
* version: Tor: 0.2.7.6 => Tor: 0.2.3.25
* milestone: => Tor: 0.2.8.x-final
Comment:
memwipe() calls OPENSSL_cleanse() and memset() on a NULL pointer.
OPENSSL_cleanse() calls memchr() on a NULL pointer.
The impact of this bug depends on the exact semantics of the two system
calls when passed a NULL pointer, and likely differs on different
platforms. You'd think it wouldn't have any impact if the size argument
was zero, but as far as I can determine, tor never passes a 0 size to
memwipe().
However, plenty of Tor functions pass a NULL pointer to memwipe(). The
unit tests are full of them.
Please see my branch bug18089-v2 at https://github.com/teor2345/tor.git
It's based on maint-0.2.6.
It changes memwipe to do nothing if passed a NULL pointer, and asserts
that size is non-zero and not a likely underflow.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18089#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
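As an added illustration (not teor's branch and not Tor's own memwipe()): a memwipe-style helper that applies the fix the comment describes, returning early on a NULL pointer and refusing a zero or underflowed size instead of handing either to memset(). The sanity threshold and the use of a return value rather than an assert are assumptions chosen so a test can observe the rejected calls.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

/* Largest size treated as plausible. A value above this almost certainly
 * came from an unsigned underflow (e.g. 0 - 1 == SIZE_MAX). The exact
 * threshold is an assumption for this example. */
#define WIPE_SIZE_SANITY_LIMIT (SIZE_MAX / 2)

/* Clear sz bytes at mem in a way the compiler cannot optimize away.
 * Returns false, touching nothing, on NULL, a zero size, or a size that
 * looks like an underflow. Those are exactly the argument combinations
 * that UBSan reports when they reach memset()/memchr(). */
bool
safe_memwipe(void *mem, size_t sz)
{
  if (mem == NULL)
    return false;               /* never hand NULL to memset()/memchr() */
  if (sz == 0 || sz > WIPE_SIZE_SANITY_LIMIT)
    return false;               /* zero or "negative" size: nothing to do */

  volatile unsigned char *p = (volatile unsigned char *)mem;
  while (sz--)
    *p++ = 0;                   /* volatile store: not elided as dead */
  return true;
}

/* Returns true when every byte of buf[0..len) is zero. */
bool
all_zero(const unsigned char *buf, size_t len)
{
  for (size_t i = 0; i < len; i++)
    if (buf[i] != 0)
      return false;
  return true;
}

/* Fill a 16-byte buffer with 0xAA, wipe it, and report whether the wipe
 * was accepted and left only zeros behind. */
bool
wipe_roundtrip(void)
{
  unsigned char buf[16];
  memset(buf, 0xAA, sizeof buf);
  return safe_memwipe(buf, sizeof buf) && all_zero(buf, sizeof buf);
}
```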