October 2016 - tor-commits - lists.torproject.org

[tor/master] Merge branch 'maint-0.2.8'
by nickm＠torproject.org 17 Oct '16

17 Oct '16

commit 1a7488106326d2327fc24f32b13979b7029b813b Merge: eae0c00 1df1143 Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Oct 17 14:51:45 2016 -0400 Merge branch 'maint-0.2.8' changes/buf-sentinel | 11 +++++++++++ src/or/buffers.c | 40 ++++++++++++++++++++++++++++++++-------- 2 files changed, 43 insertions(+), 8 deletions(-)

1 0

[tor/master] Add a one-word sentinel value of 0x0 at the end of each buf_t chunk
by nickm＠torproject.org 17 Oct '16

17 Oct '16

commit 3cea86eb2fbb65949673eb4ba8ebb695c87a57ce Author: Nick Mathewson <nickm(a)torproject.org> Date: Fri Oct 14 09:38:12 2016 -0400 Add a one-word sentinel value of 0x0 at the end of each buf_t chunk This helps protect against bugs where any part of a buf_t's memory is passed to a function that expects a NUL-terminated input. It also closes TROVE-2016-10-001 (aka bug 20384). --- changes/buf-sentinel | 11 +++++++++++ src/or/buffers.c | 40 ++++++++++++++++++++++++++++++++-------- 2 files changed, 43 insertions(+), 8 deletions(-) diff --git a/changes/buf-sentinel b/changes/buf-sentinel new file mode 100644 index 0000000..7c5b829 --- /dev/null +++ b/changes/buf-sentinel @@ -0,0 +1,11 @@ + o Major features (security fixes): + + - Prevent a class of security bugs caused by treating the contents + of a buffer chunk as if they were a NUL-terminated string. At + least one such bug seems to be present in all currently used + versions of Tor, and would allow an attacker to remotely crash + most Tor instances, especially those compiled with extra compiler + hardening. With this defense in place, such bugs can't crash Tor, + though we should still fix them as they occur. Closes ticket 20384 + (TROVE-2016-10-001). + diff --git a/src/or/buffers.c b/src/or/buffers.c index be99744..74aebcc 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@ -69,12 +69,33 @@ static int parse_socks_client(const uint8_t *data, size_t datalen, #define CHUNK_HEADER_LEN STRUCT_OFFSET(chunk_t, mem[0]) +/* We leave this many NUL bytes at the end of the buffer. */ +#define SENTINEL_LEN 4 + +/* Header size plus NUL bytes at the end */ +#define CHUNK_OVERHEAD (CHUNK_HEADER_LEN + SENTINEL_LEN) + /** Return the number of bytes needed to allocate a chunk to hold * memlen bytes. */ -#define CHUNK_ALLOC_SIZE(memlen) (CHUNK_HEADER_LEN + (memlen)) +#define CHUNK_ALLOC_SIZE(memlen) (CHUNK_OVERHEAD + (memlen)) /** Return the number of usable bytes in a chunk allocated with * malloc(memlen). */ -#define CHUNK_SIZE_WITH_ALLOC(memlen) ((memlen) - CHUNK_HEADER_LEN) +#define CHUNK_SIZE_WITH_ALLOC(memlen) ((memlen) - CHUNK_OVERHEAD) + +#define DEBUG_SENTINEL + +#ifdef DEBUG_SENTINEL +#define DBG_S(s) s +#else +#define DBG_S(s) (void)0 +#endif + +#define CHUNK_SET_SENTINEL(chunk, alloclen) do { \ + uint8_t *a = (uint8_t*) &(chunk)->mem[(chunk)->memlen]; \ + DBG_S(uint8_t *b = &((uint8_t*)(chunk))[(alloclen)-SENTINEL_LEN]); \ + DBG_S(tor_assert(a == b)); \ + memset(a,0,SENTINEL_LEN); \ + } while (0) /** Return the next character in chunk onto which data can be appended. * If the chunk is full, this might be off the end of chunk->mem. */ @@ -131,6 +152,7 @@ chunk_new_with_alloc_size(size_t alloc) ch->memlen = CHUNK_SIZE_WITH_ALLOC(alloc); total_bytes_allocated_in_chunks += alloc; ch->data = &ch->mem[0]; + CHUNK_SET_SENTINEL(ch, alloc); return ch; } @@ -140,18 +162,20 @@ static INLINE chunk_t * chunk_grow(chunk_t *chunk, size_t sz) { off_t offset; - size_t memlen_orig = chunk->memlen; + const size_t memlen_orig = chunk->memlen; + const size_t orig_alloc = CHUNK_ALLOC_SIZE(memlen_orig); + const size_t new_alloc = CHUNK_ALLOC_SIZE(sz); tor_assert(sz > chunk->memlen); offset = chunk->data - chunk->mem; - chunk = tor_realloc(chunk, CHUNK_ALLOC_SIZE(sz)); + chunk = tor_realloc(chunk, new_alloc); chunk->memlen = sz; chunk->data = chunk->mem + offset; #ifdef DEBUG_CHUNK_ALLOC - tor_assert(chunk->DBG_alloc == CHUNK_ALLOC_SIZE(memlen_orig)); - chunk->DBG_alloc = CHUNK_ALLOC_SIZE(sz); + tor_assert(chunk->DBG_alloc == orig_alloc); + chunk->DBG_alloc = new_alloc; #endif - total_bytes_allocated_in_chunks += - CHUNK_ALLOC_SIZE(sz) - CHUNK_ALLOC_SIZE(memlen_orig); + total_bytes_allocated_in_chunks += new_alloc - orig_alloc; + CHUNK_SET_SENTINEL(chunk, new_alloc); return chunk; }

1 0

[tor/master] Merge branch 'maint-0.2.8'
by nickm＠torproject.org 17 Oct '16

17 Oct '16

commit 3b6f924e507d15fc7290649738048db9c79ec70d Merge: 52b2b2c 0fa3811 Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Oct 17 14:57:44 2016 -0400 Merge branch 'maint-0.2.8' ("ours" merge to avoid taking version bump)

1 0

[tor/release-0.2.8] Merge branch 'maint-0.2.8' into release-0.2.8
by nickm＠torproject.org 17 Oct '16

17 Oct '16

commit 4d1e39b21b961c574a8832d2698c66dc0f9614fa Merge: d579528 1df1143 Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Oct 17 14:51:29 2016 -0400 Merge branch 'maint-0.2.8' into release-0.2.8 changes/buf-sentinel | 11 +++++++++++ src/or/buffers.c | 40 ++++++++++++++++++++++++++++++++-------- 2 files changed, 43 insertions(+), 8 deletions(-)

1 0

[tor/release-0.2.8] Merge branch 'buf_sentinel_026_v2' into maint-0.2.8
by nickm＠torproject.org 17 Oct '16

17 Oct '16

commit 1df114330e6c11865f0283772395ef02359ba5a0 Merge: ab98c43 3cea86e Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Oct 17 14:51:06 2016 -0400 Merge branch 'buf_sentinel_026_v2' into maint-0.2.8 changes/buf-sentinel | 11 +++++++++++ src/or/buffers.c | 40 ++++++++++++++++++++++++++++++++-------- 2 files changed, 43 insertions(+), 8 deletions(-)

1 0

[tor/master] Fold 20384 into changelog
by nickm＠torproject.org 17 Oct '16

17 Oct '16

commit 52b2b2c82f304629eb1128ed46fdd6edeba7eb67 Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Oct 17 14:55:05 2016 -0400 Fold 20384 into changelog --- ChangeLog | 30 +++++++++++++++++++++++------- changes/buf-sentinel | 11 ----------- 2 files changed, 23 insertions(+), 18 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5bf4ebd..aa9aace 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,11 +1,27 @@ Changes in version 0.2.9.4-alpha - 2016-10-17 - Tor 0.2.9.4-alpha adds numerous small features and fix-ups to previous - versions of Tor, including the implementation of a feature to future- - proof the Tor ecosystem against protocol changes, some bug fixes - necessary for Tor Browser to use unix domain sockets correctly, and - several portability improvements. We anticipate that this will be the - last alpha in the Tor 0.2.9 series, and that the next release will be - a release candidate. + Tor 0.2.9.4-alpha fixes a security hole in previous versions of Tor + that would allow a remote attacker to crash a Tor client, hidden + service, relay, or authority. All Tor users should upgrade to this + version, or to 0.2.8.9. Patches will be released for older versions + of Tor. + + Tor 0.2.9.4-alpha also adds numerous small features and fix-ups to + previous versions of Tor, including the implementation of a feature to + future- proof the Tor ecosystem against protocol changes, some bug + fixes necessary for Tor Browser to use unix domain sockets correctly, + and several portability improvements. We anticipate that this will be + the last alpha in the Tor 0.2.9 series, and that the next release will + be a release candidate. + + o Major features (security fixes): + - Prevent a class of security bugs caused by treating the contents + of a buffer chunk as if they were a NUL-terminated string. At + least one such bug seems to be present in all currently used + versions of Tor, and would allow an attacker to remotely crash + most Tor instances, especially those compiled with extra compiler + hardening. With this defense in place, such bugs can't crash Tor, + though we should still fix them as they occur. Closes ticket + 20384 (TROVE-2016-10-001). o Major features (subprotocol versions): - Tor directory authorities now vote on a set of recommended diff --git a/changes/buf-sentinel b/changes/buf-sentinel deleted file mode 100644 index 7c5b829..0000000 --- a/changes/buf-sentinel +++ /dev/null @@ -1,11 +0,0 @@ - o Major features (security fixes): - - - Prevent a class of security bugs caused by treating the contents - of a buffer chunk as if they were a NUL-terminated string. At - least one such bug seems to be present in all currently used - versions of Tor, and would allow an attacker to remotely crash - most Tor instances, especially those compiled with extra compiler - hardening. With this defense in place, such bugs can't crash Tor, - though we should still fix them as they occur. Closes ticket 20384 - (TROVE-2016-10-001). -

1 0

[tor/master] bump to 0.2.8.9
by nickm＠torproject.org 17 Oct '16

17 Oct '16

commit 0fa3811c787ed4d80f395bbf464271d3cbb2852e Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Oct 17 14:57:26 2016 -0400 bump to 0.2.8.9 --- configure.ac | 2 +- contrib/win32build/tor-mingw.nsi.in | 2 +- src/win32/orconfig.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 3c80e71..37827d6 100644 --- a/configure.ac +++ b/configure.ac @@ -4,7 +4,7 @@ dnl Copyright (c) 2007-2015, The Tor Project, Inc. dnl See LICENSE for licensing information AC_PREREQ([2.63]) -AC_INIT([tor],[0.2.8.8-dev]) +AC_INIT([tor],[0.2.8.9]) AC_CONFIG_SRCDIR([src/or/main.c]) AC_CONFIG_MACRO_DIR([m4]) diff --git a/contrib/win32build/tor-mingw.nsi.in b/contrib/win32build/tor-mingw.nsi.in index 25998d4..59cb381 100644 --- a/contrib/win32build/tor-mingw.nsi.in +++ b/contrib/win32build/tor-mingw.nsi.in @@ -8,7 +8,7 @@ !include "LogicLib.nsh" !include "FileFunc.nsh" !insertmacro GetParameters -!define VERSION "0.2.8.8-dev" +!define VERSION "0.2.8.9" !define INSTALLER "tor-${VERSION}-win32.exe" !define WEBSITE "https://www.torproject.org/" !define LICENSE "LICENSE" diff --git a/src/win32/orconfig.h b/src/win32/orconfig.h index 56def12..2b98d1c 100644 --- a/src/win32/orconfig.h +++ b/src/win32/orconfig.h @@ -229,7 +229,7 @@ #define USING_TWOS_COMPLEMENT /* Version number of package */ -#define VERSION "0.2.8.8-dev" +#define VERSION "0.2.8.9"

1 0

[tor/release-0.2.8] Merge branch 'maint-0.2.8' into release-0.2.8
by nickm＠torproject.org 17 Oct '16

17 Oct '16

commit 3e920a3468f5c99bff6a3045133f001a1871d0fe Merge: 4d1e39b 0fa3811 Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Oct 17 14:57:33 2016 -0400 Merge branch 'maint-0.2.8' into release-0.2.8 configure.ac | 2 +- contrib/win32build/tor-mingw.nsi.in | 2 +- src/win32/orconfig.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)

1 0

[tor/master] release-notes for 0.2.8.9
by nickm＠torproject.org 17 Oct '16

17 Oct '16

commit 8b0755c9bb296ae210e83b88e099d52e40b6f2aa Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Oct 17 15:00:58 2016 -0400 release-notes for 0.2.8.9 --- ReleaseNotes | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/ReleaseNotes b/ReleaseNotes index 5361787..af61a4d 100644 --- a/ReleaseNotes +++ b/ReleaseNotes @@ -2,6 +2,28 @@ This document summarizes new features and bugfixes in each stable release of Tor. If you want to see more detailed descriptions of the changes in each development snapshot, see the ChangeLog file. +Changes in version 0.2.8.9 - 2016-10-17 + Tor 0.2.8.9 backports a fix for a security hole in previous versions + of Tor that would allow a remote attacker to crash a Tor client, + hidden service, relay, or authority. All Tor users should upgrade to + this version, or to 0.2.9.4-alpha. Patches will be released for older + versions of Tor. + + o Major features (security fixes, also in 0.2.9.4-alpha): + - Prevent a class of security bugs caused by treating the contents + of a buffer chunk as if they were a NUL-terminated string. At + least one such bug seems to be present in all currently used + versions of Tor, and would allow an attacker to remotely crash + most Tor instances, especially those compiled with extra compiler + hardening. With this defense in place, such bugs can't crash Tor, + though we should still fix them as they occur. Closes ticket + 20384 (TROVE-2016-10-001). + + o Minor features (geoip): + - Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2 + Country database. + + Changes in version 0.2.8.8 - 2016-09-23 Tor 0.2.8.8 fixes two crash bugs present in previous versions of the 0.2.8.x series. Relays running 0.2.8.x should upgrade, as should users

1 0

[tor/release-0.2.8] bump to 0.2.8.9
by nickm＠torproject.org 17 Oct '16

17 Oct '16

commit 0fa3811c787ed4d80f395bbf464271d3cbb2852e Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Oct 17 14:57:26 2016 -0400 bump to 0.2.8.9 --- configure.ac | 2 +- contrib/win32build/tor-mingw.nsi.in | 2 +- src/win32/orconfig.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 3c80e71..37827d6 100644 --- a/configure.ac +++ b/configure.ac @@ -4,7 +4,7 @@ dnl Copyright (c) 2007-2015, The Tor Project, Inc. dnl See LICENSE for licensing information AC_PREREQ([2.63]) -AC_INIT([tor],[0.2.8.8-dev]) +AC_INIT([tor],[0.2.8.9]) AC_CONFIG_SRCDIR([src/or/main.c]) AC_CONFIG_MACRO_DIR([m4]) diff --git a/contrib/win32build/tor-mingw.nsi.in b/contrib/win32build/tor-mingw.nsi.in index 25998d4..59cb381 100644 --- a/contrib/win32build/tor-mingw.nsi.in +++ b/contrib/win32build/tor-mingw.nsi.in @@ -8,7 +8,7 @@ !include "LogicLib.nsh" !include "FileFunc.nsh" !insertmacro GetParameters -!define VERSION "0.2.8.8-dev" +!define VERSION "0.2.8.9" !define INSTALLER "tor-${VERSION}-win32.exe" !define WEBSITE "https://www.torproject.org/" !define LICENSE "LICENSE" diff --git a/src/win32/orconfig.h b/src/win32/orconfig.h index 56def12..2b98d1c 100644 --- a/src/win32/orconfig.h +++ b/src/win32/orconfig.h @@ -229,7 +229,7 @@ #define USING_TWOS_COMPLEMENT /* Version number of package */ -#define VERSION "0.2.8.8-dev" +#define VERSION "0.2.8.9"

1 0