[tor-bugs] #8844 [- Select a component]: Buffer overflow in get_freelist

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed May 8 11:27:19 UTC 2013


#8844: Buffer overflow in get_freelist
----------------------------------+-----------------------------------------
 Reporter:  eugenis               |          Owner:                     
     Type:  defect                |         Status:  new                
 Priority:  major                 |      Milestone:                     
Component:  - Select a component  |        Version:  Tor: 0.2.4.12-alpha
 Keywords:                        |         Parent:                     
   Points:                        |   Actualpoints:                     
----------------------------------+-----------------------------------------
 get_freelist() walks the global freelist looking for a matching slot, and
 then falls off the end.
 freelist uses a (0, ...) record to mark the end of the list, but
 get_freelist() never checks for it.


 ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f4883a23238
 at pc 0x7f4882eaaf48 bp 0x7fff9aa39c30 sp 0x7fff9aa39c28
 READ of size 8 at 0x7f4883a23238 thread T0
     #0 0x7f4882eaaf47 in get_freelist  src/or/buffers.c:151
     #1 0x7f4882eaa5a0 in chunk_new_with_alloc_size
 src/or/buffers.c:189:14
     #2 0x7f4882e86d85 in buf_add_chunk_with_capacity
 src/or/buffers.c:602:13
     #3 0x7f4882e8df20 in write_to_buf  src/or/buffers.c:949
     #4 0x7f488298357c in test_buffers  src/test/test.c:738
     #5 0x7f488294048e in legacy_test_helper  src/test/test.c:1971
     #6 0x7f4882e69bac in testcase_run_bare_  src/ext/tinytest.c:89
     #7 0x7f4882e685a8 in testcase_run_one  src/ext/tinytest.c:224
     #8 0x7f4882e6c953 in tinytest_main  src/ext/tinytest.c:347
     #9 0x7f4882941be2 in main  src/test/test.c:2118
     #10 0x7f4880e7076c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
     #11 0x7f488293f4dc ( src/test/test+0x1434dc)
 0x7f4883a23238 is located 0 bytes to the right of global variable
 'freelists' from 'src/or/buffers.c' (0x7f4883a23120) of size 280


 FYI, to reproduce this report, build Tor with clang 3.2 (or newer)
 CC=/code/llvm/build/bin/clang \
 CXX=/code/llvm/build/bin/clang++ \
 CFLAGS="-fsanitize=address -g -O0" \
 LDFLAGS=-fsanitize=address \
   ./configure
   make
   src/test/test
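
The pattern the ticket describes, as an added illustration that is not Tor's buffers.c: a table of freelist records terminated by an entry whose size field is 0, with an unchecked walk (which, for a size absent from the table, steps past the sentinel and reads beyond the global array, exactly the "0 bytes to the right of global variable 'freelists'" read in the AddressSanitizer report above) next to a walk that stops at the sentinel. The structure layout, the field names and the function names are assumptions made for the example, not Tor's own.

```c
/* Added example, not code from the Tor project. The record layout and the
 * names chunk_freelist_t, freelists, get_freelist_unchecked and
 * get_freelist_checked are hypothetical. */
#include <stddef.h>
#include <stdio.h>

typedef struct chunk_freelist_t {
    size_t alloc_size;  /* chunk size this list serves; 0 marks the end of the table */
    int max_length;     /* how many chunks the list may hold */
    void *head;         /* first free chunk (unused in this example) */
} chunk_freelist_t;

/* Constructed sample table: three live lists followed by the (0, ...) sentinel. */
chunk_freelist_t freelists[] = {
    { 4096,  16, NULL },
    { 8192,   8, NULL },
    { 16384,  4, NULL },
    { 0,      0, NULL }   /* terminator record */
};

/* The defective shape: the loop only exits on a match. For a size that is in
 * the table it works; for one that is not, it walks through the sentinel and
 * past the end of 'freelists' (an out-of-bounds read, undefined behaviour).
 * Kept only for comparison; nothing here calls it with an unlisted size. */
chunk_freelist_t *get_freelist_unchecked(size_t alloc)
{
    for (int i = 0; ; ++i) {
        if (freelists[i].alloc_size == alloc)
            return &freelists[i];
    }
}

/* The fixed shape: the sentinel ends the walk, and an unlisted size is
 * reported as "no such freelist" rather than read off the end of the array. */
chunk_freelist_t *get_freelist_checked(size_t alloc)
{
    for (int i = 0; freelists[i].alloc_size != 0; ++i) {
        if (freelists[i].alloc_size == alloc)
            return &freelists[i];
    }
    return NULL;
}

int main(void)
{
    size_t sizes[] = { 8192, 100 };  /* one listed size, one that is not */
    for (size_t k = 0; k < sizeof sizes / sizeof sizes[0]; ++k) {
        chunk_freelist_t *fl = get_freelist_checked(sizes[k]);
        if (fl)
            printf("size %zu: freelist with max_length %d\n", sizes[k], fl->max_length);
        else
            printf("size %zu: no freelist (stopped at sentinel)\n", sizes[k]);
    }
    return 0;
}
```

Callers of the checked version must handle the NULL result, which is the second half of the fix: the lookup stopping at the sentinel only helps if the code that allocates a chunk then falls back to a plain allocation instead of dereferencing the missing list. Building with `-fsanitize=address` as shown in the ticket is what turns the unchecked walk's silent over-read into the hard report quoted above.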

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8844>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

