[tor-bugs] #18089 [Tor]: Tor compiled with --enable-expensive-hardening leads to runtime errors (null pointer passing)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jan 19 00:29:03 UTC 2016
#18089: Tor compiled with --enable-expensive-hardening leads to runtime errors (null pointer passing)
----------------------------------------+----------------------------------
 Reporter:  gk                          |  Owner:
     Type:  defect                      |  Status:  needs_review
 Priority:  Medium                      |  Milestone:  Tor: 0.2.8.x-final
Component:  Tor                         |  Version:  Tor: 0.2.3.25
 Severity:  Critical                    |  Resolution:
 Keywords:  027-backport, 026-backport  |  Actual Points:
Parent ID:                              |  Points:
  Sponsor:                              |
----------------------------------------+----------------------------------
Changes (by teor):
* status: new => needs_review
* keywords: => 027-backport, 026-backport
* version: Tor: 0.2.7.6 => Tor: 0.2.3.25
* milestone: => Tor: 0.2.8.x-final
Comment:
memwipe() calls OPENSSL_cleanse() and memset() on a NULL pointer.
OPENSSL_cleanse() calls memchr() on a NULL pointer.
The impact of this bug depends on the exact semantics of the two system
calls when passed a NULL pointer, and likely differs on different
platforms. You'd think it wouldn't have any impact if the size argument
was zero, but as far as I can determine, tor never passes a 0 size to
memwipe().
However, plenty of Tor functions pass a NULL pointer to memwipe(). The
unit tests are full of them.
Please see my branch bug18089-v2 at https://github.com/teor2345/tor.git
It's based on maint-0.2.6.
It changes memwipe to do nothing if passed a NULL pointer, and asserts
that size is non-zero and not a likely underflow.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18089#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
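A hardened memwipe() along the lines teor describes (do nothing for NULL, refuse a zero or underflowed size), written here as an added example in C and not taken from the bug18089-v2 branch or Tor's own source. The `memwipe_checked` name, the result codes, and the volatile-memset stand-in for OPENSSL_cleanse() are assumptions of this example; the branch asserts where this code returns a code.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical result codes (not in Tor); the ticket's branch asserts instead. */
enum wipe_result { WIPE_DONE = 0, WIPE_SKIPPED_NULL = 1, WIPE_BAD_SIZE = 2 };

/* A size_t with its top bit set almost always comes from an unsigned
 * underflow such as (len - 1) with len == 0, not from a real buffer. */
static int size_looks_like_underflow(size_t sz)
{
    return sz > SIZE_MAX / 2;
}

/* memset() via a volatile pointer so the compiler cannot drop a wipe of
 * memory that is never read again (stand-in for OPENSSL_cleanse()). */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

/* Hardened memwipe: never hands NULL to memset()/memchr(), which is
 * undefined behaviour even with sz == 0 and is what UBSan reports. */
enum wipe_result memwipe_checked(void *mem, uint8_t byte, size_t sz)
{
    if (mem == NULL)
        return WIPE_SKIPPED_NULL;  /* nothing to wipe */
    if (sz == 0 || size_looks_like_underflow(sz))
        return WIPE_BAD_SIZE;      /* caller bug: refuse to touch memory */
    memset_ptr(mem, byte, sz);
    return WIPE_DONE;
}

/* Constructed 16-byte key: wipe it and return 1 if every byte is now zero. */
int demo_wipe_key(void)
{
    uint8_t key[16] = { 0x1f, 0x2e, 0x3d, 0x4c, 0x5b, 0x6a, 0x79, 0x88,
                        0x97, 0xa6, 0xb5, 0xc4, 0xd3, 0xe2, 0xf1, 0x00 };
    if (memwipe_checked(key, 0, sizeof key) != WIPE_DONE)
        return 0;
    for (size_t i = 0; i < sizeof key; i++)
        if (key[i] != 0)
            return 0;
    return 1;
}

/* Suspicious sizes must leave the buffer untouched; returns 1 on success. */
int demo_bad_sizes_leave_buffer(void)
{
    uint8_t buf[4] = { 1, 2, 3, 4 };
    if (memwipe_checked(buf, 0, 0) != WIPE_BAD_SIZE) return 0;
    if (memwipe_checked(buf, 0, (size_t)-1) != WIPE_BAD_SIZE) return 0;
    return buf[0] == 1 && buf[1] == 2 && buf[2] == 3 && buf[3] == 4;
}
```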