[tor-bugs] #19657 [Applications/Tor Browser]: ASan detects heap buffer overflow in Tor Browser 6.5a1 Hardened

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Jul 10 00:11:16 UTC 2016


#19657: ASan detects heap buffer overflow in Tor Browser 6.5a1 Hardened
------------------------------------------+----------------------
     Reporter:  cypherpunks               |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  High                      |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Major                     |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 Tor Browser 6.5a1 Hardened reliably triggers ASan when visiting
 https://www.facebook.com/messages/ with the message:


 {{{
 ==5786==ERROR: AddressSanitizer: heap-buffer-overflow on address
 0x7fff8d268000 at pc 0x7ffff6ef8d65 bp 0x7fff8a7563f0 sp 0x7fff8a755b98
 READ of size 9437184 at 0x7fff8d268000 thread T70 (DOM Worker)
 }}}


 I have also (once) seen a stack buffer underflow, again on the DOM Worker
 thread, using the same repro case:


 {{{
 ==5689==ERROR: AddressSanitizer: stack-buffer-underflow on address
 0x7fff919db9a0 at pc 0x7ffff6ef8d65 bp 0x7fff9838d3f0 sp 0x7fff9838cb98
 READ of size 9437184 at 0x7fff919db9a0 thread T69 (DOM Worker)
 }}}


 I have attached a symbolized backtrace for the heap overflow case and a
 partial (sorry!) backtrace of the underflow case.

 This may be related to #19515, but the crash looks different enough (DOM
 Worker thread vs Compositor thread) to warrant a new report.


 Steps to reproduce:
 1. Have Tor Browser 6.5a1 Hardened installed, low security level
 2. Navigate to https://www.facebook.com/messages/ (you will need a
 Facebook login for this)
 3. Wait a few seconds

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19657>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
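
An added triage example, not part of the original ticket or of Tor Browser's code: the two ASan headers quoted in the report are parsed and grouped by the fields they share (pc, access type, size, thread name), showing that the heap overflow and the stack underflow come from the same faulting access. The function names and the choice of grouping key are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# One ASan error header, after line wrapping has been undone.
HEADER = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address "
    r"(?P<addr>0x[0-9a-f]+) at pc (?P<pc>0x[0-9a-f]+) bp 0x[0-9a-f]+ "
    r"sp 0x[0-9a-f]+ (?P<access>READ|WRITE) of size (?P<size>\d+) at "
    r"0x[0-9a-f]+ thread (?P<tid>T\d+)(?: \((?P<tname>[^)]*)\))?"
)

def parse_header(text):
    """Return the fields of the first ASan header in text, or None."""
    m = HEADER.search(" ".join(text.split()))  # undo mail/log wrapping
    if m is None:
        return None
    rep = m.groupdict()
    rep["size"] = int(rep["size"])
    return rep

def signature(rep):
    # Assumed grouping key: ignore pid, thread number, faulting address and
    # error class, which vary with where the bad read happens to land.
    # If ASLR shifts pc between runs, key on the symbolized top frame instead.
    return (rep["pc"], rep["access"], rep["size"], rep["tname"])

def group_reports(texts):
    """Map each signature to the list of error classes seen with it."""
    groups = defaultdict(list)
    for text in texts:
        rep = parse_header(text)
        if rep is not None:
            groups[signature(rep)].append(rep["kind"])
    return dict(groups)

# Headers copied from the ticket above, wrapping preserved.
HEAP = """==5786==ERROR: AddressSanitizer: heap-buffer-overflow on address
 0x7fff8d268000 at pc 0x7ffff6ef8d65 bp 0x7fff8a7563f0 sp 0x7fff8a755b98
 READ of size 9437184 at 0x7fff8d268000 thread T70 (DOM Worker)"""
STACK = """==5689==ERROR: AddressSanitizer: stack-buffer-underflow on address
 0x7fff919db9a0 at pc 0x7ffff6ef8d65 bp 0x7fff9838d3f0 sp 0x7fff9838cb98
 READ of size 9437184 at 0x7fff919db9a0 thread T69 (DOM Worker)"""

if __name__ == "__main__":
    for sig, kinds in group_reports([HEAP, STACK]).items():
        print(sig, kinds)
```

Both headers fall into a single group: the read size is the same 9437184 bytes (exactly 9 MiB) at the same pc on a DOM Worker thread, and only the memory region the read runs into differs.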

