[tor-bugs] #24400 [Core Tor/Tor]: Seccomp filter incorrectly tries to act on strings, allowing sandbox bypass
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Dec 4 11:13:33 UTC 2017
#24400: Seccomp filter incorrectly tries to act on strings, allowing sandbox bypass
--------------------------+------------------------------------
Reporter: Sebastian | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone: Tor: 0.3.3.x-final
Component: Core Tor/Tor | Version:
Severity: Major | Resolution:
Keywords: sandbox | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------+------------------------------------
Comment (by cypherpunks):
In case it's necessary, another PoC showing that `.rodata`, not just the
heap, can be written to:
{{{
$ cat rodata.c
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
int main(void)
{
    /* A zero-initialised const array is placed in .rodata by the compiler. */
    static const unsigned char rodata[4096] = { 0 };
    /* Round down to the start of the page holding the array (4 KiB pages assumed). */
    uintptr_t page_base = (uintptr_t)rodata & ~(uintptr_t)4095;
    /* Make every page the array touches writable; the seccomp filter lets this mprotect() through. */
    mprotect((void *)page_base, (uintptr_t)rodata + sizeof rodata - page_base, PROT_READ|PROT_WRITE);
    /* The "read-only" data is now writable. */
    strcpy((void *)rodata, "Hello, world!\n");
    write(1, rodata, strlen((const char *)rodata));
    return 0;
}
$ gcc rodata.c
$ ./a.out
Hello, world!
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24400#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
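The check that makes a PoC like the one above fail, as an added example that is not from the ticket and not Tor's own sandbox code: a minimal seccomp-bpf filter which, because BPF can only compare the integer arguments of a syscall and never dereference a pointer, bounds the address instead, returning EPERM for any mprotect() that requests PROT_WRITE below the end of the page holding a constant string. It assumes Linux on a little-endian 64-bit machine with the default memory layout (brk heap above the program image); `protected_path`, `install_rodata_guard` and `rodata_guard_demo` are names invented for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Constructed example constant; stands in for a path a sandbox compares by pointer identity. */
static const char protected_path[] = "/hypothetical/torrc";

static uintptr_t page_down(uintptr_t a)
{
    uintptr_t ps = (uintptr_t)sysconf(_SC_PAGESIZE);
    return a & ~(ps - 1);
}

static uintptr_t page_up(uintptr_t a)
{
    uintptr_t ps = (uintptr_t)sysconf(_SC_PAGESIZE);
    return (a + ps - 1) & ~(ps - 1);
}

/* Install a filter: mprotect() with PROT_WRITE on addr < rodata_end fails with EPERM,
 * every other syscall is allowed. The filter sees only seccomp_data (syscall number
 * and raw 64-bit argument values), so it reasons about the address, not the string.
 * Assumes little-endian: the low word of args[i] is at offset args[i], the high at +4.
 * Returns 0 on success, -1 (errno set) if seccomp cannot be installed. */
static int install_rodata_guard(uintptr_t rodata_end)
{
    uint32_t end_hi = (uint32_t)((uint64_t)rodata_end >> 32);
    uint32_t end_lo = (uint32_t)rodata_end;
    struct sock_filter code[] = {
        /* 0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* 1 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mprotect, 0, 8),     /* not mprotect: allow */
        /* 2 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])), /* prot */
        /* 3 */ BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, PROT_WRITE, 0, 6),        /* no PROT_WRITE: allow */
        /* 4 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0]) + 4), /* addr hi */
        /* 5 */ BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, end_hi, 4, 0),              /* above region: allow */
        /* 6 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, end_hi, 0, 2),              /* lower high word: deny */
        /* 7 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),     /* addr lo */
        /* 8 */ BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, end_lo, 1, 0),              /* at/after end: allow */
        /* 9 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* 10 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof code / sizeof code[0], .filter = code };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
}

/* Returns 1 when the guard rejects making the constant's page writable while an
 * ordinary heap page can still be mprotect()ed, 0 if either check fails, and -1
 * if the filter could not be installed. */
int rodata_guard_demo(void)
{
    uintptr_t start = page_down((uintptr_t)protected_path);
    uintptr_t end = page_up((uintptr_t)protected_path + sizeof protected_path);
    if (install_rodata_guard(end) != 0)
        return -1;

    /* The PoC's step: try to make the page holding the constant writable. */
    int r = mprotect((void *)start, end - start, PROT_READ | PROT_WRITE);
    int rodata_blocked = (r == -1 && errno == EPERM);

    /* Ordinary memory is unaffected: a page-aligned heap block (brk heap, above the image). */
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    void *buf = NULL;
    int heap_ok = posix_memalign(&buf, ps, ps) == 0 &&
                  mprotect(buf, ps, PROT_READ | PROT_WRITE) == 0;
    free(buf);

    return rodata_blocked && heap_ok;
}

int main(void)
{
    int r = rodata_guard_demo();
    printf("rodata guard %s\n", r == 1 ? "enforced" : r == 0 ? "NOT enforced" : "could not be installed");
    return r == 1 ? 0 : 1;
}
```

A production filter would pass the bounds of the whole .rodata segment (for example from linker-provided symbols) rather than the page of a single string, and would check the `arch` field of `seccomp_data` before trusting the syscall number.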