[tor-bugs] #24733 [Core Tor/Tor]: Loading ifc.ifc_buf using the new tor_free() causes undefined behaviour on x86_64 macOS
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Dec 24 11:31:11 UTC 2017
#24733: Loading ifc.ifc_buf using the new tor_free() causes undefined behaviour on x86_64 macOS
-------------------------+-------------------------------------------------
Reporter: teor | Owner: teor
Type: defect | Status: assigned
Priority: Medium | Milestone: Tor: 0.3.3.x-final
Component: Core Tor/Tor | Version:
Severity: Normal | Keywords: address-sanitizer, unexpected-consequences
Actual Points: | Parent ID:
Points: 0.1 | Reviewer:
Sponsor: Sponsor8-can |
-------------------------+-------------------------------------------------
On macOS x86_64, the new tor_free() from #24337 loads ifc.ifc_buf, which
leads to undefined behaviour. ifc.ifc_buf is a `char *` which should be
aligned to a multiple of 8 bytes, but it is always aligned at 8 bytes (ifc on
the stack) plus 4 bytes (ifc_len and pragma pack(4)).
This bug was caused by #24337, which has been merged to master
(0.3.3.0-alpha-dev), and Apple's 32/64-bit kernel data structure
compatibility code.
It was discovered using our unit tests and clang's address sanitizer.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24733>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
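The layout problem the ticket describes, reproduced as an added C example (this is not code from the ticket or from Tor; `struct packed_ifconf`, `FREE_VIA_ADDRESS_OF_MEMBER` and the helper names are hypothetical stand-ins, and the packed struct merely mimics the shape of Apple's `struct ifconf` rather than reproducing the header). It shows why a `#pragma pack(4)` struct places a pointer member at offset 4, why taking the address of that member and loading through a `char **` is an unaligned access on x86_64, and the by-value copy that avoids forming a pointer to the misaligned member at all:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for a pack(4) ifconf: an int followed by a pointer.
 * Hypothetical type; the real macOS <net/if.h> definition is not reproduced.
 * Without the pragma, ifc_buf would sit at offset 8 on LP64; with pack(4) it
 * sits at offset 4, directly after ifc_len. */
#pragma pack(push, 4)
struct packed_ifconf {
  int ifc_len;
  char *ifc_buf;
};
#pragma pack(pop)

/* Offset of the pointer member inside the packed struct: 4, not 8. */
size_t ifc_buf_offset(void) {
  return offsetof(struct packed_ifconf, ifc_buf);
}

/* Size of the packed struct: 12 on LP64 (4 + 8, no padding); the unpacked
 * layout would be 16. */
size_t packed_ifconf_size(void) {
  return sizeof(struct packed_ifconf);
}

/* Place an instance at an 8-byte aligned address, as the ticket says happens
 * for ifc on the stack, and report whether the address of ifc_buf is usable
 * as a char ** (a multiple of _Alignof(char *)). On x86_64 that alignment is
 * 8, so 8k + 4 is misaligned and this returns 1. The address is computed as
 * base + offset to avoid the compiler's address-of-packed-member warning. */
int ifc_buf_addr_is_misaligned(void) {
  _Alignas(8) struct packed_ifconf ifc = { 0, NULL };
  uintptr_t addr = (uintptr_t)&ifc + ifc_buf_offset();
  return (addr % _Alignof(char *)) != 0;
}

/* Reconstruction of the shape of the bug (not Tor's actual macro): take the
 * address of the argument and read the pointer back through it. When p is a
 * packed member, tmp__ is a misaligned char ** and the load *tmp__ is
 * undefined behaviour; clang's -fsanitize=alignment (part of
 * -fsanitize=undefined) reports it. Deliberately never invoked in this file. */
#define FREE_VIA_ADDRESS_OF_MEMBER(p) do { \
    char **tmp__ = &(p);                   \
    free(*tmp__);                          \
    *tmp__ = NULL;                         \
  } while (0)

/* Safe alternative: copy the member out by value (the compiler knows the
 * struct is packed and emits a correct load), free the copy, then store NULL
 * back by member assignment. No pointer to the misaligned member is formed. */
void free_ifc_buf_safely(struct packed_ifconf *ifc) {
  char *buf = ifc->ifc_buf;
  free(buf);
  ifc->ifc_buf = NULL;
}

/* Exercise the safe path on a heap buffer; returns 1 if the member was
 * cleared afterwards, 0 if allocation failed. */
int demo_safe_free(void) {
  _Alignas(8) struct packed_ifconf ifc = { 0, NULL };
  ifc.ifc_len = 64;
  ifc.ifc_buf = malloc((size_t)ifc.ifc_len);
  if (ifc.ifc_buf == NULL)
    return 0;
  free_ifc_buf_safely(&ifc);
  return ifc.ifc_buf == NULL;
}
```

Compiling with `clang -fsanitize=undefined` and invoking the macro on `ifc.ifc_buf` is what makes the misaligned load visible at runtime; on x86_64 the hardware tolerates the unaligned access, so without the sanitizer the bug is silent even though the C semantics are undefined.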