[tor-bugs] #23512 [Core Tor/Tor]: Bandwidth stats watermark can be induced using OOM killer
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Oct 25 01:58:53 UTC 2017
#23512: Bandwidth stats watermark can be induced using OOM killer
-------------------------------------------------+-------------------------
Reporter: asn | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone: Tor:
| 0.3.3.x-final
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution:
Keywords: tor-bug-bounty, congestion-attack, | Actual Points:
research, watermark, tor-stats, guard- |
discovery-stats |
Parent ID: | Points:
Reviewer: | Sponsor:
| SponsorQ
-------------------------------------------------+-------------------------
Comment (by arma):
Mike: I talked to Jaym about this topic at PETS. I think at the time I was
under the impression that we are incrementing the *write* counter, that
is, the outbound connection, even though we never actually push the bytes
out to the network because we kill the outbuf in the oom killer.
So I had thought that the bug was "we say that we wrote out the bytes even
though we didn't", which allows an attacker to queue up a bunch of bytes
for us to outbuf, and generate an artificially large signal.
If that is the issue (which contradicts asn's summary above I think), then
there would be a second piece to the fix, since if we only decremented the
write count to stop including the bytes we didn't actually write, then we
would have an asymmetry between the (still much higher) read count and the
(now corrected) write count. So the second part of the fix would be to
decrement the read count by the corresponding amount too, so things match
up.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23512#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list