[tor-bugs] #27741 [Core Tor/Tor]: too many arguments in rust protover_compute_vote()
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Sep 17 06:46:52 UTC 2018
#27741: too many arguments in rust protover_compute_vote()
-----------------------------------------------+---------------------------
 Reporter:  cyberpunks                         |          Owner:  (none)
     Type:  defect                             |         Status:  new
 Priority:  Medium                             |      Milestone:  Tor: 0.3.5.x-final
Component:  Core Tor/Tor                       |        Version:  Tor: 0.3.3.6
 Severity:  Normal                             |     Resolution:
 Keywords:  035-must, protover, memory-safety  |  Actual Points:
Parent ID:                                     |         Points:
 Reviewer:                                     |        Sponsor:
-----------------------------------------------+---------------------------
Changes (by teor):
* keywords: => 035-must, protover, memory-safety
* milestone: => Tor: 0.3.5.x-final
Comment:
There is no consensus method 29:
https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt#n2877
https://github.com/torproject/tor/blob/master/src/feature/dirauth/dirvote.h#L78
Instead, we decided to unconditionally reject relay descriptors, votes,
and consensuses containing long protocol names.
It looks like we merged an old version of the Rust fix. It is possible
that we updated the C fix to unconditionally reject bad documents, but
never updated the Rust fix to match.
> The C code never added this 3rd argument and only calls it with 2, which
> can't be safe.
In most calling conventions, Rust will read a register for the 3rd
argument, but C hasn't initialised that register. Then the arbitrary (or
uninitialised) value read from the register will be interpreted as a
boolean.
This could cause a crash due to a register poison exception on some
platforms. But on x86_64, I *think* it will just result in an arbitrary
choice between validated and unvalidated.
We should fix this issue in 0.3.5, and backport.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27741#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
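
An added example, not part of the ticket or of Tor's code: one way to catch the mismatch discussed above is to compare the parameter count of each C prototype with the matching Rust `extern "C"` definition. The two declarations it checks are constructed samples; their parameter names and types, and the function `sample_ok`, are hypothetical.

```rust
// Added example, not Tor code. Both snippets are constructed samples; their
// parameter names and types, and the function `sample_ok`, are hypothetical.
use std::collections::BTreeMap;
const C_HEADER: &str = "char *protover_compute_vote(const list_t *protos, int threshold);
int sample_ok(const char *s);";
const RUST_SRC: &str = r#"
pub extern "C" fn protover_compute_vote(protos: *const List, threshold: c_int,
    allow_long_names: bool) -> *mut c_char { compute(protos) }
pub extern "C" fn sample_ok(s: *const c_char) -> c_int { 0 }"#;

/// Map each function name that appears outside any `{}` body to its parameter count.
fn arities(src: &str) -> BTreeMap<String, usize> {
    let ch: Vec<char> = src.chars().collect();
    let mut out = BTreeMap::new();
    let (mut braces, mut i) = (0, 0);
    while i < ch.len() {
        if ch[i] == '{' { braces += 1 } else if ch[i] == '}' { braces -= 1 }
        if ch[i] == '(' && braces == 0 {
            let mut s = i; // walk back over the identifier before '('
            while s > 0 && (ch[s - 1].is_alphanumeric() || ch[s - 1] == '_') { s -= 1; }
            let (mut depth, mut j, mut commas) = (1, i + 1, 0usize); // top-level commas only
            while j < ch.len() && depth > 0 {
                if ch[j] == ',' && depth == 1 { commas += 1 }
                depth += match ch[j] { '(' => 1, ')' => -1, _ => 0 };
                j += 1;
            }
            if s < i && depth == 0 {
                let params: String = ch[i + 1..j - 1].iter().collect();
                let p = params.trim();
                let n = if p.is_empty() || p == "void" { 0 } else { commas + 1 - p.ends_with(',') as usize };
                out.insert(ch[s..i].iter().collect(), n);
            }
            i = j - 1; // resume scanning after the closing ')'
        }
        i += 1;
    }
    out
}

/// Names declared on both sides whose counts differ: (name, C count, Rust count).
fn mismatches(c_header: &str, rust_src: &str) -> Vec<(String, usize, usize)> {
    let rust = arities(rust_src);
    arities(c_header).into_iter()
        .filter_map(|(n, c)| rust.get(&n).filter(|&&r| r != c).map(|&r| (n.clone(), c, r)))
        .collect()
}

fn main() {
    println!("{:?}", mismatches(C_HEADER, RUST_SRC));
}
```

A count check like this only catches arity drift; parameter types still have to be compared by a generated-header tool or by review.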