Re: [tor-bugs] #31001 [Core Tor/Tor]: Undefined behavior in tor_vasprintf()

2019-10-22 Thread Tor Bug Tracker & Wiki
#31001: Undefined behavior in tor_vasprintf()
------------------------------------------------+-------------------------------------
 Reporter:  asn                                 |          Owner:  nickm
     Type:  defect                              |         Status:  closed
 Priority:  Medium                              |      Milestone:  Tor: 0.4.0.x-final
Component:  Core Tor/Tor                        |        Version:
 Severity:  Normal                              |     Resolution:  fixed
 Keywords:  hackerone, bug-bounty, security-low,|  Actual Points:  .1
  unlikely-crash, 029-backport, 035-backport,   |
  040-backport, 041-backport, dgoulet-merge,    |
  consider-backport-after-0421                  |
Parent ID:                                      |         Points:  0.5
 Reviewer:  catalyst                            |        Sponsor:
------------------------------------------------+-------------------------------------
Changes (by teor):

 * status:  merge_ready => closed
 * resolution:   => fixed


Comment:

 Merged to 0.2.9 and later.
 Merged #32106, #31807, #31001, #23818, #12399, and #31372 together.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #31001 [Core Tor/Tor]: Undefined behavior in tor_vasprintf()

2019-08-19 Thread Tor Bug Tracker & Wiki
#31001: Undefined behavior in tor_vasprintf()
------------------------------------------------+-------------------------------------
 Reporter:  asn                                 |          Owner:  nickm
     Type:  defect                              |         Status:  merge_ready
 Priority:  Medium                              |      Milestone:  Tor: 0.4.0.x-final
Component:  Core Tor/Tor                        |        Version:
 Severity:  Normal                              |     Resolution:
 Keywords:  consider-backport-after-0416        |  Actual Points:  .1
  hackerone bug-bounty security-low             |
  unlikely-crash 029-backport 035-backport      |
  040-backport 041-backport dgoulet-merge       |
Parent ID:                                      |         Points:  0.5
 Reviewer:  catalyst                            |        Sponsor:
------------------------------------------------+-------------------------------------
Changes (by nickm):

 * keywords:
 consider-backport-after-0416 041-must hackerone bug-bounty security-low
 unlikely-crash 029-backport 035-backport 040-backport 041-backport
 dgoulet-merge
 =>
 consider-backport-after-0416 hackerone bug-bounty security-low
 unlikely-crash 029-backport 035-backport 040-backport 041-backport
 dgoulet-merge



Re: [tor-bugs] #31001 [Core Tor/Tor]: Undefined behavior in tor_vasprintf()

2019-08-07 Thread Tor Bug Tracker & Wiki
#31001: Undefined behavior in tor_vasprintf()
------------------------------------------------+-------------------------------------
 Reporter:  asn                                 |          Owner:  nickm
     Type:  defect                              |         Status:  merge_ready
 Priority:  Medium                              |      Milestone:  Tor: 0.4.0.x-final
Component:  Core Tor/Tor                        |        Version:
 Severity:  Normal                              |     Resolution:
 Keywords:  consider-backport-after-0416        |  Actual Points:  .1
  041-must hackerone bug-bounty security-low    |
  unlikely-crash 029-backport 035-backport      |
  040-backport 041-backport dgoulet-merge       |
Parent ID:                                      |         Points:  0.5
 Reviewer:  catalyst                            |        Sponsor:
------------------------------------------------+-------------------------------------
Changes (by teor):

 * keywords:
 041-must hackerone bug-bounty security-low unlikely-crash 029-backport
 035-backport 040-backport 041-backport dgoulet-merge
 =>
 consider-backport-after-0416 041-must hackerone bug-bounty security-low
 unlikely-crash 029-backport 035-backport 040-backport 041-backport
 dgoulet-merge


Comment:

 This PR was merged after 0.4.1.4, so we will test it until 0.4.1.6 is
 released, then merge.


Re: [tor-bugs] #31001 [Core Tor/Tor]: Undefined behavior in tor_vasprintf()

2019-07-29 Thread Tor Bug Tracker & Wiki
#31001: Undefined behavior in tor_vasprintf()
------------------------------------------------+-------------------------------------
 Reporter:  asn                                 |          Owner:  nickm
     Type:  defect                              |         Status:  merge_ready
 Priority:  Medium                              |      Milestone:  Tor: 0.4.0.x-final
Component:  Core Tor/Tor                        |        Version:
 Severity:  Normal                              |     Resolution:
 Keywords:  041-must hackerone bug-bounty       |  Actual Points:  .1
  security-low unlikely-crash 029-backport      |
  035-backport 040-backport 041-backport        |
  dgoulet-merge                                 |
Parent ID:                                      |         Points:  0.5
 Reviewer:  catalyst                            |        Sponsor:
------------------------------------------------+-------------------------------------
Changes (by dgoulet):

 * milestone:  Tor: 0.4.1.x-final => Tor: 0.4.0.x-final


Comment:

 Merged in 041 and forward! Moving to 040 for backport.


Re: [tor-bugs] #31001 [Core Tor/Tor]: Undefined behavior in tor_vasprintf()

2019-07-29 Thread Tor Bug Tracker & Wiki
#31001: Undefined behavior in tor_vasprintf()
------------------------------------------------+-------------------------------------
 Reporter:  asn                                 |          Owner:  nickm
     Type:  defect                              |         Status:  merge_ready
 Priority:  Medium                              |      Milestone:  Tor: 0.4.1.x-final
Component:  Core Tor/Tor                        |        Version:
 Severity:  Normal                              |     Resolution:
 Keywords:  041-must hackerone bug-bounty       |  Actual Points:  .1
  security-low unlikely-crash 029-backport      |
  035-backport 040-backport 041-backport        |
  dgoulet-merge                                 |
Parent ID:                                      |         Points:  0.5
 Reviewer:  catalyst                            |        Sponsor:
------------------------------------------------+-------------------------------------
Changes (by nickm):

 * keywords:
 041-must hackerone bug-bounty security-low unlikely-crash 029-backport
 035-backport 040-backport 041-backport
 =>
 041-must hackerone bug-bounty security-low unlikely-crash 029-backport
 035-backport 040-backport 041-backport dgoulet-merge


Comment:

 Please merge to 0.4.0 and forward, and mark for backport?


Re: [tor-bugs] #31001 [Core Tor/Tor]: Undefined behavior in tor_vasprintf()

2019-07-25 Thread Tor Bug Tracker & Wiki
#31001: Undefined behavior in tor_vasprintf()
------------------------------------------------+-------------------------------------
 Reporter:  asn                                 |          Owner:  nickm
     Type:  defect                              |         Status:  merge_ready
 Priority:  Medium                              |      Milestone:  Tor: 0.4.1.x-final
Component:  Core Tor/Tor                        |        Version:
 Severity:  Normal                              |     Resolution:
 Keywords:  041-must hackerone bug-bounty       |  Actual Points:  .1
  security-low unlikely-crash 029-backport      |
  035-backport 040-backport 041-backport        |
Parent ID:                                      |         Points:  0.5
 Reviewer:  catalyst                            |        Sponsor:
------------------------------------------------+-------------------------------------
Changes (by catalyst):

 * status:  needs_review => merge_ready


Comment:

 Replying to [comment:4 nickm]:
 > I have two branches here: bug31001_029 for maint-0.2.9, and bug31001_035
 > for maint-0.3.5 and later.
 >
 > PR for 0.2.9: https://github.com/torproject/tor/pull/1178
 > PR for 0.3.5: https://github.com/torproject/tor/pull/1179
 > PR for master (for CI purposes):
 > https://github.com/torproject/tor/pull/1180

 Thanks! These look good to me.


Re: [tor-bugs] #31001 [Core Tor/Tor]: Undefined behavior in tor_vasprintf()

2019-07-22 Thread Tor Bug Tracker & Wiki
#31001: Undefined behavior in tor_vasprintf()
------------------------------------------------+-------------------------------------
 Reporter:  asn                                 |          Owner:  nickm
     Type:  defect                              |         Status:  needs_review
 Priority:  Medium                              |      Milestone:  Tor: 0.4.1.x-final
Component:  Core Tor/Tor                        |        Version:
 Severity:  Normal                              |     Resolution:
 Keywords:  041-must hackerone bug-bounty       |  Actual Points:  .1
  security-low unlikely-crash 029-backport      |
  035-backport 040-backport 041-backport        |
Parent ID:                                      |         Points:  0.5
 Reviewer:  catalyst                            |        Sponsor:
------------------------------------------------+-------------------------------------
Changes (by dgoulet):

 * reviewer:   => catalyst



Re: [tor-bugs] #31001 [Core Tor/Tor]: Undefined behavior in tor_vasprintf()

2019-07-19 Thread Tor Bug Tracker & Wiki
#31001: Undefined behavior in tor_vasprintf()
------------------------------------------------+-------------------------------------
 Reporter:  asn                                 |          Owner:  nickm
     Type:  defect                              |         Status:  needs_review
 Priority:  Medium                              |      Milestone:  Tor: 0.4.1.x-final
Component:  Core Tor/Tor                        |        Version:
 Severity:  Normal                              |     Resolution:
 Keywords:  041-must hackerone bug-bounty       |  Actual Points:  .1
  security-low unlikely-crash 029-backport      |
  035-backport 040-backport 041-backport        |
Parent ID:                                      |         Points:  0.5
 Reviewer:                                      |        Sponsor:
------------------------------------------------+-------------------------------------
Changes (by nickm):

 * status:  accepted => needs_review
 * actualpoints:   => .1


Comment:

 I have two branches here: bug31001_029 for maint-0.2.9, and bug31001_035
 for maint-0.3.5 and later.

 PR for 0.2.9: https://github.com/torproject/tor/pull/1178
 PR for 0.3.5: https://github.com/torproject/tor/pull/1179
 PR for master (for CI purposes):
 https://github.com/torproject/tor/pull/1180


Re: [tor-bugs] #31001 [Core Tor/Tor]: Undefined behavior in tor_vasprintf()

2019-07-08 Thread Tor Bug Tracker & Wiki
#31001: Undefined behavior in tor_vasprintf()
------------------------------------------------+-------------------------------------
 Reporter:  asn                                 |          Owner:  nickm
     Type:  defect                              |         Status:  accepted
 Priority:  Medium                              |      Milestone:  Tor: 0.4.1.x-final
Component:  Core Tor/Tor                        |        Version:
 Severity:  Normal                              |     Resolution:
 Keywords:  041-must hackerone bug-bounty       |  Actual Points:
  security-low unlikely-crash 029-backport      |
  035-backport 040-backport 041-backport        |
Parent ID:                                      |         Points:  0.5
 Reviewer:                                      |        Sponsor:
------------------------------------------------+-------------------------------------
Changes (by nickm):

 * owner:  (none) => nickm
 * status:  needs_revision => accepted


Comment:

 I'll do the backport


Re: [tor-bugs] #31001 [Core Tor/Tor]: Undefined behavior in tor_vasprintf()

2019-06-27 Thread Tor Bug Tracker & Wiki
#31001: Undefined behavior in tor_vasprintf()
------------------------------------------------+-------------------------------------
 Reporter:  asn                                 |          Owner:  (none)
     Type:  defect                              |         Status:  needs_revision
 Priority:  Medium                              |      Milestone:  Tor: 0.4.1.x-final
Component:  Core Tor/Tor                        |        Version:
 Severity:  Normal                              |     Resolution:
 Keywords:  041-must hackerone bug-bounty       |  Actual Points:
  security-low unlikely-crash 029-backport      |
  035-backport 040-backport 041-backport        |
Parent ID:                                      |         Points:  0.5
 Reviewer:                                      |        Sponsor:
------------------------------------------------+-------------------------------------
Changes (by teor):

 * status:  needs_review => needs_revision
 * keywords:  041-must hackerone bug-bounty =>
 041-must hackerone bug-bounty security-low unlikely-crash 029-backport
 035-backport 040-backport 041-backport
 * points:   => 0.5


Comment:

 This patch makes sense to me, and it passes CI.

 I'm marking it as security-low, because most common compilers don't
 aggressively optimise signed overflow in this context.
 (If they did, this code could introduce some nasty bugs in tor.)

 So the negative value will be converted to size_t by adding SIZE_T_MAX.
 On 32-bit systems, that's the correct value, on 64-bit systems, that's
 UINT64_MAX - INT32_MIN, which will fail to malloc and crash.
 Fortunately, most of Tor's parsers have document size limits that are much
 lower than 2GB.

 But we still need to backport this fix to compact.c in 0.2.9, and then
 merge forward.


Re: [tor-bugs] #31001 [Core Tor/Tor]: Undefined behavior in tor_vasprintf()

2019-06-27 Thread Tor Bug Tracker & Wiki
#31001: Undefined behavior in tor_vasprintf()
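------------------------------------------------+-------------------------------------
 Reporter:  asn                                 |          Owner:  (none)
     Type:  defect                              |         Status:  needs_review
 Priority:  Medium                              |      Milestone:  Tor: 0.4.1.x-final
Component:  Core Tor/Tor                        |        Version:
 Severity:  Normal                              |     Resolution:
 Keywords:  041-must hackerone bug-bounty       |  Actual Points:
Parent ID:                                      |         Points:
 Reviewer:                                      |        Sponsor:
------------------------------------------------+-------------------------------------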
Changes (by asn):

 * status:  new => needs_review


Comment:

 Bug found by Tobias Stoeckmann.

 Patch by Tobias can be found here:
 https://github.com/torproject/tor/pull/1144


[tor-bugs] #31001 [Core Tor/Tor]: Undefined behavior in tor_vasprintf()

2019-06-27 Thread Tor Bug Tracker & Wiki
#31001: Undefined behavior in tor_vasprintf()
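------------------------------+------------------------------------------
     Reporter:  asn           |      Owner:  (none)
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:  Tor: 0.4.1.x-final
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:  041-must hackerone bug-bounty
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+------------------------------------------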
 {{{
 Overflowing a signed integer in C is undefined behaviour.
 It is possible to trigger this undefined behaviour in tor_asprintf on
 Windows or systems lacking vasprintf.

 On these systems, either _vscprintf or vsnprintf is called to retrieve
 the required amount of bytes to hold the string. These functions can
 return INT_MAX. The easiest way to recreate this is the use of a
 specially crafted configuration file, e.g. containing the line:

 FirewallPorts A

 This line triggers the needed tor_asprintf call which eventually
 leads to an INT_MAX return value from _vscprintf or vsnprintf.

 The needed byte for \0 is added to the result, triggering the
 overflow and therefore the undefined behaviour.

 Casting the value to size_t before addition fixes the behaviour.

 }}}

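
The fix named in the original report ("casting the value to size_t before addition"), worked through as an added example; this is not Tor's code and not the patch from the pull requests above. The names `buf_size_for_len`, `demo_vasprintf` and `demo_asprintf` are hypothetical, and the port list passed in `main` is a constructed sample value.

```c
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: bytes needed for `len` characters plus the NUL, or 0
 * for an error value (len < 0). The cast comes BEFORE the addition, so
 * INT_MAX becomes (size_t)INT_MAX + 1; `len + 1` would overflow signed int. */
size_t buf_size_for_len(int len)
{
  return len < 0 ? 0 : (size_t)len + 1;
}

/* Hypothetical fallback for systems lacking vasprintf(): measure, allocate,
 * format. Returns the string length, or -1 on error with *out set to NULL. */
int demo_vasprintf(char **out, const char *fmt, va_list args)
{
  va_list measure;
  *out = NULL;
  va_copy(measure, args);
  int len = vsnprintf(NULL, 0, fmt, measure);  /* may be as large as INT_MAX */
  va_end(measure);
  size_t need = buf_size_for_len(len);
  char *buf = need ? malloc(need) : NULL;
  if (buf == NULL) return -1;
  if (vsnprintf(buf, need, fmt, args) != len) {  /* second pass disagreed */
    free(buf);
    return -1;
  }
  *out = buf;
  return len;
}

int demo_asprintf(char **out, const char *fmt, ...)
{
  va_list args;
  va_start(args, fmt);
  int r = demo_vasprintf(out, fmt, args);
  va_end(args);
  return r;
}

int main(void)
{
  char *s = NULL;  /* the port list below is a constructed sample value */
  int n = demo_asprintf(&s, "FirewallPorts %s", "80,443");
  printf("%d %s\n", n, s ? s : "(null)");
  free(s);
  return 0;
}
```

Building the unpatched form (`len + 1` computed as `int`) with `-fsanitize=signed-integer-overflow` makes the overflow visible at run time when the measured length is INT_MAX.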