#24400: Seccomp filter incorrectly tries to act on strings, allowing sandbox bypass
--------------------------+------------------------------------
 Reporter:  Sebastian     |          Owner:  (none)
     Type:  defect        |         Status:  new
 Priority:  Medium        |      Milestone:  Tor: 0.3.3.x-final
Component:  Core Tor/Tor  |        Version:
 Severity:  Major         |     Resolution:
 Keywords:  sandbox       |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+------------------------------------
Comment (by cypherpunks):

 In case it's necessary, another PoC showing that `.rodata`, not just the
 heap, can be written to:

 {{{
 $ cat rodata.c
 #define _GNU_SOURCE
 #include <stdint.h>
 #include <string.h>
 #include <unistd.h>
 #include <sys/mman.h>

 int main(void)
 {
     /* 4096 zero bytes placed in .rodata; the array is not necessarily
      * page-aligned, so compute the span of whole pages that covers it. */
     static const unsigned char rodata[4096] = { 0 };
     uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
     uintptr_t base = (uintptr_t)rodata & ~(pg - 1);
     uintptr_t end = (uintptr_t)rodata + sizeof rodata;
     /* Flip the read-only pages to writable, then overwrite the constant. */
     if (mprotect((void *)base, end - base, PROT_READ | PROT_WRITE) != 0)
         return 1;
     strcpy((void *)rodata, "Hello, world!\n");
     write(1, rodata, sizeof rodata);
     return 0;
 }
 $ gcc rodata.c
 $ ./a.out
 Hello, world!
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24400#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
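The defender's side of the comment above, as an added example that is neither Tor's sandbox code nor part of the ticket: a seccomp-bpf program only ever sees the integer register values of a syscall (arch, nr, args), so it cannot inspect the string behind a pointer, but it can inspect flag bits, and the mprotect() call the PoC relies on carries PROT_WRITE in args[2]. The raw filter, the names `no_write_mprotect` and `mprotect_write_is_blocked`, and the forked probe are this example's own assumptions; it assumes Linux with seccomp (headers from 4.14 or later for SECCOMP_RET_KILL_PROCESS), x86_64 or aarch64, and a little-endian layout.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <signal.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* seccomp-bpf sees only raw register values (arch, nr, args) and cannot follow
 * a pointer, so strings are uncheckable but flag bits are: kill the process on
 * any mprotect() asking for PROT_WRITE. args[2] is read as a 32-bit LE word. */
static struct sock_filter no_write_mprotect[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mprotect, 0, 3),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, PROT_WRITE, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Replay the PoC's mprotect() in a child under the filter: 1 if killed by SIGSYS, else 0. */
int mprotect_write_is_blocked(void) {
    static const unsigned char rodata[4096] = { 0 };  /* constructed stand-in for the PoC's array */
    pid_t pid = fork(); int status = 0;
    if (pid < 0) return 0;
    if (pid == 0) {
        struct sock_fprog prog = { sizeof(no_write_mprotect) / sizeof(no_write_mprotect[0]), no_write_mprotect };
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) _exit(2);
        mprotect((void *)((unsigned long)rodata & ~4095UL), 1, PROT_READ | PROT_WRITE);
        _exit(0); /* reached only if the filter did not fire */
    }
    return waitpid(pid, &status, 0) == pid && WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS;
}

int main(void) { return mprotect_write_is_blocked() ? 0 : 1; }
```

Denying every writable mprotect() is too coarse for a real program (JITs and guard pages need it), so a production filter would narrow the argument checks further; the contrast it illustrates stands regardless: the flag word is visible to the filter, the pathname string is not.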