Fix Tor#21018 where Tor clients could crash when attempting to visit a hostile...

Fix Tor#21018 where Tor clients could crash when attempting to visit a hostile hidden service [TROVE-2016-12-002,CVE-2016-1254]

Fix Tor#21018 where Tor clients could crash when attempting to visit a hostile...
7f1abe1b · Peter Palfrader · 59466b50 · 7f1abe1b · 7f1abe1b · 7f1abe1b
Commit 7f1abe1b authored 8 years ago by Peter Palfrader
--- a/debian/changelog
+++ b/debian/changelog
+tor (0.2.5.12-4) jessie-security; urgency=medium
+
+  * Fix for an issue (Tor#21018) where Tor clients could crash when
+    attempting to visit a hostile hidden service.
+    [TROVE-2016-12-002,CVE-2016-1254]
+
+ -- Peter Palfrader <weasel@debian.org>  Mon, 19 Dec 2016 22:01:22 +0100
+
 tor (0.2.5.12-3) jessie-security; urgency=medium

  * Fix a remote denial of service bug, torbug#20384, TROVE-2016-001.

--- a/debian/patches/series
+++ b/debian/patches/series
 improve-geoip-warning
 update-authority-set
 tor-bug-20384-TROVE-2016-10-001
+tor-bug-21018-TROVE-2016-12-002-CVE-2016-1254
--- a/debian/patches/tor-bug-21018-TROVE-2016-12-002-CVE-2016-1254
+++ b/debian/patches/tor-bug-21018-TROVE-2016-12-002-CVE-2016-1254
+From d978216dea6b21ac38230a59d172139185a68dbd Mon Sep 17 00:00:00 2001
+From: Nick Mathewson <nickm@torproject.org>
+Date: Sun, 18 Dec 2016 20:13:58 -0500
+Subject: [PATCH 1/2] Fix parsing bug with unecognized token at EOS
+
+In get_token(), we could read one byte past the end of the
+region. This is only a big problem in the case where the region
+itself is (a) potentially hostile, and (b) not explicitly
+nul-terminated.
+
+This patch fixes the underlying bug, and also makes sure that the
+one remaining case of not-NUL-terminated potentially hostile data
+gets NUL-terminated.
+
+Fix for bug 21018, TROVE-2016-12-002, and CVE-2016-1254
+---
+ changes/bug21018     | 11 +++++++++++
+ src/or/routerparse.c |  6 +++---
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+ create mode 100644 changes/bug21018
+
+diff --git a/changes/bug21018 b/changes/bug21018
+new file mode 100644
+index 0000000..49a8b47
+--- /dev/null
+++ b/changes/bug21018
+@@ -0,0 +1,11 @@
+  o Major bugfixes (parsing, security):
+
+    - Fix a bug in parsing that could cause clients to read a single
+      byte past the end of an allocated region. This bug could be
+      used to cause hardened clients (built with
+      --enable-expensive-hardening) to crash if they tried to visit
+      a hostile hidden service.  Non-hardened clients are only
+      affected depending on the details of their platform's memory
+      allocator. Fixes bug 21018; bugfix on 0.2.0.8-alpha. Found by
+      using libFuzzer. Also tracked as TROVE-2016-12-002 and as
+      CVE-2016-1254.
+diff --git a/src/or/routerparse.c b/src/or/routerparse.c
+index 176c16f..71373ce 100644
+--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
+@@ -3857,7 +3857,7 @@ get_next_token(memarea_t *area,
+ 
+   if (tok->tp == ERR_) {
+     /* No keyword matched; call it an "K_opt" or "A_unrecognized" */
+-    if (**s == '@')
+    if (*s < eol && **s == '@')
+       tok->tp = A_UNKNOWN_;
+     else
+       tok->tp = K_OPT;
+@@ -4863,7 +4863,7 @@ rend_decrypt_introduction_points(char **ipos_decrypted,
+         crypto_cipher_free(cipher);
+ 
+         len = ipos_encrypted_size - 2 - client_entries_len - CIPHER_IV_LEN;
+-        dec = tor_malloc(len);
+        dec = tor_malloc_zero(len + 1);
+         declen = crypto_cipher_decrypt_with_iv(session_key, dec, len,
+             ipos_encrypted + 2 + client_entries_len,
+             ipos_encrypted_size - 2 - client_entries_len);
+@@ -4895,7 +4895,7 @@ rend_decrypt_introduction_points(char **ipos_decrypted,
+                         "small.");
+       return -1;
+     }
+-    dec = tor_malloc_zero(ipos_encrypted_size - CIPHER_IV_LEN - 1);
+    dec = tor_malloc_zero(ipos_encrypted_size - CIPHER_IV_LEN - 1 + 1);
+ 
+     declen = crypto_cipher_decrypt_with_iv(descriptor_cookie, dec,
+                                            ipos_encrypted_size -
+-- 
+2.1.4
+
+From 0fb3058eced5dce355d777288bd9ec255b875db4 Mon Sep 17 00:00:00 2001
+From: Nick Mathewson <nickm@torproject.org>
+Date: Sun, 18 Dec 2016 20:17:28 -0500
+Subject: [PATCH 2/2] Make log message warn about detected attempts to exploit
+ 21018.
+
+---
+ src/or/rendcommon.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/or/rendcommon.c b/src/or/rendcommon.c
+index d1f8b1a..296df55 100644
+--- a/src/or/rendcommon.c
+++ b/src/or/rendcommon.c
+@@ -1327,8 +1327,10 @@ rend_cache_store_v2_desc_as_client(const char *desc,
+                                                     intro_size);
+     if (n_intro_points <= 0) {
+       log_warn(LD_REND, "Failed to parse introduction points. Either the "
+-               "service has published a corrupt descriptor or you have "
+-               "provided invalid authorization data.");
+               "service has published a corrupt descriptor, or you have "
+               "provided invalid authorization data, or (maybe!) the "
+               "server is deliberately serving broken data in an attempt "
+               "to crash you with bug 21018.");
+       retval = -2;
+       goto err;
+     } else if (n_intro_points > MAX_INTRO_POINTS) {
+-- 
+2.1.4
+