| Age | Commit message (Collapse) | Author |
|---|
|
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
|
|
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
|
|
|
|
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
|
|
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
|
|
Rust and CI fixes
See merge request tpo/core/tor!742
|
|
I saw this test fail intermittently due to what seemed like a filesystem
race in docker? The cleanup task was failing with a 'directory not
empty' error, despite trying to do a recursive 'rm'. This patch adds an
'ls' to the same directory, hoping the output might be useful to
diagnose future intermittent failures.
|
|
This adds a new "rust-latest" CI target that runs tests and clippy for
everything in the workspace. It's a subset of the equivalent on Arti.
|
|
Change 3f66ff9b000d1fbaae106e58269fe2aa306bc453 added geoip-db-tool to
the main workspace, so it's no longer using a local lockfile. Move its
lock to the crate root, remove from gitignore, and update it.
(We could also choose to not keep the lockfiles checked in, but it seems
useful to have them in our test and maintenance tooling here.)
|
|
Clippy found a transmute that could have been a reborrow.
|
|
This fixes warnings found by clippy 0.1.71 on Rust 1.71.1
Tested this by doing a geoip update without committing changes.
|
|
|
|
Revert "Nullify on_circuit if last conflux leg"
See merge request tpo/core/tor!744
|
|
|
|
|
|
This reverts commit 5487476fd919703b55cb1f1544d575224c9b685e.
|
|
Clean up torify
See merge request tpo/core/tor!740
|
|
Considering a compression bomb before looking for errors led to false negative
log warnings. Instead, it is possible the work failed for whatever reasons
which is not indicative of a compression bomb.
Fixes #40739
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
hashx: Fix a few more compiler warnings
See merge request tpo/core/tor!739
|
|
This was causing CI failures that didn't reproduce on my local machine.
The DoS subsystem now has a new assert() which triggers a BUG on some
nonzero memory contents (or_conn->tracked_for_dos_mitigation), and
uninitialized stack memory might be nonzero.
|
|
This exemption used to be helpful in keeping exit relays from tripping
the DoS detection subsystem and losing Tor connectivity. Now exit relays
block re-entry into the network (tor issue #2667) so it's no longer
needed. We'd like to re-enable protection on these addresses to avoid
giving attackers a way around our DoS mitigations.
|
|
This is a fix for a very rare buffer overflow in hashx, specific to the
dynamic compiler on aarch64 platforms.
In practice this issue is extremely unlikely to hit randomly, and it's
only been seen in unit tests that supply unusual mock PRNG output to the
program generator. My best attempt at estimating the probability of
hitting the overflow randomly is about 10^-23. Crafting an input with
the intent to overflow can be done only as fast as an exhaustive search,
so long as Blake2B is unbroken.
The root cause is that hashx writes assembly code without any length
checks, and it uses an estimated size rather than an absolute maximum
size to allocate the buffer for compiled code. Some instructions are
much longer than others, especially on aarch64.
The length of the overflow is nearly 300 bytes in the worst synthetic
test cases I've developed so far. Overflow occurs during hashx_make(),
and the subsequent hashx_exec() will always SIGSEGV as the written code
crosses outside the region that's been marked executable. In typical use,
hashx_exec() is called immediately after hashx_make().
This fix increases the buffer size from 1 page to 2 pages on aarch64,
adds an analysis of the compiled code size, and adds runtime checks so we
can gracefully fail on overflow. It also adds a unit test (written in
Rust) that includes a PRNG sequence exercising the overflow. Without
this patch the unit test shows a SIGSEGV on aarch64, with this patch it
runs successfully and matches interpreter output.
Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
|
|
tor only marks a channel as 'open' once the TLS and OR handshakes have both
completed, and normal "client" (ORPort) DoS protection is not enabled until
the channel becomes open. This patch adds an additional earlier initialization
path for DoS protection on incoming TLS connections.
This leaves the existing dos_new_client_conn() call sites intact, but adds a
guard against multiple-initialization using the existing
tracked_for_dos_mitigation flag. Other types of channels shouldn't be affected
by this patch.
|
|
Replace pathfind() which tries to parse $PATH manually with command -v.
exec is always fatal, regardless of if it managed to execute.
|
|
Fix a couple cases where size_t values were being confused with int.
Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
|
|
|
|
|
|
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
|
|
|
|
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
relay: Remove logging for a bug. It triggers a BUG() later
See merge request tpo/core/tor!738
|
|
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
hashx: Rust hook for inspecting and modifying the random number stream
See merge request tpo/core/tor!734
|
|
Fix assert crash on relay-side due to on_circuit backpointer
See merge request tpo/core/tor!737
|
|
|
|
|
|
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
Bug40828
See merge request tpo/core/tor!736
|
|
|
|
|
