[tor-bugs] #983 [Tor Relay]: Abort crash in libcrypto malloc during onion handshake

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Thu Nov 11 20:15:55 UTC 2010


#983: Abort crash in libcrypto malloc during onion handshake
-------------------------+--------------------------------------------------
 Reporter:  neoeinstein  |         Type:  defect          
   Status:  closed       |     Priority:  normal          
Milestone:               |    Component:  Tor Relay       
  Version:  0.2.1.14-rc  |   Resolution:  user disappeared
 Keywords:               |       Parent:                  
-------------------------+--------------------------------------------------
Changes (by nickm):

  * status:  new => closed
  * resolution:  None => user disappeared


New description:

 Occurred after ~15 hours of uptime on an x86_64 box.
 I keep all cores archived, so if you have requests for me
 to run against the core, let me know.

 """
 GNU gdb 6.8-debian
 Copyright (C) 2008 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later
 <http://gnu.org/licenses/gpl.html>
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 and "show warranty" for details.
 This GDB was configured as "x86_64-linux-gnu"...

 warning: Can't read pathname for load map: Input/output error.
 Reading symbols from /lib/libz.so.1...done.
 Loaded symbols for /lib/libz.so.1
 Reading symbols from /usr/lib/libevent-1.3e.so.1...done.
 Loaded symbols for /usr/lib/libevent-1.3e.so.1
 Reading symbols from /lib/libssl.so.0.9.8...done.
 Loaded symbols for /lib/libssl.so.0.9.8
 Reading symbols from /lib/libcrypto.so.0.9.8...done.
 Loaded symbols for /lib/libcrypto.so.0.9.8
 Reading symbols from /lib/libpthread.so.0...done.
 Loaded symbols for /lib/libpthread.so.0
 Reading symbols from /lib/libdl.so.2...done.
 Loaded symbols for /lib/libdl.so.2
 Reading symbols from /lib/libc.so.6...done.
 Loaded symbols for /lib/libc.so.6
 Reading symbols from /lib/libnsl.so.1...done.
 Loaded symbols for /lib/libnsl.so.1
 Reading symbols from /lib/librt.so.1...done.
 Loaded symbols for /lib/librt.so.1
 Reading symbols from /lib/libresolv.so.2...done.
 Loaded symbols for /lib/libresolv.so.2
 Reading symbols from /lib/ld-linux-x86-64.so.2...done.
 Loaded symbols for /lib64/ld-linux-x86-64.so.2
 Reading symbols from /lib/libnss_compat.so.2...done.
 Loaded symbols for /lib/libnss_compat.so.2
 Reading symbols from /lib/libnss_nis.so.2...done.
 Loaded symbols for /lib/libnss_nis.so.2
 Reading symbols from /lib/libnss_files.so.2...done.
 Loaded symbols for /lib/libnss_files.so.2
 Reading symbols from /lib/libnss_mdns4_minimal.so.2...done.
 Loaded symbols for /lib/libnss_mdns4_minimal.so.2
 Reading symbols from /lib/libnss_dns.so.2...done.
 Loaded symbols for /lib/libnss_dns.so.2
 Reading symbols from /lib/libgcc_s.so.1...done.
 Loaded symbols for /lib/libgcc_s.so.1
 Core was generated by `/usr/sbin/tor'.
 Program terminated with signal 6, Aborted.
 [New process 3611]
 [New process 19395]
 [New process 3612]
 [New process 3614]
 [New process 3613]
 #0  0x00007fd0ea7cbfb5 in raise () from /lib/libc.so.6
 (gdb) bt
 #0  0x00007fd0ea7cbfb5 in raise () from /lib/libc.so.6
 #1  0x00007fd0ea7cdbc3 in abort () from /lib/libc.so.6
 #2  0x00007fd0ea80b228 in ?? () from /lib/libc.so.6
 #3  0x00007fd0ea811b2c in ?? () from /lib/libc.so.6
 #4  0x00007fd0ea8138f1 in ?? () from /lib/libc.so.6
 #5  0x00007fd0ea815828 in malloc () from /lib/libc.so.6
 #6  0x00007fd0eaf91f33 in CRYPTO_malloc () from /lib/libcrypto.so.0.9.8
 #7  0x00007fd0eafbc18f in BN_mod_exp_mont_consttime () from
 /lib/libcrypto.so.0.9.8
 #8  0x00007fd0eafd8925 in ?? () from /lib/libcrypto.so.0.9.8
 #9  0x00007fd0eafd92ab in ?? () from /lib/libcrypto.so.0.9.8
 #10 0x00000000004b1786 in crypto_pk_private_decrypt (env=<value optimized
 out>, to=<value optimized out>, from=0x8 <Address 0x8 out of bounds>,
     fromlen=518, padding=<value optimized out>, warnOnFailure=0) at
 crypto.c:762
 #11 0x00000000004b2a7e in crypto_pk_private_hybrid_decrypt (env=0x16207c0,
 to=0x7fd0e9633c30 "",
     from=0x7fd0e9633e70
 "s\214\235½aNàÇå¯\030\adlf\233\021\206\\+\035\203{h
 ëÈâ\203AÉ®?\225Ï¢éôA\232ÙREC¨ÿÚÜí>¨\003\226ÚÔCd0¢1\211û~ÎMÖ\213W\t¿WB\223põ\024Ï3>è:rÆ\036\234.\233Á(2C3É,,\224ìÅ&.\\\237ÝÑ\017I\r/⸺\207\032\225\002\205á_}0\206o\005JÊÆ\216\234Ò]÷ÿ\231Ïß¡¾çWz\223\213\215j®\026ÐY<ç/µ<½\037âón¨\026ôÚfZBc4\031\b\221±ál\217Ùõ8Ç}\032ägæÂ{*",
 fromlen=186, padding=60002, warnOnFailure=0) at crypto.c:989
 #12 0x0000000000466b85 in onion_skin_server_handshake (
     onion_skin=0x7fd0e9633e70
 "s\214\235½aNàÇå¯\030\adlf\233\021\206\\+\035\203{h
 ëÈâ\203AÉ®?\225Ï¢éôA\232ÙREC¨ÿÚÜí>¨\003\226ÚÔCd0¢1\211û~ÎMÖ\213W\t¿WB\223põ\024Ï3>è:rÆ\036\234.\233Á(2C3É,,\224ìÅ&.\\\237ÝÑ\017I\r/⸺\207\032\225\002\205á_}0\206o\005JÊÆ\216\234Ò]÷ÿ\231Ïß¡¾çWz\223\213\215j®\026ÐY<ç/µ<½\037âón¨\026ôÚfZBc4\031\b\221±ál\217Ùõ8Ç}\032ägæÂ{*",
 private_key=0x16207c0, prev_private_key=0x0,
     handshake_reply_out=0x7fd0e9633f30 "å\002õ\006(Gf.%1|cÛL?
 IÜ\204g\031\036Å\016½\217\234µå9\215uEàCʨ¾Íá©xð\201)\f\233Ó\020ÃÎ\037¶\0041Z",
     key_out=0x7fd0e9633fd0
 "ãJ(v|ÈßBdð-3v\005QÛ\202±\211\022\205J&\0247öI\233\027G¥\034ƶÇ\022,#ÆïDJ*þ®,\vRú\217ûU\005$s>=MtßWßõò²ú\022\217:ÍHú",
     key_out_len=72) at onion.c:232
 #13 0x000000000044062a in cpuworker_main (data=<value optimized out>) at
 cpuworker.c:273
 #14 0x00000000004a6ab5 in tor_pthread_helper_fn (_data=0x1620220) at
 compat.c:1694
 #15 0x00007fd0ead163ba in start_thread () from /lib/libpthread.so.0
 #16 0x00007fd0ea87efcd in clone () from /lib/libc.so.6
 #17 0x0000000000000000 in ?? ()
 """

 [Automatically added by flyspray2trac: Operating System: Other Linux]

--

Comment:

 Can't resolve this without more information; closing as "user
 disappeared". :(

 Please comment or reopen if anybody can get this to happen with a more
 recent version of Tor, or reproduce it under dmalloc or valgrind.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/983#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
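The shape of frames #1 through #5 in the backtrace (abort() reached from inside libc's malloc() through three unnamed libc-internal frames) is what glibc produces when its own heap-metadata consistency check fails: the chunk headers that malloc keeps in-band next to each allocation were overwritten by some earlier out-of-bounds write, and the allocator aborts at the first later malloc() or free() that notices. So the innermost Tor and OpenSSL frames (crypto_pk_private_decrypt, BN_mod_exp_mont_consttime) are the detection point, not the culprit, which is why nickm asks for a run under valgrind or dmalloc, tools that catch the bad write when it happens. The from=0x8 <Address 0x8 out of bounds> in frame #10 sits beside <value optimized out> arguments and contradicts the from=0x7fd0e9633e70 that frame #11 passed in, so it is more plausibly a register reused by the optimizer than a real bad pointer. The C program below is an added illustration written for this page, not code from Tor, OpenSSL or glibc: it implements a toy bump allocator with in-band headers (hypothetical names toy_malloc, heap_check, overflow_then_allocate), a deliberately unchecked memcpy as the stand-in bug, and constructed 'A'-filled input, and shows that the allocation which fails the check is a later, innocent one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy allocator with in-band chunk headers. It models the idea behind glibc's
 * malloc metadata checks, not glibc's real chunk layout.
 * Each chunk is: [struct chunk_hdr][payload rounded up to 8 bytes]. */
#define ARENA_SIZE 4096
#define HDR_MAGIC  0x5AFEC0DEu

struct chunk_hdr {
    uint32_t size;   /* payload bytes, always a multiple of 8 */
    uint32_t magic;  /* HDR_MAGIC while the header is intact  */
};
#define HDR_SIZE (sizeof(struct chunk_hdr))

static unsigned char arena[ARENA_SIZE];
static size_t        arena_used;

static void heap_reset(void)
{
    memset(arena, 0, sizeof arena);
    arena_used = 0;
}

/* Walk every header. Returns 0 if the metadata is sane, -1 if a header has
 * been overwritten. glibc runs analogous checks inside malloc()/free() and
 * calls abort() when they fail: that is the abort in frames #1-#5 above. */
static int heap_check(void)
{
    size_t off = 0;
    while (off < arena_used) {
        struct chunk_hdr h;
        memcpy(&h, arena + off, HDR_SIZE);          /* memcpy: no aliasing tricks */
        if (h.magic != HDR_MAGIC)
            return -1;                              /* magic clobbered */
        if (h.size % 8 != 0 || off + HDR_SIZE + h.size > arena_used)
            return -1;                              /* size clobbered  */
        off += HDR_SIZE + h.size;
    }
    return 0;
}

/* Bump allocator. Sets *corrupt = 1 and returns NULL where glibc would abort. */
static void *toy_malloc(size_t n, int *corrupt)
{
    *corrupt = 0;
    if (heap_check() != 0) {
        *corrupt = 1;                               /* real allocator: abort() */
        return NULL;
    }
    n = (n + 7) & ~(size_t)7;
    if (arena_used + HDR_SIZE + n > ARENA_SIZE)
        return NULL;                                /* arena exhausted */
    struct chunk_hdr h = { (uint32_t)n, HDR_MAGIC };
    memcpy(arena + arena_used, &h, HDR_SIZE);
    void *payload = arena + arena_used + HDR_SIZE;
    arena_used += HDR_SIZE + n;
    return payload;
}

/* Scenario: a 16-byte heap buffer is filled from length-controlled input with
 * no bounds check (the hypothetical bug), a neighbouring chunk sits right after
 * it, and unrelated code then allocates. Returns 1 if that later, innocent
 * allocation trips the integrity check, 0 if the heap is still consistent. */
int overflow_then_allocate(size_t input_len)
{
    unsigned char input[64];
    int corrupt = 0;

    memset(input, 'A', sizeof input);               /* constructed input */
    if (input_len > sizeof input)
        input_len = sizeof input;

    heap_reset();
    unsigned char *buf = toy_malloc(16, &corrupt);  /* victim buffer */
    (void)toy_malloc(32, &corrupt);                 /* its header follows buf's payload */

    memcpy(buf, input, input_len);                  /* BUG: >16 bytes overwrite that header */

    (void)toy_malloc(8, &corrupt);                  /* the innocent allocation that aborts */
    return corrupt;
}

int main(void)
{
    const size_t lens[] = { 8, 16, 17, 24 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("copy %2zu bytes into a 16-byte chunk -> next malloc %s\n",
               lens[i], overflow_then_allocate(lens[i]) ? "aborts: heap corrupted"
                                                        : "succeeds");
    return 0;
}
```

Copies of 8 and 16 bytes leave the heap consistent; 17 and 24 bytes clobber the neighbour's size and magic fields, and it is the third, unrelated toy_malloc() call that reports the damage. A real allocator's abort yields the same backtrace shape as the ticket's, so on a live relay the useful next step is the valgrind or dmalloc run nickm asked for, or, with the archived core, `thread apply all bt` in gdb to see what the other worker threads were doing when the check fired.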