[tor-bugs] #982 [Tor Relay]: Crash in closing tls connection

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Fri Nov 12 00:39:20 UTC 2010


#982: Crash in closing tls connection
--------------------------------+-------------------------------------------
 Reporter:  neoeinstein         |         Type:  defect   
   Status:  new                 |     Priority:  minor    
Milestone:  Tor: 0.2.2.x-final  |    Component:  Tor Relay
  Version:  0.2.1.14-rc         |   Resolution:  None     
 Keywords:                      |       Parent:           
--------------------------------+-------------------------------------------
Changes (by nickm):

  * milestone:  => Tor: 0.2.2.x-final


Old description:

> Happens seemingly at random after a long go of running.
>
> """
> GNU gdb 6.8-debian
> Copyright (C) 2008 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
> <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show
> copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu"...
>
> warning: Can't read pathname for load map: Input/output error.
> Reading symbols from /lib/libz.so.1...done.
> Loaded symbols for /lib/libz.so.1
> Reading symbols from /usr/lib/libevent-1.3e.so.1...done.
> Loaded symbols for /usr/lib/libevent-1.3e.so.1
> Reading symbols from /lib/libssl.so.0.9.8...done.
> Loaded symbols for /lib/libssl.so.0.9.8
> Reading symbols from /lib/libcrypto.so.0.9.8...done.
> Loaded symbols for /lib/libcrypto.so.0.9.8
> Reading symbols from /lib/libpthread.so.0...done.
> Loaded symbols for /lib/libpthread.so.0
> Reading symbols from /lib/libdl.so.2...done.
> Loaded symbols for /lib/libdl.so.2
> Reading symbols from /lib/libc.so.6...done.
> Loaded symbols for /lib/libc.so.6
> Reading symbols from /lib/libnsl.so.1...done.
> Loaded symbols for /lib/libnsl.so.1
> Reading symbols from /lib/librt.so.1...done.
> Loaded symbols for /lib/librt.so.1
> Reading symbols from /lib/libresolv.so.2...done.
> Loaded symbols for /lib/libresolv.so.2
> Reading symbols from /lib/ld-linux-x86-64.so.2...done.
> Loaded symbols for /lib64/ld-linux-x86-64.so.2
> Reading symbols from /lib/libnss_compat.so.2...done.
> Loaded symbols for /lib/libnss_compat.so.2
> Reading symbols from /lib/libnss_nis.so.2...done.
> Loaded symbols for /lib/libnss_nis.so.2
> Reading symbols from /lib/libnss_files.so.2...done.
> Loaded symbols for /lib/libnss_files.so.2
> Reading symbols from /lib/libnss_mdns4_minimal.so.2...done.
> Loaded symbols for /lib/libnss_mdns4_minimal.so.2
> Reading symbols from /lib/libnss_dns.so.2...done.
> Loaded symbols for /lib/libnss_dns.so.2
> Reading symbols from /lib/libgcc_s.so.1...done.
> Loaded symbols for /lib/libgcc_s.so.1
> Core was generated by `/usr/sbin/tor'.
> Program terminated with signal 11, Segmentation fault.
> [New process 16346]
> [New process 23317]
> [New process 23318]
> [New process 23320]
> [New process 23319]
> #0  0x00007f9792a80693 in CRYPTO_add_lock () from /lib/libcrypto.so.0.9.8
> (gdb) bt
> #0  0x00007f9792a80693 in CRYPTO_add_lock () from /lib/libcrypto.so.0.9.8
> #1  0x00007f9792aebc29 in EVP_PKEY_free () from /lib/libcrypto.so.0.9.8
> #2  0x00007f9792dd8771 in ssl_cert_free () from /lib/libssl.so.0.9.8
> #3  0x00007f9792dd71d8 in SSL_free () from /lib/libssl.so.0.9.8
> #4  0x00000000004b6ab3 in tor_tls_free (tls=0x2159fa0) at tortls.c:922
> #5  0x00000000004280bf in _connection_free (conn=0x50720d0) at
> connection.c:388
> #6  0x000000000046093c in close_closeable_connections () at main.c:602
> #7  0x0000000000461033 in second_elapsed_callback (fd=<value optimized
> out>, event=<value optimized out>, args=<value optimized out>)
>     at main.c:1094
> #8  0x00007f9792ff867d in event_base_loop () from
> /usr/lib/libevent-1.3e.so.1
> #9  0x00000000004619c6 in do_main_loop () at main.c:1435
> #10 0x0000000000461c15 in tor_main (argc=1, argv=<value optimized out>)
> at main.c:2060
> #11 0x00007f97922a65a6 in __libc_start_main () from /lib/libc.so.6
> #12 0x0000000000407469 in _start ()
> (gdb) info frame 4
> Stack frame at 0x7fff9b642140:
>  rip = 0x4b6ab3 in tor_tls_free (tortls.c:922); saved rip 0x4280bf
>  called by frame at 0x7fff9b642180, caller of frame at 0x7fff9b642120
>  source language c.
>  Arglist at 0x7fff9b642118, args: tls=0x2159fa0
>  Locals at 0x7fff9b642118, Previous frame's sp is 0x7fff9b642140
>  Saved registers:
>   rbx at 0x7fff9b642130, rip at 0x7fff9b642138
> (gdb) f 4
> #4  0x00000000004b6ab3 in tor_tls_free (tls=0x2159fa0) at tortls.c:922
> 922     tortls.c: No such file or directory.
>         in tortls.c
> (gdb) p *tls
> $1 = {node = {hte_next = 0x0, hte_hash = 31986572}, context =
> 0x7f97883ce9f0, ssl = 0x7a04e30, socket = 1382, address = 0x7c344f0
> "[scrubbed]",
>   state = TOR_TLS_ST_OPEN, isServer = 1, wasV2Handshake = 1,
> got_renegotiate = 0, wantwrite_n = 0, last_write_count = 130436,
>   last_read_count = 9660, negotiated_callback = 0, callback_arg = 0x0}
> """
>
> [Automatically added by flyspray2trac: Operating System: Other Linux]

New description:

 Happens seemingly at random after a long go of running.

 """
 GNU gdb 6.8-debian
 Copyright (C) 2008 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later
 <http://gnu.org/licenses/gpl.html>
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 and "show warranty" for details.
 This GDB was configured as "x86_64-linux-gnu"...

 warning: Can't read pathname for load map: Input/output error.
 Reading symbols from /lib/libz.so.1...done.
 Loaded symbols for /lib/libz.so.1
 Reading symbols from /usr/lib/libevent-1.3e.so.1...done.
 Loaded symbols for /usr/lib/libevent-1.3e.so.1
 Reading symbols from /lib/libssl.so.0.9.8...done.
 Loaded symbols for /lib/libssl.so.0.9.8
 Reading symbols from /lib/libcrypto.so.0.9.8...done.
 Loaded symbols for /lib/libcrypto.so.0.9.8
 Reading symbols from /lib/libpthread.so.0...done.
 Loaded symbols for /lib/libpthread.so.0
 Reading symbols from /lib/libdl.so.2...done.
 Loaded symbols for /lib/libdl.so.2
 Reading symbols from /lib/libc.so.6...done.
 Loaded symbols for /lib/libc.so.6
 Reading symbols from /lib/libnsl.so.1...done.
 Loaded symbols for /lib/libnsl.so.1
 Reading symbols from /lib/librt.so.1...done.
 Loaded symbols for /lib/librt.so.1
 Reading symbols from /lib/libresolv.so.2...done.
 Loaded symbols for /lib/libresolv.so.2
 Reading symbols from /lib/ld-linux-x86-64.so.2...done.
 Loaded symbols for /lib64/ld-linux-x86-64.so.2
 Reading symbols from /lib/libnss_compat.so.2...done.
 Loaded symbols for /lib/libnss_compat.so.2
 Reading symbols from /lib/libnss_nis.so.2...done.
 Loaded symbols for /lib/libnss_nis.so.2
 Reading symbols from /lib/libnss_files.so.2...done.
 Loaded symbols for /lib/libnss_files.so.2
 Reading symbols from /lib/libnss_mdns4_minimal.so.2...done.
 Loaded symbols for /lib/libnss_mdns4_minimal.so.2
 Reading symbols from /lib/libnss_dns.so.2...done.
 Loaded symbols for /lib/libnss_dns.so.2
 Reading symbols from /lib/libgcc_s.so.1...done.
 Loaded symbols for /lib/libgcc_s.so.1
 Core was generated by `/usr/sbin/tor'.
 Program terminated with signal 11, Segmentation fault.
 [New process 16346]
 [New process 23317]
 [New process 23318]
 [New process 23320]
 [New process 23319]
 #0  0x00007f9792a80693 in CRYPTO_add_lock () from /lib/libcrypto.so.0.9.8
 (gdb) bt
 #0  0x00007f9792a80693 in CRYPTO_add_lock () from /lib/libcrypto.so.0.9.8
 #1  0x00007f9792aebc29 in EVP_PKEY_free () from /lib/libcrypto.so.0.9.8
 #2  0x00007f9792dd8771 in ssl_cert_free () from /lib/libssl.so.0.9.8
 #3  0x00007f9792dd71d8 in SSL_free () from /lib/libssl.so.0.9.8
 #4  0x00000000004b6ab3 in tor_tls_free (tls=0x2159fa0) at tortls.c:922
 #5  0x00000000004280bf in _connection_free (conn=0x50720d0) at
 connection.c:388
 #6  0x000000000046093c in close_closeable_connections () at main.c:602
 #7  0x0000000000461033 in second_elapsed_callback (fd=<value optimized
 out>, event=<value optimized out>, args=<value optimized out>)
     at main.c:1094
 #8  0x00007f9792ff867d in event_base_loop () from
 /usr/lib/libevent-1.3e.so.1
 #9  0x00000000004619c6 in do_main_loop () at main.c:1435
 #10 0x0000000000461c15 in tor_main (argc=1, argv=<value optimized out>) at
 main.c:2060
 #11 0x00007f97922a65a6 in __libc_start_main () from /lib/libc.so.6
 #12 0x0000000000407469 in _start ()
 (gdb) info frame 4
 Stack frame at 0x7fff9b642140:
  rip = 0x4b6ab3 in tor_tls_free (tortls.c:922); saved rip 0x4280bf
  called by frame at 0x7fff9b642180, caller of frame at 0x7fff9b642120
  source language c.
  Arglist at 0x7fff9b642118, args: tls=0x2159fa0
  Locals at 0x7fff9b642118, Previous frame's sp is 0x7fff9b642140
  Saved registers:
   rbx at 0x7fff9b642130, rip at 0x7fff9b642138
 (gdb) f 4
 #4  0x00000000004b6ab3 in tor_tls_free (tls=0x2159fa0) at tortls.c:922
 922     tortls.c: No such file or directory.
         in tortls.c
 (gdb) p *tls
 $1 = {node = {hte_next = 0x0, hte_hash = 31986572}, context =
 0x7f97883ce9f0, ssl = 0x7a04e30, socket = 1382, address = 0x7c344f0
 "[scrubbed]",
   state = TOR_TLS_ST_OPEN, isServer = 1, wasV2Handshake = 1,
 got_renegotiate = 0, wantwrite_n = 0, last_write_count = 130436,
   last_read_count = 9660, negotiated_callback = 0, callback_arg = 0x0}
 """

 [Automatically added by flyspray2trac: Operating System: Other Linux]

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/982#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

