[tor-bugs] #2954 [Tor Directory Authority]: Weird dirauth microdesc malloc failures, warns, ooms, exploit attempts?

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Tue Apr 19 06:25:23 UTC 2011


#2954: Weird dirauth microdesc malloc failures, warns, ooms, exploit attempts?
----------------------------------------+-----------------------------------
    Reporter:  mikeperry                |       Owner:  mikeperry                      
        Type:  defect                   |      Status:  reopened                       
    Priority:  critical                 |   Milestone:  Tor: 0.2.3.x-final             
   Component:  Tor Directory Authority  |     Version:                                 
  Resolution:                           |    Keywords:  MikePerryIterationFires20110417
      Parent:                           |      Points:  2                              
Actualpoints:  2                        |  
----------------------------------------+-----------------------------------
Changes (by rransom):

  * status:  closed => reopened
  * resolution:  fixed =>
  * milestone:  => Tor: 0.2.3.x-final


Comment:

 Replying to [comment:3 mikeperry]:
 > FYI: Here were the log lines:

 >
 {{{
 Apr 09 10:41:06.278 [warn] parse error: Malformed object: missing object
 end line
 Apr 09 10:41:06.279 [warn] Unparseable microdescriptor: @last-listed
 2010-02-04 01:50:01
 Apr 09 10:41:07.486 [warn] parse error: Malformed object: missing object
 end line
 Apr 09 10:41:07.486 [warn] Unparseable microdescriptor: @last-listed
 2010-02-06 05:50:01
 Apr 09 10:41:09.900 [warn] parse error: Malformed object: missing object
 end line
 }}}
 >

 (ides emitted these log lines while loading microdescriptors from its
 cached-microdescs.new file.)

 Notice the `@last-listed` dates -- ides had been corrupting its microdesc
 cache for over a year, but didn't OOM in the process of trying to parse
 the entire tail of its MD cache until this month, when the file had become
 ''much'' longer.

 Here is a longer piece of one of those ‘Unparseable microdescriptor’s:

 {{{
 Apr 09 10:41:14.550 [warn] Unparseable microdescriptor: @last-listed
 2010-08-13 07:50:01
 onion-key
 -----BEGIN RSA PUBLIC KEY-----
 MIGJAoGBAMeiFlr3EKP5qVMthV8Mi6NYvONH1ZlWNrg3947qNQj6OOE57hK/qT61
 Ovx717sEtdfuksSXxxVVd8K1ym5gMP4ffAZWFYc5Z3PxusNEs+0EjwyVLxrrwnY/
 hKG+XjXdW48TWQoad3HyRMMdQUfm+sSf6nEusEeRgg9gv+JHF1G/AgMBAAE=
 ---@last-listed 2010-08-18 04:20:01
 onion-key
 -----BEGIN RSA PUBLIC KEY-----
 MIGJAoGBALOgBn1u7gQCEIiowkX0cMVi20yZNoUXFbEn2HKreqGO/ZssPEcdAXbS
 1QdONiazdwVC7oFmdJ0OtS+OPyKPkoBqw0lR9CtOBXlJ45n+r7X2Yks0BHCt68Xx
 uqnP/1jODPsex2hxaa5WU0HXIh7idsIdJCrfZPw39V/Abw4mllKNAgMBAAE=
 -----END RSA PUBLIC KEY-----
 family slippy
 @last-listed 2010-08-18 04:20:01
 onion-key
 -----BEGIN RSA PUBLIC KEY-----
 MIGJAoGBALTs9+vmYkA4VIlzbeRydehhMVEYyifxCm1dibfv9A93we8QM/UvUkSk
 }}}

 > The microdesc code apparently does not log anything below warn, nor does
 > it log unparseable descriptors.

 (Mike had to modify the ‘Unparseable microdescriptor’ `log_warn` call to
 dump the descriptor into the log file.)

 > Inspecting the microdesc cache revealed that several microdescs appeared
 > to be just running into the next without proper termination, perhaps a
 > side effect of earlier crashes/ooms.

 `microdescs_add_list_to_cache` and `dump_microdescriptor` are scary.
 Perhaps we should be prefixing each item in the `cached-*.new` files with
 a line containing the cached item's length and a short (32 or fewer bits)
 hash, and trying to resynchronize if we read a damaged item.

 I'm reopening this ticket because I see no evidence that the underlying
 bug has been fixed.  In particular, `git blame` shows that nothing
 relevant in src/or/microdesc.c or src/common/util.c has been changed since
 2010-01-25, and microdescs were still being written improperly months
 later.

 Mike: Did you keep a copy of your `cached-microdescs*` files, or just
 delete them?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2954#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
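
The framing proposed in the comment above (a length and a short hash in front of each cached item, with resynchronization after a damaged item), sketched as an added example that is not part of the ticket and not Tor's code. It is written in Python rather than Tor's C; the `@frame` header line, the function names and the choice of CRC-32 as the short hash are assumptions, and the sample cache is constructed.

```python
import re
import zlib

# Hypothetical header written before each cached item:
#   "@frame <length in bytes> <crc32 as 8 hex digits>\n"
# Not anchored to line start: a truncated item can end mid-line, so the next
# header may follow it directly (as in "---@last-listed" in the log above).
HEADER = re.compile(rb"@frame (\d+) ([0-9a-f]{8})\n")

def frame(item: bytes) -> bytes:
    """Prefix one cache item with its length and CRC-32."""
    return b"@frame %d %08x\n" % (len(item), zlib.crc32(item)) + item

def read_frames(buf: bytes):
    """Return (good_items, skipped_bytes), resynchronizing after damage."""
    good, skipped, pos = [], 0, 0
    while pos < len(buf):
        m = HEADER.search(buf, pos)
        if m is None:                      # no further header: drop the tail
            skipped += len(buf) - pos
            break
        skipped += m.start() - pos         # bytes that belong to no valid frame
        length, want = int(m.group(1)), int(m.group(2), 16)
        body = buf[m.end():m.end() + length]
        if len(body) == length and zlib.crc32(body) == want:
            good.append(body)
            pos = m.end() + length
        else:
            # Damaged item: discard only its header and rescan from there, so
            # one bad record costs a bounded skip, not the whole tail.
            skipped += m.end() - m.start()
            pos = m.end()
    return good, skipped

def sample_cache():
    """Constructed data: three items, the second cut short mid-write."""
    items = [b"onion-key\nKEY-%d\n-----END RSA PUBLIC KEY-----\n" % i
             for i in range(3)]
    framed = [frame(x) for x in items]
    framed[1] = framed[1][:-26]            # leaves "...KEY-1\n---" before next header
    return items, b"".join(framed)

if __name__ == "__main__":
    items, buf = sample_cache()
    good, skipped = read_frames(buf)
    print(len(good), "items recovered,", skipped, "bytes skipped")
```
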

