[tor-bugs] #6029 [Tor Relay]: relay crash in libcrypto (tor_tls_handshake)

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Fri Jun 1 11:16:09 UTC 2012


#6029: relay crash in libcrypto (tor_tls_handshake)
-----------------------+----------------------------------------------------
 Reporter:  ln5        |          Owner:     
     Type:  defect     |         Status:  new
 Priority:  major      |      Milestone:     
Component:  Tor Relay  |        Version:     
 Keywords:             |         Parent:     
   Points:             |   Actualpoints:     
-----------------------+----------------------------------------------------

Old description:

> This is on a very fast relay (>200 mbit/s).  Started happening day
> before yesterday without any known changes to tor, libevent or
> openssl.  Reproducible within hours it seems.
>
> $ uname -a
> Linux tor 2.6.32-38-server #83-Ubuntu SMP Wed Jan 4 11:26:59 UTC 2012
> x86_64 GNU/Linux
>
> libevent is 2.0.19-stable.
>
> Jun 01 08:49:46.000 [notice] Tor 0.2.3.15-alpha (git-2513a3e959b61612)
> opening log file.
> Jun 01 08:49:46.000 [notice] This version of OpenSSL has a known-good EVP
> counter-mode implementation. Using it.
> Jun 01 08:49:46.000 [notice] OpenSSL OpenSSL 1.0.1c 10 May 2012 looks
> like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
> Jun 01 08:49:46.000 [notice] Your Tor server's identity key fingerprint
> is 'ndnr1 6330CCF8FEED2EF9B12FCF6688E2577C65522BA4'
>
> (gdb) bt full
> #0  0x00007ffff6a02acd in write () from /lib/libc.so.6
> No symbol table info available.
> #1  0x00007ffff71a1035 in sock_write () from
> /home/linus/usr/lib/libcrypto.so.1.0.0
> No symbol table info available.
> #2  0x00007ffff719f1a7 in BIO_write () from
> /home/linus/usr/lib/libcrypto.so.1.0.0
> No symbol table info available.
> #3  0x00007ffff71a2389 in buffer_ctrl () from
> /home/linus/usr/lib/libcrypto.so.1.0.0
> No symbol table info available.
> #4  0x00007ffff74b6307 in ssl3_accept () from
> /home/linus/usr/lib/libssl.so.1.0.0
> No symbol table info available.
> #5  0x00007ffff74c2b05 in ssl23_get_client_hello () from
> /home/linus/usr/lib/libssl.so.1.0.0
> No symbol table info available.
> #6  0x00007ffff74c33e5 in ssl23_accept () from
> /home/linus/usr/lib/libssl.so.1.0.0
> No symbol table info available.
> #7  0x000000000052e3f9 in tor_tls_handshake (tls=0x7fffdc774b60) at
> tortls.c:1743
>         r = 0
>         oldstate = 24576
>         __PRETTY_FUNCTION__ = "tor_tls_handshake"
>         __func__ = "tor_tls_handshake"
> #8  0x00000000004bd04e in connection_tls_continue_handshake
> (conn=0x7fffdc4507a0)
>     at connection_or.c:1182
>         result = 7
>         __PRETTY_FUNCTION__ = "connection_tls_continue_handshake"
>         __func__ = "connection_tls_continue_handshake"
> #9  0x00000000004bcf01 in connection_tls_start_handshake
> (conn=0x7fffdc4507a0, receiving=1)
>     at connection_or.c:1139
>         __PRETTY_FUNCTION__ = "connection_tls_start_handshake"
>         __func__ = "connection_tls_start_handshake"
> #10 0x00000000004a7b5b in connection_init_accepted_conn
> (conn=0x7fffdc4507a0, listener=0x7ac900)
>     at connection.c:1278
> No locals.
> #11 0x00000000004a7a7f in connection_handle_listener_read (conn=0x7ac900,
> new_type=4)
>     at connection.c:1256
>         news = 314
>         newconn = 0x7fffdc4507a0
>         addrbuf = {ss_family = 2, __ss_align = 0, __ss_padding = '\000'
> <repeats 111 times>}
>         remote = 0x7fffffffddd0
>         remotelen = 16
>         options = 0x7a9c80
>         __PRETTY_FUNCTION__ = "connection_handle_listener_read"
>         __func__ = "connection_handle_listener_read"
> #12 0x00000000004aad5e in connection_handle_read_impl (conn=0x7ac900) at
> connection.c:2627
>         max_to_read = -1
>         try_to_read = 140737354119250
>         before = 140737488346864
>         n_read = 0
>         socket_error = 0
>         __PRETTY_FUNCTION__ = "connection_handle_read_impl"
>         __func__ = "connection_handle_read_impl"
> #13 0x00000000004ab14e in connection_handle_read (conn=0x7ac900) at
> connection.c:2721
>         res = 32767
> #14 0x000000000040a578 in conn_read_callback (fd=8, event=2,
> _conn=0x7ac900) at main.c:702
>         conn = 0x7ac900
>         __PRETTY_FUNCTION__ = "conn_read_callback"
> #15 0x00007ffff771010c in event_process_active_single_queue
> (base=0x7ac110, flags=<value optimized out>)
>     at event.c:1346
>         ev = 0x7ac9d0
> #16 event_process_active (base=0x7ac110, flags=<value optimized out>) at
> event.c:1416
>         activeq = 0x7ab9b0
>         i = 0
> #17 event_base_loop (base=0x7ac110, flags=<value optimized out>) at
> event.c:1617
>         n = 1
>         evsel = 0x7ffff7940d80
>         tv = {tv_sec = 0, tv_usec = 53123}
>         tv_p = <value optimized out>
>         res = <value optimized out>
>         retval = <value optimized out>
>         __func__ = "event_base_loop"
> #18 0x000000000040cf32 in do_main_loop () at main.c:1924
>         loop_result = 0
>         now = 1338533388
>         __PRETTY_FUNCTION__ = "do_main_loop"
>         __func__ = "do_main_loop"
> #19 0x000000000040e4a7 in tor_main (argc=3, argv=0x7fffffffe1f8) at
> main.c:2619
>         result = 0
>         __PRETTY_FUNCTION__ = "tor_main"
> #20 0x0000000000408b34 in main (argc=3, argv=0x7fffffffe1f8) at
> tor_main.c:30
> No locals.

New description:

 This is on a very fast relay (>200 mbit/s).  Started happening day
 before yesterday without any known changes to tor, libevent or
 openssl.  Reproducible within hours it seems.

 $ uname -a
 Linux tor 2.6.32-38-server #83-Ubuntu SMP Wed Jan 4 11:26:59 UTC 2012
 x86_64 GNU/Linux

 libevent is 2.0.19-stable.
 {{{
 Jun 01 08:49:46.000 [notice] Tor 0.2.3.15-alpha (git-2513a3e959b61612)
 opening log file.
 Jun 01 08:49:46.000 [notice] This version of OpenSSL has a known-good EVP
 counter-mode implementation. Using it.
 Jun 01 08:49:46.000 [notice] OpenSSL OpenSSL 1.0.1c 10 May 2012 looks like
 version 0.9.8m or later; I will try SSL_OP to enable renegotiation
 Jun 01 08:49:46.000 [notice] Your Tor server's identity key fingerprint is
 'ndnr1 6330CCF8FEED2EF9B12FCF6688E2577C65522BA4'

 (gdb) bt full
 #0  0x00007ffff6a02acd in write () from /lib/libc.so.6
 No symbol table info available.
 #1  0x00007ffff71a1035 in sock_write () from
 /home/linus/usr/lib/libcrypto.so.1.0.0
 No symbol table info available.
 #2  0x00007ffff719f1a7 in BIO_write () from
 /home/linus/usr/lib/libcrypto.so.1.0.0
 No symbol table info available.
 #3  0x00007ffff71a2389 in buffer_ctrl () from
 /home/linus/usr/lib/libcrypto.so.1.0.0
 No symbol table info available.
 #4  0x00007ffff74b6307 in ssl3_accept () from
 /home/linus/usr/lib/libssl.so.1.0.0
 No symbol table info available.
 #5  0x00007ffff74c2b05 in ssl23_get_client_hello () from
 /home/linus/usr/lib/libssl.so.1.0.0
 No symbol table info available.
 #6  0x00007ffff74c33e5 in ssl23_accept () from
 /home/linus/usr/lib/libssl.so.1.0.0
 No symbol table info available.
 #7  0x000000000052e3f9 in tor_tls_handshake (tls=0x7fffdc774b60) at
 tortls.c:1743
         r = 0
         oldstate = 24576
         __PRETTY_FUNCTION__ = "tor_tls_handshake"
         __func__ = "tor_tls_handshake"
 #8  0x00000000004bd04e in connection_tls_continue_handshake
 (conn=0x7fffdc4507a0)
     at connection_or.c:1182
         result = 7
         __PRETTY_FUNCTION__ = "connection_tls_continue_handshake"
         __func__ = "connection_tls_continue_handshake"
 #9  0x00000000004bcf01 in connection_tls_start_handshake
 (conn=0x7fffdc4507a0, receiving=1)
     at connection_or.c:1139
         __PRETTY_FUNCTION__ = "connection_tls_start_handshake"
         __func__ = "connection_tls_start_handshake"
 #10 0x00000000004a7b5b in connection_init_accepted_conn
 (conn=0x7fffdc4507a0, listener=0x7ac900)
     at connection.c:1278
 No locals.
 #11 0x00000000004a7a7f in connection_handle_listener_read (conn=0x7ac900,
 new_type=4)
     at connection.c:1256
         news = 314
         newconn = 0x7fffdc4507a0
         addrbuf = {ss_family = 2, __ss_align = 0, __ss_padding = '\000'
 <repeats 111 times>}
         remote = 0x7fffffffddd0
         remotelen = 16
         options = 0x7a9c80
         __PRETTY_FUNCTION__ = "connection_handle_listener_read"
         __func__ = "connection_handle_listener_read"
 #12 0x00000000004aad5e in connection_handle_read_impl (conn=0x7ac900) at
 connection.c:2627
         max_to_read = -1
         try_to_read = 140737354119250
         before = 140737488346864
         n_read = 0
         socket_error = 0
         __PRETTY_FUNCTION__ = "connection_handle_read_impl"
         __func__ = "connection_handle_read_impl"
 #13 0x00000000004ab14e in connection_handle_read (conn=0x7ac900) at
 connection.c:2721
         res = 32767
 #14 0x000000000040a578 in conn_read_callback (fd=8, event=2,
 _conn=0x7ac900) at main.c:702
         conn = 0x7ac900
         __PRETTY_FUNCTION__ = "conn_read_callback"
 #15 0x00007ffff771010c in event_process_active_single_queue
 (base=0x7ac110, flags=<value optimized out>)
     at event.c:1346
         ev = 0x7ac9d0
 #16 event_process_active (base=0x7ac110, flags=<value optimized out>) at
 event.c:1416
         activeq = 0x7ab9b0
         i = 0
 #17 event_base_loop (base=0x7ac110, flags=<value optimized out>) at
 event.c:1617
         n = 1
         evsel = 0x7ffff7940d80
         tv = {tv_sec = 0, tv_usec = 53123}
         tv_p = <value optimized out>
         res = <value optimized out>
         retval = <value optimized out>
         __func__ = "event_base_loop"
 #18 0x000000000040cf32 in do_main_loop () at main.c:1924
         loop_result = 0
         now = 1338533388
         __PRETTY_FUNCTION__ = "do_main_loop"
         __func__ = "do_main_loop"
 #19 0x000000000040e4a7 in tor_main (argc=3, argv=0x7fffffffe1f8) at
 main.c:2619
         result = 0
         __PRETTY_FUNCTION__ = "tor_main"
 #20 0x0000000000408b34 in main (argc=3, argv=0x7fffffffe1f8) at
 tor_main.c:30
 No locals.
 }}}

--

Comment(by Sebastian):

 Replying to [ticket:6029 ln5]:
 > This is on a very fast relay (>200 mbit/s).  Started happening day
 > before yesterday without any known changes to tor, libevent or
 > openssl.  Reproducible within hours it seems.
 >
 > $ uname -a
 > Linux tor 2.6.32-38-server #83-Ubuntu SMP Wed Jan 4 11:26:59 UTC 2012
 x86_64 GNU/Linux
 >
 > libevent is 2.0.19-stable.
 >
 > Jun 01 08:49:46.000 [notice] Tor 0.2.3.15-alpha (git-2513a3e959b61612)
 opening log file.
 > Jun 01 08:49:46.000 [notice] This version of OpenSSL has a known-good
 EVP counter-mode implementation. Using it.
 > Jun 01 08:49:46.000 [notice] OpenSSL OpenSSL 1.0.1c 10 May 2012 looks
 like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
 > Jun 01 08:49:46.000 [notice] Your Tor server's identity key fingerprint
 is 'ndnr1 6330CCF8FEED2EF9B12FCF6688E2577C65522BA4'
 >
 > (gdb) bt full
 > #0  0x00007ffff6a02acd in write () from /lib/libc.so.6
 > No symbol table info available.
 > #1  0x00007ffff71a1035 in sock_write () from
 /home/linus/usr/lib/libcrypto.so.1.0.0
 > No symbol table info available.
 > #2  0x00007ffff719f1a7 in BIO_write () from
 /home/linus/usr/lib/libcrypto.so.1.0.0
 > No symbol table info available.
 > #3  0x00007ffff71a2389 in buffer_ctrl () from
 /home/linus/usr/lib/libcrypto.so.1.0.0
 > No symbol table info available.
 > #4  0x00007ffff74b6307 in ssl3_accept () from
 /home/linus/usr/lib/libssl.so.1.0.0
 > No symbol table info available.
 > #5  0x00007ffff74c2b05 in ssl23_get_client_hello () from
 /home/linus/usr/lib/libssl.so.1.0.0
 > No symbol table info available.
 > #6  0x00007ffff74c33e5 in ssl23_accept () from
 /home/linus/usr/lib/libssl.so.1.0.0
 > No symbol table info available.
 > #7  0x000000000052e3f9 in tor_tls_handshake (tls=0x7fffdc774b60) at
 tortls.c:1743
 >         r = 0
 >         oldstate = 24576
 >         __PRETTY_FUNCTION__ = "tor_tls_handshake"
 >         __func__ = "tor_tls_handshake"
 > #8  0x00000000004bd04e in connection_tls_continue_handshake
 (conn=0x7fffdc4507a0)
 >     at connection_or.c:1182
 >         result = 7
 >         __PRETTY_FUNCTION__ = "connection_tls_continue_handshake"
 >         __func__ = "connection_tls_continue_handshake"
 > #9  0x00000000004bcf01 in connection_tls_start_handshake
 (conn=0x7fffdc4507a0, receiving=1)
 >     at connection_or.c:1139
 >         __PRETTY_FUNCTION__ = "connection_tls_start_handshake"
 >         __func__ = "connection_tls_start_handshake"
 > #10 0x00000000004a7b5b in connection_init_accepted_conn
 (conn=0x7fffdc4507a0, listener=0x7ac900)
 >     at connection.c:1278
 > No locals.
 > #11 0x00000000004a7a7f in connection_handle_listener_read
 (conn=0x7ac900, new_type=4)
 >     at connection.c:1256
 >         news = 314
 >         newconn = 0x7fffdc4507a0
 >         addrbuf = {ss_family = 2, __ss_align = 0, __ss_padding = '\000'
 <repeats 111 times>}
 >         remote = 0x7fffffffddd0
 >         remotelen = 16
 >         options = 0x7a9c80
 >         __PRETTY_FUNCTION__ = "connection_handle_listener_read"
 >         __func__ = "connection_handle_listener_read"
 > #12 0x00000000004aad5e in connection_handle_read_impl (conn=0x7ac900) at
 connection.c:2627
 >         max_to_read = -1
 >         try_to_read = 140737354119250
 >         before = 140737488346864
 >         n_read = 0
 >         socket_error = 0
 >         __PRETTY_FUNCTION__ = "connection_handle_read_impl"
 >         __func__ = "connection_handle_read_impl"
 > #13 0x00000000004ab14e in connection_handle_read (conn=0x7ac900) at
 connection.c:2721
 >         res = 32767
 > #14 0x000000000040a578 in conn_read_callback (fd=8, event=2,
 _conn=0x7ac900) at main.c:702
 >         conn = 0x7ac900
 >         __PRETTY_FUNCTION__ = "conn_read_callback"
 > #15 0x00007ffff771010c in event_process_active_single_queue
 (base=0x7ac110, flags=<value optimized out>)
 >     at event.c:1346
 >         ev = 0x7ac9d0
 > #16 event_process_active (base=0x7ac110, flags=<value optimized out>) at
 event.c:1416
 >         activeq = 0x7ab9b0
 >         i = 0
 > #17 event_base_loop (base=0x7ac110, flags=<value optimized out>) at
 event.c:1617
 >         n = 1
 >         evsel = 0x7ffff7940d80
 >         tv = {tv_sec = 0, tv_usec = 53123}
 >         tv_p = <value optimized out>
 >         res = <value optimized out>
 >         retval = <value optimized out>
 >         __func__ = "event_base_loop"
 > #18 0x000000000040cf32 in do_main_loop () at main.c:1924
 >         loop_result = 0
 >         now = 1338533388
 >         __PRETTY_FUNCTION__ = "do_main_loop"
 >         __func__ = "do_main_loop"
 > #19 0x000000000040e4a7 in tor_main (argc=3, argv=0x7fffffffe1f8) at
 main.c:2619
 >         result = 0
 >         __PRETTY_FUNCTION__ = "tor_main"
 > #20 0x0000000000408b34 in main (argc=3, argv=0x7fffffffe1f8) at
 tor_main.c:30
 > No locals.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6029#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

