[tor-bugs] #15901 [Tor]: apparent memory corruption -- very difficult to isolate

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Aug 24 01:55:05 UTC 2015


#15901: apparent memory corruption -- very difficult to isolate
---------------------------+--------------------------------
     Reporter:  starlight  |      Owner:
         Type:  defect     |     Status:  new
     Priority:  critical   |  Milestone:  Tor: 0.2.7.x-final
    Component:  Tor        |    Version:  Tor: 0.2.6.10
   Resolution:             |   Keywords:
Actual Points:             |  Parent ID:
       Points:             |
---------------------------+--------------------------------

Comment (by starlight):

 I thought about that.  Figure I'll just start the
 mprotect() at a rounded-up page boundary and end
 it, likewise, at a rounded-down page boundary.
 The consensus document is about 340 pages so
 statistically that's good-enough to catch it.
 Takes about three-to-four weeks after a
 `rm cached-*` restart for memory to arrange
 itself such that the bug hits the WIP
 consensus document.  I now realize that
 the signature validation of the consensus
 is acting as a honeypot for detecting the
 memory access bug.  Probably happens all
 the time but doesn't break anything else
 in an obvious way.

 Here's some more core-file analysis.  I'm
 beginning to suspect that the low-order two
 bytes of a pointer are being overwritten.

 {{{
 corruption value "n rHDXjA" or endian-adjusted 0x416A58444872206E

 load3 from core file, large segment near end, heap per "size -A"
    "load3         67067904        1_____________6"

 (gdb) find 0x00007f__98000000, 0x00007f__9bff6000, 0x416A58444872206E
 0x7___9ba35d44   FBIPartyTrain   1 of 10
 0x7___9bc423cc   FBIPartyTrain   2
 0x7___9bda5b62   FBIPartyTrain   3
 0x7___9bf0004b   FBIPartyTrain   4
 warning: Unable to access 15534 bytes of target memory at 0x7___9bff2353,
 halting search.


 load49 from core file, large segment near end, heap per "size -A"
    "load49       299806720        1_____________6"

 (gdb) find 0x00007f__aa638000, 0x00007f__bc423000, 0x416A58444872206E
 0x7___bb52c0b4   FBIPartyTrain   5
 0x7___bb52f4f0 * ToughMudder     6 of 10   seg offset 0x10EF74F0 of
 284128496, 94.7%
 0x7___bb71be2e   FBIPartyTrain   7
 0x7___bb85ee2a   FBIPartyTrain   8
 0x7___bb9cc864   FBIPartyTrain   9
 0x7___bbbab2c1   FBIPartyTrain  10
 warning: Unable to access 15416 bytes of target memory at 0x7___bc41f3c9,
 halting search.

 display with

 (gdb) x/32c 0x7___bb52f4f0-16
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15901#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
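The page-boundary mprotect() guard and the gdb `find` value that the comment above works with, as an added example in C. This is not code from the ticket or from Tor; it assumes a POSIX system with mprotect()/sigaction(), and the names (guard_span, guard_buffer, probe_write, pattern_to_le64, map_pages) and the four-page mapping standing in for the consensus buffer are hypothetical. The interior of an unaligned buffer is rounded up at the start and down at the end, made read-only, and a SIGSEGV handler records the faulting address and re-opens that one page so execution continues; pattern_to_le64 converts the 8 bytes seen in a hexdump ("n rHDXjA") to the little-endian integer used in the comment's `find`.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added example, not Tor code; all names here are hypothetical. */

static uintptr_t g_pagesize;              /* cached: sysconf() is not signal-safe */
static volatile uintptr_t g_fault_addr;   /* si_addr of the last guard hit, 0 if none */

/* SIGSEGV handler for guard hits: record the address, then re-open only the
   page that faulted so the stray write re-executes and the process goes on.
   A real investigation would dump a backtrace here before continuing. */
static void guard_handler(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    uintptr_t addr = (uintptr_t)si->si_addr;
    g_fault_addr = addr;
    if (mprotect((void *)(addr & ~(g_pagesize - 1)), g_pagesize,
                 PROT_READ | PROT_WRITE) != 0)
        _exit(112);  /* not one of our guards (e.g. a real NULL deref): bail out */
}

static int install_guard_handler(void)
{
    struct sigaction sa;
    g_pagesize = (uintptr_t)sysconf(_SC_PAGESIZE);
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = guard_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Page-aligned interior of [buf, buf+len): start rounded up, end rounded
   down. Returns the guarded length, 0 if no whole page fits inside. */
static size_t guard_span(const void *buf, size_t len, uintptr_t *lo, uintptr_t *hi)
{
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = ((uintptr_t)buf + pg - 1) & ~(pg - 1);
    uintptr_t end = ((uintptr_t)buf + len) & ~(pg - 1);
    if (end <= start) { *lo = *hi = 0; return 0; }
    *lo = start; *hi = end;
    return end - start;
}

/* Make the interior read-only: any later write into it raises SIGSEGV. */
static int guard_buffer(const void *buf, size_t len)
{
    uintptr_t lo, hi;
    size_t n = guard_span(buf, len, &lo, &hi);
    return n ? mprotect((void *)lo, n, PROT_READ) : -1;
}

/* Write one byte through a volatile pointer; 1 if the guard caught exactly
   this address, 0 if the write went through silently (slack or unguarded). */
static int probe_write(unsigned char *p, unsigned char v)
{
    g_fault_addr = 0;
    *(volatile unsigned char *)p = v;
    return g_fault_addr == (uintptr_t)p;
}

/* Turn 8 bytes as they appear in a hexdump ("n rHDXjA") into the
   little-endian integer that gdb's `find` compares against. */
static uint64_t pattern_to_le64(const char *s)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | (unsigned char)s[i];
    return v;
}

/* Anonymous page-aligned mapping standing in for the heap segment. */
static unsigned char *map_pages(size_t npages)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, npages * pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

int main(void)
{
    if (install_guard_handler() != 0) return 1;
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *base = map_pages(4);
    if (!base) return 1;
    /* Constructed: an unaligned buffer, like a malloc()ed document. */
    unsigned char *doc = base + 100;
    size_t doclen = 4 * pg - 200;
    uintptr_t lo, hi;
    printf("guarding %zu of %zu bytes\n", guard_span(doc, doclen, &lo, &hi), doclen);
    guard_buffer(doc, doclen);
    printf("write in head slack caught: %d\n", probe_write(doc, 'x'));
    printf("write in interior caught:   %d\n", probe_write(base + pg + 5, 'x'));
    printf("gdb find value: 0x%016llX\n",
           (unsigned long long)pattern_to_le64("n rHDXjA"));
    return 0;
}
```

Only the whole pages strictly inside the buffer are guarded, so a stray write landing in the unaligned head or tail page goes unseen; that is the "statistically good enough" trade-off the comment accepts for a buffer of a few hundred pages. The guard also only sees writes from this process through the MMU, and the handler must re-open the page before returning, or the faulting store will re-fault forever.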
