[tor-bugs] #14815 [Tor]: use-after-free in cpuworker_onion_handshake_replyfn()
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Feb 9 06:47:12 UTC 2015
#14815: use-after-free in cpuworker_onion_handshake_replyfn()
--------------------+------------------------------------
Reporter: arma | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: 0.2.6.x-final
Component: Tor | Version:
Keywords: | Actual Points:
Parent ID: | Points:
--------------------+------------------------------------
Running git master (37d16c3cc7) on moria1 I see in my valgrind:
{{{
==60115== Invalid read of size 4
==60115== at 0x1F861E: cpuworker_onion_handshake_replyfn (cpuworker.c:339)
==60115== by 0x23FCF1: replyqueue_process (workqueue.c:482)
==60115== by 0x50B9B43: event_base_loop (in /usr/lib64/libevent-1.4.so.2.1.3)
==60115== by 0x13A570: do_main_loop (main.c:2117)
==60115== by 0x13BED4: tor_main (main.c:3096)
==60115== by 0x5D49D5C: (below main) (in /lib64/libc-2.12.so)
==60115== Address 0x148e5360 is 0 bytes inside a block of size 376 free'd
==60115== at 0x4A06430: free (vg_replace_malloc.c:446)
==60115== by 0x1B6823: circuit_close_all_marked (circuitlist.c:460)
==60115== by 0x13E74F: second_elapsed_callback (main.c:1594)
==60115== by 0x50B9B43: event_base_loop (in /usr/lib64/libevent-1.4.so.2.1.3)
==60115== by 0x13A570: do_main_loop (main.c:2117)
==60115== by 0x13BED4: tor_main (main.c:3096)
==60115== by 0x5D49D5C: (below main) (in /lib64/libc-2.12.so)
==60115==
==60115== Invalid read of size 2
==60115== at 0x1F862B: cpuworker_onion_handshake_replyfn (cpuworker.c:351)
==60115== by 0x23FCF1: replyqueue_process (workqueue.c:482)
==60115== by 0x50B9B43: event_base_loop (in /usr/lib64/libevent-1.4.so.2.1.3)
==60115== by 0x13A570: do_main_loop (main.c:2117)
==60115== by 0x13BED4: tor_main (main.c:3096)
==60115== by 0x5D49D5C: (below main) (in /lib64/libc-2.12.so)
==60115== Address 0x148e53e0 is 128 bytes inside a block of size 376 free'd
==60115== at 0x4A06430: free (vg_replace_malloc.c:446)
==60115== by 0x1B6823: circuit_close_all_marked (circuitlist.c:460)
==60115== by 0x13E74F: second_elapsed_callback (main.c:1594)
==60115== by 0x50B9B43: event_base_loop (in /usr/lib64/libevent-1.4.so.2.1.3)
==60115== by 0x13A570: do_main_loop (main.c:2117)
==60115== by 0x13BED4: tor_main (main.c:3096)
==60115== by 0x5D49D5C: (below main) (in /lib64/libc-2.12.so)
==60115==
==60115== Invalid write of size 8
==60115== at 0x1F8633: cpuworker_onion_handshake_replyfn (cpuworker.c:349)
==60115== by 0x23FCF1: replyqueue_process (workqueue.c:482)
==60115== by 0x50B9B43: event_base_loop (in /usr/lib64/libevent-1.4.so.2.1.3)
==60115== by 0x13A570: do_main_loop (main.c:2117)
==60115== by 0x13BED4: tor_main (main.c:3096)
==60115== by 0x5D49D5C: (below main) (in /lib64/libc-2.12.so)
==60115== Address 0x148e5430 is 208 bytes inside a block of size 376 free'd
==60115== at 0x4A06430: free (vg_replace_malloc.c:446)
==60115== by 0x1B6823: circuit_close_all_marked (circuitlist.c:460)
==60115== by 0x13E74F: second_elapsed_callback (main.c:1594)
==60115== by 0x50B9B43: event_base_loop (in /usr/lib64/libevent-1.4.so.2.1.3)
==60115== by 0x13A570: do_main_loop (main.c:2117)
==60115== by 0x13BED4: tor_main (main.c:3096)
==60115== by 0x5D49D5C: (below main) (in /lib64/libc-2.12.so)
}}}
(Looks like one bug with three different symptoms)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14815>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
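The trace above shows a classic lifetime race between two main-loop callbacks: second_elapsed_callback() frees a marked circuit via circuit_close_all_marked(), and later replyqueue_process() delivers a worker reply whose job still holds a raw pointer to that circuit, so cpuworker_onion_handshake_replyfn() reads and writes freed memory. The following C program is an added illustration of that pattern and of one defensive fix for it; it is not Tor's code, and its structures (circuit_t, cpuworker_job_t, the workqueue_entry back-pointer, the reply queue, and the two scenario functions) are simplified assumptions modelled on the function names in the trace, not Tor's real definitions. The fix shown is the general technique of severing the job's pointer when its owner is freed and having the reply handler drop replies whose owner is gone.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified models of the structures named in the trace;
 * they are NOT Tor's real circuit_t or cpuworker_job_t. */
typedef struct cpuworker_job_t cpuworker_job_t;

typedef struct circuit_t {
  int marked_for_close;
  cpuworker_job_t *workqueue_entry;   /* pending worker job, or NULL */
  unsigned char keys[64];             /* what the reply fills in */
} circuit_t;

struct cpuworker_job_t {
  circuit_t *circ;                    /* NULLed when the circuit is freed */
  int handshake_ok;
  unsigned char reply_keys[64];
};

#define MAX_JOBS 8

/* A bounded array stands in for the real reply queue (constructed). */
static cpuworker_job_t *reply_queue[MAX_JOBS];
static int reply_queue_len;

static circuit_t *circuit_new(void) {
  return calloc(1, sizeof(circuit_t));
}

/* Hand the handshake to a worker. The job keeps a raw pointer to circ,
 * and circ keeps a back-pointer so the link can be severed on free. */
static cpuworker_job_t *assign_handshake(circuit_t *circ) {
  cpuworker_job_t *job = calloc(1, sizeof *job);
  job->circ = circ;
  circ->workqueue_entry = job;
  return job;
}

/* The worker finishes and queues the reply for the main thread. */
static void worker_finish(cpuworker_job_t *job) {
  job->handshake_ok = 1;
  memset(job->reply_keys, 0x42, sizeof job->reply_keys);
  reply_queue[reply_queue_len++] = job;
}

/* Hardened free: sever the pending job's pointer before the memory goes
 * away, so the reply handler cannot touch the dead circuit. */
static void circuit_free(circuit_t *circ) {
  if (circ->workqueue_entry) {
    circ->workqueue_entry->circ = NULL;
    circ->workqueue_entry = NULL;
  }
  free(circ);
}

/* Stand-in for circuit_close_all_marked(): runs from the periodic
 * callback regardless of whether a handshake reply is still queued. */
static void circuit_close_all_marked(circuit_t **circs, int n) {
  for (int i = 0; i < n; i++) {
    if (circs[i] && circs[i]->marked_for_close) {
      circuit_free(circs[i]);
      circs[i] = NULL;
    }
  }
}

/* Reply handler. Returns 1 if the reply was applied, 0 if dropped because
 * the circuit is gone. Dereferencing job->circ without this check is the
 * read/write into a freed block that valgrind reported. */
static int handshake_replyfn(cpuworker_job_t *job) {
  circuit_t *circ = job->circ;
  int applied = 0;
  if (circ != NULL && circ->workqueue_entry == job) {
    circ->workqueue_entry = NULL;
    if (job->handshake_ok)
      memcpy(circ->keys, job->reply_keys, sizeof circ->keys);
    applied = 1;
  }
  free(job);                          /* the job is always ours to free */
  return applied;
}

/* Drain the reply queue; returns how many replies were applied. */
static int replyqueue_process(void) {
  int applied = 0;
  for (int i = 0; i < reply_queue_len; i++)
    applied += handshake_replyfn(reply_queue[i]);
  reply_queue_len = 0;
  return applied;
}

/* Ordering from the ticket: the circuit is marked and freed while its
 * reply is still queued. Returns 0: the reply is dropped, not applied. */
int scenario_free_before_reply(void) {
  circuit_t *circs[1] = { circuit_new() };
  cpuworker_job_t *job = assign_handshake(circs[0]);
  worker_finish(job);
  circs[0]->marked_for_close = 1;
  circuit_close_all_marked(circs, 1);   /* frees circ, NULLs job->circ */
  return replyqueue_process();
}

/* Normal ordering: the reply lands while the circuit is alive. Returns 1. */
int scenario_reply_before_free(void) {
  circuit_t *circs[1] = { circuit_new() };
  cpuworker_job_t *job = assign_handshake(circs[0]);
  worker_finish(job);
  int applied = replyqueue_process();
  circs[0]->marked_for_close = 1;
  circuit_close_all_marked(circs, 1);
  return applied;
}
```

Running scenario_free_before_reply() under valgrind or AddressSanitizer is a useful regression check for this class of bug: with the back-pointer severing in circuit_free() it reports nothing, while removing the `circ != NULL` check and the severing reproduces the "read inside a freed block" pattern seen in the ticket.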