[tor-bugs] #14815 [Tor]: use-after-free in cpuworker_onion_handshake_replyfn()

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Feb 9 14:58:01 UTC 2015


#14815: use-after-free in cpuworker_onion_handshake_replyfn()
------------------------+--------------------------------
     Reporter:  arma    |      Owner:
         Type:  defect  |     Status:  new
     Priority:  normal  |  Milestone:  Tor: 0.2.6.x-final
    Component:  Tor     |    Version:
   Resolution:          |   Keywords:
Actual Points:          |  Parent ID:
       Points:          |
------------------------+--------------------------------

Comment (by Sebastian):

 Here's my analysis:

 Something calls cpuworker_cancel_circ_handshake(), which calls
 workqueue_entry_cancel(). But that doesn't cancel the job, because it's
 currently running. Then cpuworker_cancel_circ_handshake() does
 circ->workqueue_entry = NULL;

 Now the second rolls over, and we hunt dead circs.
 circuit_close_all_marked() checks if a circ has a workqueue_entry != NULL,
 and if so, it doesn't free the circ - but if the workqueue_entry == NULL,
 then it goes ahead and frees the circ. Now the job finishes but the circ
 is already freed, and boom.

 I currently think moving the circ->workqueue_entry = NULL into the if
 (job) inside cpuworker_cancel_circ_handshake() is the correct fix, because
 we also do that in cpuworker_onion_handshake_replyfn().

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14815#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
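A model of the race described in the comment above, added here as an illustration and not Tor's own code: the function names mirror the ones in the ticket, but the structs, the `freed` flag and the `use_fix` switch are simplified stand-ins for the real workqueue and circuit lifetime.

```c
#include <stddef.h>
typedef struct circuit_t circuit_t;
typedef struct workqueue_entry_t {
  int running;      /* set once a worker thread has picked the job up */
  circuit_t *circ;  /* back-pointer the reply function dereferences */
} workqueue_entry_t;
struct circuit_t {
  int marked_for_close;
  int freed;        /* stands in for the memory actually being released */
  workqueue_entry_t *workqueue_entry;
};

/* Stand-in for workqueue_entry_cancel(): a job that is already running
 * cannot be cancelled, so NULL is returned and its reply fn still runs. */
static workqueue_entry_t *workqueue_entry_cancel(workqueue_entry_t *ent) {
  return ent->running ? NULL : ent;
}

/* Stand-in for cpuworker_cancel_circ_handshake(). use_fix == 0 clears the
 * pointer unconditionally (the bug); use_fix == 1 clears it only inside
 * if (job), i.e. only when the cancel actually succeeded. */
static void cpuworker_cancel_circ_handshake(circuit_t *circ, int use_fix) {
  workqueue_entry_t *job = workqueue_entry_cancel(circ->workqueue_entry);
  if (job)
    circ->workqueue_entry = NULL;  /* job will never run: safe to detach */
  else if (!use_fix)
    circ->workqueue_entry = NULL;  /* bug: detaches while the job still runs */
}

/* Stand-in for circuit_close_all_marked(): frees only if no job is attached. */
static void circuit_close_all_marked(circuit_t *circ) {
  if (circ->marked_for_close && circ->workqueue_entry == NULL)
    circ->freed = 1;
}

/* Stand-in for the reply fn: returns 1 if it would touch freed memory. */
static int cpuworker_onion_handshake_replyfn(workqueue_entry_t *job) {
  if (job->circ->freed)
    return 1;                      /* the use-after-free in the real code */
  job->circ->workqueue_entry = NULL;
  return 0;
}

/* Drives the ticket's sequence: cancel while the job is running, then the
 * per-second dead-circuit sweep, then the job finishes. */
int race_causes_uaf(int use_fix) {
  circuit_t circ = { 1, 0, NULL };
  workqueue_entry_t job = { 1, &circ };
  circ.workqueue_entry = &job;
  cpuworker_cancel_circ_handshake(&circ, use_fix);
  circuit_close_all_marked(&circ);
  return cpuworker_onion_handshake_replyfn(&job);
}
```

`race_causes_uaf(0)` reproduces the reported sequence and reports the use-after-free; `race_causes_uaf(1)` applies the proposed fix, so the sweep leaves the circ alone while the job is still attached.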

