[tor-bugs] #16495 [Tor Browser]: Tor Browser 5.0a3 crashes on nytimes.com with security level set to "High"

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jul 3 11:48:51 UTC 2015


#16495: Tor Browser 5.0a3 crashes on nytimes.com with security level set to "High"
----------------------------+---------------------------------------------------
     Reporter:  gk          |      Owner:  tbb-team
         Type:  defect      |     Status:  new
     Priority:  critical    |  Milestone:
    Component:  Tor Browser |    Version:
   Resolution:              |   Keywords:  tbb-crash, tbb-5.0a, TorBrowserTeam201507
Actual Points:              |  Parent ID:
       Points:              |
----------------------------+---------------------------------------------------

Comment (by mcs):

 Replying to [comment:4 gk]:
 > After building a recent GDB I got a better stacktrace:
 > {{{
 > Program received signal SIGSEGV, Segmentation fault.
 > 0xb3d62e2a in BaseType (this=0x5a5a5a5a)
 >     at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.h:455
 > 455    /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.h: Datei oder Verzeichnis nicht gefunden.
 > (gdb) bt
 > #0  0xb3d62e2a in BaseType (this=0x5a5a5a5a)
 >     at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.h:455
 > #1  nsAttrValue::Type (this=0x5a5a5a5a)
 >     at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.cpp:186
 > #2  0xb3d62f45 in nsAttrValue::GetAtomCount (this=0x5a5a5a5a)

 The new stacktrace is much better.
 The "this=0x5a5a5a5a" indicates a UAF.  Now the question is "How did we
 get to that state?"
 Maybe look at aElement within RuleHash::EnumerateAllRules() or higher in
 the call stack to see if the entire element has been freed?

 I was hoping that a debug build might shed more light on this crash, but I
 foolishly picked Win32 instead of Linux32 because I know my old Linux
 system has hopelessly old tools (not good for compiling or debugging)...
 and of course my non-Gitian Windows build has failed a couple of times so
 far (at the moment I am stuck on unresolved symbols when trying to link
 libxul).

 Unfortunately, Kathy and I are traveling this weekend (starting in an hour
 or so) and will only have sporadic access to the net.  So someone else
 will need to debug this, or we will look at it on Monday.  Sorry for the
 bad timing :(

 I did encounter one compile error that has an obvious fix while trying to
 complete a Windows debug build; I opened #16497 for that.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16495#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
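
An added illustration, not code from the ticket or from Tor Browser, of the inference in the comment above: assuming the allocator fills freed memory with 0x5a bytes (as jemalloc's junk fill does), a stale reference to a freed object reads a poison-filled pointer field, which a callee would then receive as `this`. The names `element_t`, `attr_t`, the toy pool and `looks_poisoned` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON 0x5a  /* assumption: allocator fills freed memory with 0x5a */

/* Hypothetical stand-ins: an element that holds a pointer to its attribute. */
typedef struct { int type; } attr_t;
typedef struct { attr_t *attr; int in_use; } element_t;

static element_t pool[4];  /* toy pool, so a released slot stays readable */

static element_t *elem_alloc(attr_t *a) {
    for (size_t i = 0; i < 4; i++)
        if (!pool[i].in_use) { pool[i] = (element_t){ a, 1 }; return &pool[i]; }
    return NULL;
}

/* Release a slot the way a poisoning allocator does: overwrite every byte. */
static void elem_free(element_t *e) {
    memset(e, POISON, sizeof *e);
    e->in_use = 0;
}

/* 1 if all `width` low-order bytes of `value` equal the poison byte. */
static int looks_poisoned(uint64_t value, size_t width) {
    for (size_t i = 0; i < width; i++)
        if (((value >> (8 * i)) & 0xff) != POISON)
            return 0;
    return width > 0;
}

/* The pointer value a stale reference reads out of an already freed element. */
static uint64_t stale_attr_after_free(void) {
    static attr_t a = { 1 };
    element_t *e = elem_alloc(&a);
    element_t *stale = e;          /* second reference that outlives the free */
    uintptr_t raw = 0;
    elem_free(e);
    memcpy(&raw, &stale->attr, sizeof raw);  /* a callee would get this as `this` */
    return (uint64_t)raw;
}

int main(void) {
    uint64_t v = stale_attr_after_free();
    printf("this=%#llx poisoned=%d\n", (unsigned long long)v,
           looks_poisoned(v, sizeof(void *)));
    return 0;
}
```

On a 32-bit build the value read back is 0x5a5a5a5a, the same pattern as `this` in the quoted backtrace, which is why checking whether the containing element was freed is the natural next step.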