[tor-bugs] #4862 [Tor]: Consider disabling dynamic intro point formula (numerology)

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Jun 14 13:47:03 UTC 2015


#4862: Consider disabling dynamic intro point formula (numerology)
-------------------------+-------------------------------------------------
     Reporter:  hellais  |      Owner:
         Type:           |     Status:  needs_revision
  enhancement            |  Milestone:  Tor: 0.2.7.x-final
     Priority:  major    |    Version:  Tor: 0.2.7
    Component:  Tor      |   Keywords:  needs-proposal, tor-hs,
   Resolution:           |  027-triaged-1-in, SponsorR
Actual Points:           |  Parent ID:
       Points:           |
  medium/large           |
-------------------------+-------------------------------------------------

Comment (by asn):

 I started testing this!

 It seems like tor will crash when the HS tries to upload the second HS
 descriptor.

 It will crash like this:
 {{{
 #0  0x00005555555b3014 in rend_data_dup (data=0x7fffffffe030) at
 src/or/rendcommon.c:1407
 #1  0x000055555564c3ff in directory_initiate_command_rend
 (_addr=0x555556184480, or_port=20, dir_port=57712, digest=0x555555aa65fc
 "\351:~;\371\237>\374.\246\356|D\270\230\340\201\212\322\305\026W2\356\252\033I\237KE\031\332h\251\367f8\356\203\353\236B/\243\253p܌\215\022\210\026\224\062\365\306)#F#",
     dir_purpose=176 '\260', dir_purpose at entry=17 '\021', router_purpose=64
 '@', router_purpose at entry=0 '\000', indirection=4294958752, resource=0x0,
     payload=0x555556185d20 "rendezvous-service-descriptor
 5ex2pe24d4y3nus3umqen4rgbqlk34v6\nversion 2\npermanent-key\n-----BEGIN RSA
 PUBLIC
 KEY-----\nMIGJAoGBAM1ZaWMtX7rigjmTALwcr4bteltZVF4YCP9F6NLx0lB3SACu/XNrQVpt\nX8H7CMf3t3HYRlciX"...,
 payload_len=3253, if_modified_since=0, rend_query=0x7fffffffe030)
     at src/or/directory.c:981
 #2  0x000055555564c940 in directory_initiate_command_routerstatus_rend
 (status=status at entry=0x555555aa65e0, dir_purpose=dir_purpose at entry=17
 '\021', router_purpose=router_purpose at entry=0 '\000',
 indirection=indirection at entry=DIRIND_ANONYMOUS,
 resource=resource at entry=0x0,
     payload=payload at entry=0x555556185d20 "rendezvous-service-descriptor
 5ex2pe24d4y3nus3umqen4rgbqlk34v6\nversion 2\npermanent-key\n-----BEGIN RSA
 PUBLIC
 KEY-----\nMIGJAoGBAM1ZaWMtX7rigjmTALwcr4bteltZVF4YCP9F6NLx0lB3SACu/XNrQVpt\nX8H7CMf3t3HYRlciX"...,
 payload_len=3253, if_modified_since=0,
     rend_query=0x7fffffffe030) at src/or/directory.c:646
 #3  0x00005555555b9b9d in directory_post_to_hs_dir
 (renddesc=0x55555616ec40, descs=0x55555617bbc0, hs_dirs=0x0,
 service_id=0x7fffffffe170 "brhc7vtx6cmchjda", seconds_valid=33661) at
 src/or/rendservice.c:3158
 #4  0x00005555555b9f27 in upload_service_descriptor
 (service=0x555555975e40) at src/or/rendservice.c:3273
 #5  0x00005555555babc0 in rend_consider_services_upload
 (now=now at entry=1434288689) at src/or/rendservice.c:3696
 }}}

 I think the problem was introduced with the refactoring commit
 `6d127695ea`: in `directory_post_to_hs_dir()` it introduced the
 `rend_data` structure allocated on the stack, which is not properly
 initialized before being passed to
 `directory_initiate_command_routerstatus_rend()`. So even though the
 `onion_address` element was initialized, other required elements were not,
 and that caused crashes. This crash happened in `rend_data_dup()` when the
 code was trying to access the `hsdirs_fp` pointer that was never
 initialized (and probably contains stack garbage).

 Not yet sure why the invocation of
 `directory_initiate_command_routerstatus()` was changed in the refactoring
 commit.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4862#comment:37>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
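The bug pattern described in the comment, as an added illustration that is not Tor's code: a stack-allocated struct with only one field set, passed to a deep-copy routine that dereferences the other fields. The struct layout, the array-of-strings shape of `hsdirs_fp` and the init helper are assumptions made for the example; Tor's real `rend_data_t` uses a different list type.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed minimal model of rend_data_t: service id plus optional HSDir list. */
typedef struct {
  char onion_address[17];   /* 16 base32 chars + NUL */
  char **hsdirs_fp;         /* array of n_hsdirs fingerprint strings, or NULL */
  size_t n_hsdirs;
} rend_data_t;

static char *dup_str(const char *s) {
  size_t n = strlen(s) + 1;
  char *p = malloc(n);
  return p ? memcpy(p, s, n) : NULL;
}

/* Deep copy. It reads hsdirs_fp whenever n_hsdirs is non-zero, so a caller
 * that leaves those fields uninitialized hands it stack garbage and it
 * crashes here, as in the backtrace above. */
rend_data_t *rend_data_dup(const rend_data_t *data) {
  rend_data_t *dup = calloc(1, sizeof(*dup));
  if (!dup) return NULL;
  memcpy(dup->onion_address, data->onion_address, sizeof(dup->onion_address));
  if (data->hsdirs_fp && data->n_hsdirs) {
    dup->hsdirs_fp = calloc(data->n_hsdirs, sizeof(char *));
    for (size_t i = 0; i < data->n_hsdirs; i++)
      dup->hsdirs_fp[i] = dup_str(data->hsdirs_fp[i]);
    dup->n_hsdirs = data->n_hsdirs;
  }
  return dup;
}

void rend_data_free(rend_data_t *d) {
  if (!d) return;
  for (size_t i = 0; i < d->n_hsdirs; i++) free(d->hsdirs_fp[i]);
  free(d->hsdirs_fp);
  free(d);
}

/* Buggy shape from the refactor: only onion_address is filled in.
 *   rend_data_t rend_data;
 *   memcpy(rend_data.onion_address, service_id, 17);  // hsdirs_fp is garbage
 * Fixed shape: zero the whole struct before filling in the fields you have,
 * so rend_data_dup() sees hsdirs_fp == NULL and n_hsdirs == 0. */
int rend_data_init_for_post(rend_data_t *out, const char *service_id) {
  memset(out, 0, sizeof(*out));
  if (strlen(service_id) != 16) return -1;
  memcpy(out->onion_address, service_id, 17);
  return 0;
}
```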

