[tor-bugs] #15901 [Tor]: apparent memory corruption from control channel request processing -- very difficult to isolate

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon May 4 14:51:22 UTC 2015


#15901: apparent memory corruption from control channel request processing -- very
difficult to isolate
---------------------------+--------------------------------
     Reporter:  starlight  |      Owner:
         Type:  defect     |     Status:  new
     Priority:  critical   |  Milestone:  Tor: 0.2.7.x-final
    Component:  Tor        |    Version:  Tor: 0.2.5.12
   Resolution:             |   Keywords:
Actual Points:             |  Parent ID:
       Points:             |
---------------------------+--------------------------------

Comment (by starlight):

 Uploaded unparsable-desc from first occurrence.

 I suspect the only useful information may be the
 number of entries as the contents look perfectly
 ok.  The bug seems to be about corrupting the
 openssl objects employed in verifying the
 descriptors rather than the descriptors
 themselves.

 Will prepare a package of the core and the system
 files that can be used with gdb's "set sysroot"
 command for a fully examinable core.  Want to
 share that privately so contact me at

    starlight dot YYYYqQ at binnacle dot cx

 where YYYY is the year and Q is the quarter
 (1-4) and I'll provide a link where it can
 be downloaded.

 But be aware that the core is mainly providing
 "effect" rather than "cause" unless it's
 examined by someone intimate with the code
 and who gets lucky and sees something they
 recognize and that leads to the code illegally
 overwriting memory.  This is why I have not
 dug into it.

 The stack trace is apparent with gdb's
 'where' command, but says nothing of value
 as I manually killed the relay process with
 "pkill -SEGV tor" after the corruption
 occurred--the trace is of the signal
 termination handler.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15901#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

