[tor-bugs] #15901 [Tor]: apparent memory corruption from control channel request processing -- very difficult to isolate

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon May 4 15:04:07 UTC 2015


#15901: apparent memory corruption from control channel request processing -- very
difficult to isolate
---------------------------+--------------------------------
     Reporter:  starlight  |      Owner:
         Type:  defect     |     Status:  new
     Priority:  critical   |  Milestone:  Tor: 0.2.7.x-final
    Component:  Tor        |    Version:  Tor: 0.2.5.12
   Resolution:             |   Keywords:
Actual Points:             |  Parent ID:
       Points:             |
---------------------------+--------------------------------

Comment (by starlight):

 I realized that possibly the first event showed
 visibly corrupt "ISO time" strings due to the
 0.2.4.26 version memory layout rather than due
 to timing or luck.

 So I have built 0.2.4.27 with the core/stdio
 patch and put that live in the hope that
 the "ISO time" flavor of the event can
 be reproduced.  If this happens, I intend
 to add some code to set one or more of the
 x86 debug registers to trap on a write to
 the time string, i.e. a hard-coded "watchpoint"
 without using 'gdb'.  This could result in a
 core file where the stack trace leads directly
 to the code path causing memory corruption.

 It appears that any use of an alternate
 malloc() such as with ASAN perturbs the
 memory layout such that the bug will not
 appear.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15901#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
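An added example, not code from the ticket or from Tor, of the hard-coded watchpoint the comment above describes: an x86 debug register armed to trap a write to a time string, with no gdb involved. On Linux, userland reaches the debug registers through ptrace, so this example forks a small tracer and points DR0 at the string and DR7 at "break on 4-byte write, slot 0" in the traced child; when the child writes the string, the CPU raises a debug trap that arrives as a SIGTRAP stop, and the tracer reads DR6 and the instruction pointer to identify the writing code path. The string `iso_time`, the functions `dr7_write_watchpoint`, `tracee_body` and `watch_write_to_iso_time`, and the sample timestamp are this example's own constructions. It generalises slightly beyond the comment: `dr7_write_watchpoint` encodes any of the four slots and any legal length, not just the one the ticket needs.

```c
/* Added example (not from the ticket or from Tor): a hard-coded x86 hardware
 * watchpoint on a string, installed via Linux ptrace debug registers, no gdb.
 * Names (iso_time, tracee_body, dr7_write_watchpoint, watch_write_to_iso_time)
 * are this example's own. */
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the "ISO time" string suspected of being overwritten.
 * Aligned because the kernel rejects a watchpoint whose address is not aligned
 * to its length. Externally visible so the compiler keeps the store to it. */
char iso_time[32] __attribute__((aligned(16))) = "2015-05-04 15:04:07";

/* DR7 bits for a write-only watchpoint in slot 0..3 covering len in {1,2,4,8}:
 * L<slot> = bit 2*slot, RW<slot> = 01b at bit 16+4*slot (break on data write),
 * LEN<slot> at bit 18+4*slot (00b=1, 01b=2, 11b=4, 10b=8 bytes). 0 if invalid. */
unsigned long dr7_write_watchpoint(int slot, int len)
{
    unsigned long lenbits;
    if (slot < 0 || slot > 3) return 0;
    switch (len) { case 1: lenbits = 0; break; case 2: lenbits = 1; break;
                   case 4: lenbits = 3; break; case 8: lenbits = 2; break;
                   default: return 0; }
    return (1UL << (2 * slot)) | (1UL << (16 + 4 * slot)) | (lenbits << (18 + 4 * slot));
}

/* The traced child: harmless stores first, then the write we want caught. */
static void tracee_body(void)
{
    volatile int scratch = 0;
    for (int i = 0; i < 100; i++) scratch += i;   /* must not trip the watchpoint */
    volatile char *p = iso_time;                  /* volatile: store cannot be elided */
    p[0] = 'X';                                   /* the "corrupting" write */
    _exit(0);                                     /* reached only if no trap fired */
}

/* Returns 1 if the hardware watchpoint caught the write, 0 if the child ran to
 * completion untrapped, -1 if ptrace or debug registers are unavailable here. */
int watch_write_to_iso_time(void)
{
#if !defined(__linux__) || !(defined(__x86_64__) || defined(__i386__))
    return -1;
#else
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(3);
        raise(SIGSTOP);              /* pause so the parent can arm the registers */
        tracee_body();
    }
    if (waitpid(pid, &status, 0) != pid || !WIFSTOPPED(status)) return -1;
    /* The child is a fork, so iso_time has the same virtual address there.
     * DR0 must hold a valid address before DR7 enables slot 0. */
    if (ptrace(PTRACE_POKEUSER, pid, (void *)offsetof(struct user, u_debugreg[0]),
               (void *)iso_time) == -1 ||
        ptrace(PTRACE_POKEUSER, pid, (void *)offsetof(struct user, u_debugreg[7]),
               (void *)dr7_write_watchpoint(0, 4)) == -1) {
        kill(pid, SIGKILL); waitpid(pid, NULL, 0); return -1;
    }
    ptrace(PTRACE_CONT, pid, NULL, NULL);
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (WIFEXITED(status)) return 0;             /* write went through untrapped */
    if (!WIFSTOPPED(status) || WSTOPSIG(status) != SIGTRAP) {
        kill(pid, SIGKILL); waitpid(pid, NULL, 0); return -1;
    }
    /* DR6 bit 0 confirms slot 0 fired; the instruction pointer identifies the
     * code path that performed the write, which is what a core file would show. */
    long dr6 = ptrace(PTRACE_PEEKUSER, pid, (void *)offsetof(struct user, u_debugreg[6]), NULL);
    struct user_regs_struct regs;
    ptrace(PTRACE_GETREGS, pid, NULL, &regs);
#if defined(__x86_64__)
    unsigned long ip = (unsigned long)regs.rip;
#else
    unsigned long ip = (unsigned long)regs.eip;
#endif
    printf("watchpoint hit: DR6=0x%lx ip=0x%lx\n", dr6, ip);
    /* To get a core file instead, forward the signal: ptrace(PTRACE_CONT, pid,
     * NULL, (void *)SIGTRAP); SIGTRAP's default action terminates with a dump. */
    kill(pid, SIGKILL); waitpid(pid, NULL, 0);
    return 1;
#endif
}

int main(void)
{
    int r = watch_write_to_iso_time();
    printf("result: %d (1 = trapped, 0 = untrapped, -1 = unsupported here)\n", r);
    return r == 1 ? 0 : 1;
}
```

Because Linux drops ptrace-installed debug registers when the tracer detaches, the tracer has to stay attached for the lifetime of the watchpoint; for a long-running daemon such as tor, that means a helper process that attaches (under Yama's ptrace_scope=1 the daemon must allow it with prctl(PR_SET_PTRACER)), arms DR0/DR7 once, and then only waits. When the SIGTRAP stop arrives it forwards the signal unchanged so the daemon dies with a core file whose top frame is the writing instruction, which is exactly the trace the comment hopes for. An in-process alternative without a tracer is perf_event_open with PERF_TYPE_BREAKPOINT and HW_BREAKPOINT_W, which raises SIGTRAP in the same process; it is subject to perf_event_paranoid rather than ptrace restrictions. Neither route changes the allocator, so unlike ASAN it leaves the heap layout the bug depends on untouched.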

