[tor-bugs] #17041 [Tor]: Memory corruption in the HS client

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Sep 11 10:51:38 UTC 2015


#17041: Memory corruption in the HS client
------------------------------+------------------------------------
 Reporter:  dgoulet           |          Owner:
     Type:  defect            |         Status:  new
 Priority:  critical          |      Milestone:  Tor: 0.2.7.x-final
Component:  Tor               |        Version:
 Keywords:  SponsorR, tor-hs  |  Actual Points:
Parent ID:                    |         Points:
------------------------------+------------------------------------
 This is in git master and hasn't been released.

 Here is how the bug is triggered. You download a descriptor of a valid HS.
 Then restart that HS (thus making the current descriptor obsolete) and
 retry right away to download the descriptor for that HS. The tor client
 stops with a segfault in `malloc()` (you sometimes need a couple of tries
 to trigger the issue).

 Now I believe this is a memory corruption of some sort since during the
 git bisect, I was able to trigger bad free() and other segfaults with
 `tor_memcmp()` in some other non-related functions with the same use case.
 Bisect gave me this commit as the first bad commit:

 {{{
 commit ab9a0e340728abd96128da726f67b4ccca10ba52
 Author: David Goulet <dgoulet at ev0ke.net>
 Date:   Thu Jun 18 16:09:18 2015 -0400

     Add rend failure cache
 [...]
 }}}

 That precise commit introduces a memory corruption somewhere somehow; I
 can't find it for now so I'm filing this ticket. Attached is a debug log
 (3.3M) of the issue being triggered. It's also quite easy to run tor in
 gdb and catch the issue.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17041>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
