[tor-bugs] #20103 [Core Tor/Tor]: Difficult-to-reproduce crash on OpenBSD: tor invoked from Tor Browser 6.0.4

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Sep 8 17:31:24 UTC 2016


#20103: Difficult-to-reproduce crash on OpenBSD: tor invoked from Tor Browser 6.0.4
--------------------------+------------------------------
 Reporter:  attila        |          Owner:
     Type:  defect        |         Status:  new
 Priority:  High          |      Milestone:
Component:  Core Tor/Tor  |        Version:  Tor: 0.2.8.7
 Severity:  Normal        |     Resolution:
 Keywords:                |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+------------------------------

Comment (by attila):

 After a few more hours of testing and screwing around I've found this is
 not hard to reproduce at all:

 1. start TBB;
 2. load a page (I've been using https://blog.torproject.org but I don't
 think it matters much);
 3. wait :-)

 Under OpenBSD-current/amd64 as of the 5 Sept snap you'll eventually get a
 crash like the one I dissected above; there's a more recent snap and I'm
 working on upgrading to it.

 I now have gdb attached to the last instance of tor that TBB started and
 am waiting for it to die so I can learn more, but it crashed for me
 overnight and the tail end of the logs might be interesting to someone who
 knows more than me (I cranked up logging to debug before having TBB
 restart tor):

 {{{
 ...
 Sep 08 15:54:58.000 [debug] relay_lookup_conn(): found conn for stream
 23866.
 Sep 08 15:54:58.000 [debug] circuit_receive_relay_cell(): Sending to
 origin.
 Sep 08 15:54:58.000 [debug] connection_edge_process_relay_cell(): Now seen
 3005 relay cells here (command 2, stream 23866).
 Sep 08 15:54:58.000 [debug] connection_edge_process_relay_cell(): circ
 deliver_window now 966.
 Sep 08 15:54:58.000 [debug] connection_or_process_cells_from_inbuf(): 24:
 starting, inbuf_datalen 514 (0 pending in tls object).
 Sep 08 15:54:58.000 [debug] channel_queue_cell(): Directly handling
 incoming cell_t 0x7f7fffff4880 for channel 0x477f126c000 (global ID 3)
 Sep 08 15:54:58.000 [debug] circuit_get_by_circid_channel_impl():
 circuit_get_by_circid_channel_impl() returning circuit 0x477f126c800 for
 circ_id 2778626874, channel ID 3 (0x477f126c000)
 Sep 08 15:54:58.000 [debug] relay_lookup_conn(): found conn for stream
 23866.
 Sep 08 15:54:58.000 [debug] circuit_receive_relay_cell(): Sending to
 origin.
 Sep 08 15:54:58.000 [debug] connection_edge_process_relay_cell(): Now seen
 3006 relay cells here (command 3, stream 23866).
 Sep 08 15:54:58.000 [info] connection_edge_process_relay_cell(): -1: end
 cell (closed normally) for stream 23866. Removing stream.
 Sep 08 15:54:58.000 [debug] connection_or_process_cells_from_inbuf(): 24:
 starting, inbuf_datalen 0 (0 pending in tls object).
 Sep 08 15:54:58.000 [debug] conn_close_if_marked(): Cleaning up connection
 (fd -
 Sep 08 15:54:58.000 [debug] conn_close_if_marked(): Flushed last 2115
 bytes from a linked conn; 0 left; flushlen 0; wants-to-flush==0
 Sep 08 15:54:58.000 [debug] circuit_detach_stream(): Removing stream 23866
 from circ 2778626874
 Sep 08 15:54:58.000 [debug] connection_remove(): removing socket -1 (type
 Socks), n_conns now 8
 Sep 08 15:54:58.000 [info] connection_free_(): Freeing linked Socks
 connection [open] with 0 bytes on inbuf, 0 on outbuf.
 Sep 08 15:54:58.000 [debug] conn_read_callback(): socket -1 wants to read.
 Sep 08 15:54:58.000 [debug] fetch_from_buf_http(): headerlen 198, bodylen
 612109.
 Sep 08 15:54:58.000 [debug] connection_dir_client_reached_eof(): Received
 response from directory server '66.111.2.20:9001': 200 "OK" (purpose: 14)
 Sep 08 15:54:58.000 [debug] router_new_address_suggestion(): Got X-Your-Address-Is: my.home.ip.address
 Sep 08 15:54:58.000 [debug] connection_dir_client_reached_eof(): Time on
 received directory is within tolerance; we are 0 seconds skewed.  (That's
 okay.)
 Sep 08 15:54:58.000 [info] connection_dir_client_reached_eof(): Received
 consensus directory (size 1403277) from server '66.111.2.20:9001'
 Sep 08 15:54:58.000 [info] A consensus needs 5 good signatures from
 recognized authorities for us to accept it. This one has 8 (dannenberg
 tor26 longclaw maatuska moria1 dizum gabelmoo Faravahar).
 }}}

 This last message is the same message that appeared in the log from the
 original crash that George called to my attention (which I forgot to
 mention in the initial ticket, sorry), which ended thus:

 {{{
 Sep 07 09:57:05.000 [debug] connection_dir_client_reached_eof(): Received
 response from directory server '66.111.2.20:9001': 200 "OK" (purpose: 14)
 Sep 07 09:57:05.000 [debug] router_new_address_suggestion(): Got X-Your-Address-Is: a.b.c.d
 Sep 07 09:57:05.000 [debug] connection_dir_client_reached_eof(): Time on
 received directory is within tolerance; we are -3 seconds skewed.  (That's
 okay.)
 Sep 07 09:57:05.000 [info] connection_dir_client_reached_eof(): Received
 consensus directory (size 1401858) from server '66.111.2.20:9001'
 Sep 07 09:57:05.000 [info] A consensus needs 5 good signatures from
 recognized authorities for us to accept it. This one has 8 (dannenberg
 tor26 longclaw maatuska moria1 dizum gabelmoo Faravahar).
 }}}

 One more note: since I'm in Mexico I have to use known bridges to get onto
 Tor.  I would like to do something about this in the future, but for now
 it should be noted that my torrc for TBB looks like this:

 {{{
 # This file was generated by Tor; if you edit it, comments will not be preserved
 # The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it

 Bridge 66.111.2.16:9001
 Bridge 66.111.2.20:9001
 DataDirectory /home/attila/TorBrowser-Data/Browser/tor_data
 HiddenServiceStatistics 0
 UseBridges 1
 Log debug file /home/attila/tmp/tor-debug.log
 }}}

 If anyone wants to play with this you can find packages for the latest
 OpenBSD-current/amd64 snapshot here temporarily:
 [https://bits.haqistan.net/~tdp/amd64].  Those are only the packages
 necessary to install this latest test build of TBB on OpenBSD/amd64.  If
 you're on a fresh -current install you'll need the run dependencies as
 well.  I put a list of them in
 [https://bits.haqistan.net/~tdp/amd64/full-run-depends.txt] to make it
 simple.  If you were to download all the files
 in that directory onto your current/amd64 box/vm the following would
 install them (assuming they are in `.`):

 {{{
 $ doas pkg_add -l full-run-depends.txt -z
 $ doas pkg_add *.tgz
 }}}

 Hopefully my gdb session will kick out a segfault at some point and maybe
 I can see more.  The two logs from crashes I have are rather large but if
 someone wants them I can put them somewhere.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20103#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
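
The observation in the comment above, that both crash logs end on the same consensus-signature message, can be checked mechanically across any number of crash logs. This is an added example, not part of the original comment or of Tor's code; the function names `parse_entries`, `fingerprint` and `common_tail` are hypothetical, and the two log tails are constructed from the excerpts quoted in the comment.

```python
import re

# Start of a Tor log entry: "Sep 08 15:54:58.000 [debug] func(): message"
ENTRY = re.compile(r"^\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3} \[(\w+)\] (.*)$")
FUNC = re.compile(r"^(\w+)\(\): (.*)$")

def parse_entries(text):
    """Rejoin wrapped continuation lines; return (level, func, message) tuples."""
    merged = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            merged.append([m.group(1), m.group(2)])
        elif merged and line:
            merged[-1][1] += " " + line   # continuation of the previous entry
    out = []
    for level, body in merged:
        f = FUNC.match(body)
        out.append((level, f.group(1), f.group(2)) if f else (level, None, body))
    return out

def fingerprint(entry):
    """Mask numbers and collapse whitespace so sizes, skews and wrapping don't hide a match."""
    level, func, msg = entry
    return (level, func, re.sub(r"-?\d+", "N", " ".join(msg.split())))

def common_tail(logs):
    """Longest run of identical fingerprints at the end of every log."""
    tails = [[fingerprint(e) for e in parse_entries(t)] for t in logs]
    n = 0
    while all(len(t) > n for t in tails) and len({t[-1 - n] for t in tails}) == 1:
        n += 1
    return tails[0][len(tails[0]) - n:]

# Constructed sample tails, modelled on the two excerpts in the comment.
LOG_A = """Sep 08 15:54:58.000 [debug] fetch_from_buf_http(): headerlen 198, bodylen 612109.
Sep 08 15:54:58.000 [debug] router_new_address_suggestion(): Got X-Your-Address-Is: my.home.ip.address
Sep 08 15:54:58.000 [debug] connection_dir_client_reached_eof(): Time on received directory is within tolerance; we are 0 seconds skewed.  (That's okay.)
Sep 08 15:54:58.000 [info] connection_dir_client_reached_eof(): Received
 consensus directory (size 1403277) from server '66.111.2.20:9001'
Sep 08 15:54:58.000 [info] A consensus needs 5 good signatures from
 recognized authorities for us to accept it. This one has 8 (dannenberg tor26 longclaw maatuska moria1 dizum gabelmoo Faravahar)."""
LOG_B = """Sep 07 09:57:05.000 [debug] router_new_address_suggestion(): Got X-Your-Address-Is: a.b.c.d
Sep 07 09:57:05.000 [debug] connection_dir_client_reached_eof(): Time on received
 directory is within tolerance; we are -3 seconds skewed.  (That's okay.)
Sep 07 09:57:05.000 [info] connection_dir_client_reached_eof(): Received consensus directory (size 1401858) from server '66.111.2.20:9001'
Sep 07 09:57:05.000 [info] A consensus needs 5 good signatures from recognized authorities for us to accept it. This one has 8 (dannenberg tor26 longclaw maatuska moria1 dizum gabelmoo Faravahar)."""
print(common_tail([LOG_A, LOG_B]))
```

Entries without a `func():` prefix, such as the final consensus message, are kept with the function field set to `None`, so they still take part in the comparison.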

