[tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Sep 18 15:14:52 UTC 2016


#20103: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4
-----------------------------------------+---------------------------------
 Reporter:  attila                       |          Owner:
     Type:  defect                       |         Status:  new
 Priority:  High                         |      Milestone:  Tor:
                                         |  0.2.9.x-final
Component:  Core Tor/Tor                 |        Version:  Tor: 0.2.8.7
 Severity:  Normal                       |     Resolution:
 Keywords:  bug regression 028-backport  |  Actual Points:
Parent ID:                               |         Points:
 Reviewer:                               |        Sponsor:
-----------------------------------------+---------------------------------

Comment (by rubiate):

 Bah, I'm slow. Of course, it works the same everywhere, just the results
 are different. On OpenBSD the memory is read protected after it's freed,
 hence crashes.

 I should have compiled it ASAN on Debian (doh, that's probably what you
 meant), would've worked this out faster.

 {{{
 ==12100==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0004adf78 at pc 0x7f5185128426 bp 0x7ffed0454d70 sp 0x7ffed0454d68
 READ of size 2 at 0x60e0004adf78 thread T0
     #0 0x7f5185128425 in tor_addr_family src/common/address.h:155
     #1 0x7f5185128425 in tor_addr_is_null src/common/address.c:871
     #2 0x7f5185128868 in tor_addr_is_valid src/common/address.c:932
     #3 0x7f5184e4f23b in node_get_all_orports src/or/nodelist.c:838
     #4 0x7f518510625a in node_is_a_configured_bridge src/or/entrynodes.c:1871
     #5 0x7f5185112d1a in any_bridge_supports_microdescriptors src/or/entrynodes.c:2487
     #6 0x7f5184e39499 in we_use_microdescriptors_for_circuits src/or/microdesc.c:924
     #7 0x7f5184e397c3 in usable_consensus_flavor src/or/microdesc.c:961
     #8 0x7f5184e3fe8f in networkstatus_consensus_is_bootstrapping src/or/networkstatus.c:1257
     #9 0x7f51850977da in find_dl_schedule src/or/directory.c:3731
     #10 0x7f51850a005e in download_status_reset src/or/directory.c:3950
     #11 0x7f5184e43cd0 in networkstatus_set_current_consensus src/or/networkstatus.c:1690
     #12 0x7f51850a2a4c in connection_dir_client_reached_eof src/or/directory.c:2009
     #13 0x7f51850a72a9 in connection_dir_reached_eof src/or/directory.c:2471
     #14 0x7f5185049d7e in connection_reached_eof src/or/connection.c:4841
     #15 0x7f5185049d7e in connection_handle_read_impl src/or/connection.c:3528
     #16 0x7f5184e24dd7 in conn_read_callback src/or/main.c:803
     #17 0x7f51830693db in event_base_loop (/usr/lib/x86_64-linux-gnu/libevent-2.0.so.5+0x103db)
     #18 0x7f5184e26606 in run_main_loop_once src/or/main.c:2543
     #19 0x7f5184e26606 in run_main_loop_until_done src/or/main.c:2589
     #20 0x7f5184e26606 in do_main_loop src/or/main.c:2515
     #21 0x7f5184e2be04 in tor_main src/or/main.c:3646
     #22 0x7f5184e198cb in main src/or/tor_main.c:30
     #23 0x7f518158ab44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
     #24 0x7f5184e1c28a (tor/src/or/tor+0x56528a)

 0x60e0004adf78 is located 88 bytes inside of 160-byte region [0x60e0004adf20,0x60e0004adfc0)
 freed by thread T0 here:
     #0 0x7f5183811527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
     #1 0x7f5184e3b9ea in networkstatus_vote_free src/or/networkstatus.c:320
     #2 0x7f5184e43915 in networkstatus_set_current_consensus src/or/networkstatus.c:1662
     #3 0x7f51850a2a4c in connection_dir_client_reached_eof src/or/directory.c:2009
     #4 0x7f51850a72a9 in connection_dir_reached_eof src/or/directory.c:2471
     #5 0x7f5185049d7e in connection_reached_eof src/or/connection.c:4841
     #6 0x7f5185049d7e in connection_handle_read_impl src/or/connection.c:3528
     #7 0x7f5184e24dd7 in conn_read_callback src/or/main.c:803
     #8 0x7f51830693db in event_base_loop (/usr/lib/x86_64-linux-gnu/libevent-2.0.so.5+0x103db)

 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20103#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
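
An added triage example, not part of the ticket or of Tor's code: it parses an AddressSanitizer heap-use-after-free report like the one in the comment above and returns the innermost function that appears on both the access stack and the free stack, with its free site and its later use site. The names `parse_stacks`, `free_then_use` and `SAMPLE` are assumptions made for this sketch.

```python
import re

FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
HEADERS = (("access", re.compile(r"(READ|WRITE) of size")),
           ("freed", re.compile(r"freed by thread")))

# Constructed sample: abridged, renumbered copy of the report above, keeping
# one mail-wrapped frame to exercise the re-joining logic.
SAMPLE = """\
==12100==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0004adf78
READ of size 2 at 0x60e0004adf78 thread T0
    #0 0x7f5185128425 in tor_addr_family src/common/address.h:155
    #1 0x7f5184e4f23b in node_get_all_orports src/or/nodelist.c:838
    #2 0x7f5184e43cd0 in networkstatus_set_current_consensus
 src/or/networkstatus.c:1690
    #3 0x7f51850a2a4c in connection_dir_client_reached_eof src/or/directory.c:2009

freed by thread T0 here:
    #0 0x7f5183811527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    #1 0x7f5184e3b9ea in networkstatus_vote_free src/or/networkstatus.c:320
    #2 0x7f5184e43915 in networkstatus_set_current_consensus src/or/networkstatus.c:1662
    #3 0x7f51850a2a4c in connection_dir_client_reached_eof src/or/directory.c:2009
"""

def parse_stacks(report):
    """Return {'access': [(function, location), ...], 'freed': [...]}."""
    stacks, current, pending = {"access": [], "freed": []}, None, ""
    for raw in report.splitlines():
        line = raw.strip()
        header = next((n for n, rx in HEADERS if rx.match(line)), None)
        if header or not line or current is None:
            current, pending = header, ""  # a blank line ends a stack
            continue
        # A frame split by mail wrapping continues on the next line.
        pending = line if line.startswith("#") else pending + " " + line
        m = FRAME.match(pending)
        if m:
            stacks[current].append(m.groups())
            pending = ""
    return stacks

def free_then_use(report):
    """Innermost function on both stacks: (function, free site, use site)."""
    stacks = parse_stacks(report)
    freed = dict(reversed(stacks["freed"]))  # innermost occurrence wins
    for fn, use_site in stacks["access"]:
        if fn in freed:
            return fn, freed[fn], use_site
    return None
```

On the sample, `free_then_use(SAMPLE)` reports `networkstatus_set_current_consensus` with the free at `src/or/networkstatus.c:1662` and the access path starting at `src/or/networkstatus.c:1690`, which is the pair of lines to read first when reviewing the fix.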

