[tor-bugs] #23372 [Core Tor/Tor]: test: stack-use-after-scope in hs_service/build_update_descriptors

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Aug 31 12:33:05 UTC 2017 

#23372: test: stack-use-after-scope in hs_service/build_update_descriptors
------------------------------+--------------------------------
     Reporter:  dgoulet       |      Owner:  (none)
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:  Tor: 0.3.2.x-final
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:  tor-test, tor-hs
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+--------------------------------
 Here is the libasan stacktrace:
 {{{
 ==32333==ERROR: AddressSanitizer: stack-use-after-scope on address
 0x7ffd2c537fe8 at pc 0x55a25e624399 bp 0x7ffd2c537920 sp 0x7ffd2c537910
 READ of size 1 at 0x7ffd2c537fe8 thread T0
     #0 0x55a25e624398 in node_allows_single_hop_exits
 src/or/nodelist.c:984
     #1 0x55a25e708afb in router_choose_random_node
 src/or/routerlist.c:2815
     #2 0x55a25e5c2493 in pick_intro_point src/or/hs_service.c:1406
     #3 0x55a25e5c2493 in pick_needed_intro_points src/or/hs_service.c:1498
     #4 0x55a25e5c2493 in update_service_descriptor
 src/or/hs_service.c:1589
     #5 0x55a25e5c2493 in update_all_descriptors src/or/hs_service.c:1622
     #6 0x55a25e1337c6 in test_build_update_descriptors
 src/test/test_hs_service.c:1140
     #7 0x55a25e31f01a in testcase_run_bare_ src/ext/tinytest.c:106
     #8 0x55a25e31f989 in testcase_run_forked_ src/ext/tinytest.c:190
     #9 0x55a25e31f989 in testcase_run_one src/ext/tinytest.c:248
     #10 0x55a25e321013 in tinytest_main src/ext/tinytest.c:435
     #11 0x55a25dee3200 in main src/test/testing_common.c:319
     #12 0x7f11c6e08420 in __libc_start_main (/lib/x86_64-linux-
 gnu/libc.so.6+0x20420)
     #13 0x55a25dee5ee9 in _start (src/test/test+0x956ee9)
 }}}

 The issue seems to be that we use `routerinfo_t ri;` on the stack and then
 assign it to a `node_t` with `nodelist_set_routerinfo(&ri, NULL)`.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23372>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list