[tor-bugs] #22368 [Core Tor/Tor]: double-free of MyFamily lines
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed May 24 22:40:05 UTC 2017
#22368: double-free of MyFamily lines
------------------------------+--------------------------------
Reporter: arma | Owner:
Type: defect | Status: new
Priority: Medium | Milestone: Tor: 0.3.1.x-final
Component: Core Tor/Tor | Version: Tor: 0.3.1.1-alpha
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------+--------------------------------
Run a relay under valgrind with "myfamily moria1", and then ctrl-C it once
it bootstraps. Upon exit, you'll get:
{{{
==17604== Invalid free() / delete / delete[] / realloc()
==17604== at 0x4C29E90: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==17604== by 0x277E75: config_free_lines (confline.c:323)
==17604== by 0x1F56F2: or_options_free (config.c:898)
==17604== by 0x1F6583: config_free_all (config.c:907)
==17604== by 0x157CCC: tor_free_all (main.c:3238)
==17604== by 0x157DB0: tor_cleanup (main.c:3310)
==17604== by 0x2614E5: hibernate_begin (hibernate.c:818)
==17604== by 0x1584E9: process_signal (main.c:2686)
==17604== by 0x1584E9: signal_callback (main.c:2663)
==17604== by 0x5361A14: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.9)
==17604== by 0x156E23: run_main_loop_once (main.c:2594)
==17604== by 0x156E23: run_main_loop_until_done (main.c:2648)
==17604== by 0x156E23: do_main_loop (main.c:2561)
==17604== by 0x15A664: tor_main (main.c:3745)
==17604== by 0x152628: main (tor_main.c:34)
==17604== Address 0x668f9a0 is 0 bytes inside an unallocated block of size 16 in arena "client"
}}}
User DeS originally found this bug on #22255, with this stack trace:
{{{
==33656== Invalid free() / delete / delete[] / realloc()
==33656== at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==33656== by 0x1A4378: routerinfo_free (routerlist.c:3172)
==33656== by 0x199BF6: router_rebuild_descriptor (router.c:2449)
==33656== by 0x199CD2: router_get_my_routerinfo (router.c:2013)
==33656== by 0x1D183E: channel_tls_process_netinfo_cell (channeltls.c:1679)
==33656== by 0x1D183E: channel_tls_handle_cell (channeltls.c:1133)
==33656== by 0x2137A0: connection_or_process_cells_from_inbuf (connection_or.c:2085)
==33656== by 0x20ABE4: connection_handle_read_impl (connection.c:3451)
==33656== by 0x153CB0: conn_read_callback (main.c:736)
==33656== by 0x5363F23: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.9)
==33656== by 0x154DDC: run_main_loop_once (main.c:2594)
==33656== by 0x154DDC: run_main_loop_until_done (main.c:2648)
==33656== by 0x154DDC: do_main_loop (main.c:2561)
==33656== by 0x158594: tor_main (main.c:3745)
==33656== by 0x1507C8: main (tor_main.c:34)
==33656== Address 0x6453720 is 0 bytes inside a block of size 42 free'd
==33656== at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==33656== by 0x1995BC: router_build_fresh_descriptor (router.c:2327)
==33656== by 0x199BE2: router_rebuild_descriptor (router.c:2445)
==33656== by 0x199CD2: router_get_my_routerinfo (router.c:2013)
==33656== by 0x1D183E: channel_tls_process_netinfo_cell (channeltls.c:1679)
==33656== by 0x1D183E: channel_tls_handle_cell (channeltls.c:1133)
==33656== by 0x2137A0: connection_or_process_cells_from_inbuf (connection_or.c:2085)
==33656== by 0x20ABE4: connection_handle_read_impl (connection.c:3451)
==33656== by 0x153CB0: conn_read_callback (main.c:736)
==33656== by 0x5363F23: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.9)
==33656== by 0x154DDC: run_main_loop_once (main.c:2594)
==33656== by 0x154DDC: run_main_loop_until_done (main.c:2648)
==33656== by 0x154DDC: do_main_loop (main.c:2561)
==33656== by 0x158594: tor_main (main.c:3745)
==33656== by 0x1507C8: main (tor_main.c:34)
==33656==
==33656== Invalid free() / delete / delete[] / realloc()
==33656== at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==33656== by 0x1995BC: router_build_fresh_descriptor (router.c:2327)
==33656== by 0x199BE2: router_rebuild_descriptor (router.c:2445)
==33656== by 0x199CD2: router_get_my_routerinfo (router.c:2013)
==33656== by 0x19A358: router_my_exit_policy_is_reject_star (router.c:1963)
==33656== by 0x247025: dns_resolve_impl.constprop.9 (dns.c:720)
==33656== by 0x249A68: dns_resolve (dns.c:614)
==33656== by 0x2101BA: connection_exit_begin_conn (connection_edge.c:3292)
==33656== by 0x17B4A0: connection_edge_process_relay_cell (relay.c:1648)
==33656== by 0x17CCD8: circuit_receive_relay_cell (relay.c:328)
==33656== by 0x1EF725: command_process_relay_cell (command.c:542)
==33656== by 0x1EF725: command_process_cell (command.c:196)
==33656== by 0x1D19A2: channel_tls_handle_cell (channeltls.c:1152)
==33656== Address 0x6452e10 is 80 bytes inside a block of size 128 alloc'd
==33656== at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==33656== by 0x5858E68: CRYPTO_realloc (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==33656== by 0x58DF3B9: sk_dup (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==33656== by 0x55D900D: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==33656== by 0x55D13B3: SSL_set_cipher_list (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==33656== by 0x29407E: tor_tls_session_secret_cb (tortls.c:1599)
==33656== by 0x55AD7D5: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==33656== by 0x55B1DAC: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==33656== by 0x55BF863: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==33656== by 0x2973A2: tor_tls_handshake (tortls.c:1901)
==33656== by 0x216D7F: connection_tls_continue_handshake (connection_or.c:1420)
==33656== by 0x217137: connection_tls_start_handshake (connection_or.c:1372)
==33656==
==33656== Invalid read of size 8
==33656== at 0x58E41E1: EVP_MD_CTX_cleanup (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==33656== by 0x58E463D: EVP_MD_CTX_destroy (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==33656== by 0x55BA0D0: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==33656== by 0x55B789B: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==33656== by 0x55D44DA: SSL_free (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==33656== by 0x295BD5: tor_tls_free (tortls.c:1794)
==33656== by 0x204EA7: connection_free_ (connection.c:572)
==33656== by 0x1536BD: conn_close_if_marked (main.c:908)
==33656== by 0x1536BD: close_closeable_connections (main.c:700)
==33656== by 0x153FE0: run_scheduled_events (main.c:1474)
==33656== by 0x153FE0: second_elapsed_callback (main.c:2175)
==33656== by 0x5363F23: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.9)
==33656== by 0x154DDC: run_main_loop_once (main.c:2594)
==33656== by 0x154DDC: run_main_loop_until_done (main.c:2648)
==33656== by 0x154DDC: do_main_loop (main.c:2561)
==33656== by 0x158594: tor_main (main.c:3745)
==33656== Address 0x699aeaf2 is not stack'd, malloc'd or (recently) free'd
}}}
Once we've resolved this ticket, we should take a closer look at that last
"Invalid read of size 8" stanza, and open a new ticket for it if needed.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22368>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
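The traces above show config_free_lines releasing the MyFamily list when it has already been freed, which is the signature of two owners holding one list. As an added illustration (constructed here; not Tor's code and not this ticket's fix), a minimal stand-in for config_line_t with the aliasing pattern that produces such a report beside the deep-copy and ownership-transfer patterns that avoid it; config_line_append, family_copy, family_move and config_lines_count are names chosen for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for Tor's config_line_t (not Tor's code). */
typedef struct config_line_t {
  char *key;
  char *value;
  struct config_line_t *next;
} config_line_t;

/* Only the field this ticket is about. */
typedef struct { config_line_t *MyFamily; } or_options_t;

config_line_t *config_line_append(config_line_t *front, const char *key, const char *value) {
  config_line_t *l = calloc(1, sizeof *l);
  l->key = strdup(key);
  l->value = strdup(value);
  if (!front) return l;
  config_line_t *p = front;
  while (p->next) p = p->next;
  p->next = l;
  return front;
}

/* Frees every node. Calling it twice on the same list is exactly the
 * "Invalid free()" valgrind reports above; NULL is a safe no-op. */
void config_free_lines(config_line_t *front) {
  while (front) {
    config_line_t *next = front->next;
    free(front->key);
    free(front->value);
    free(front);
    front = next;
  }
}

/* Deep copy: the two owners never share nodes. */
config_line_t *config_lines_dup(const config_line_t *src) {
  config_line_t *out = NULL;
  for (; src; src = src->next) out = config_line_append(out, src->key, src->value);
  return out;
}

/* Unsafe: both structs point at one list, and each owner's cleanup frees it. Never called. */
void family_alias_unsafe(or_options_t *dst, or_options_t *src) { dst->MyFamily = src->MyFamily; }
/* Safe option 1: give the second owner its own copy. */
void family_copy(or_options_t *dst, const or_options_t *src) { dst->MyFamily = config_lines_dup(src->MyFamily); }
/* Safe option 2: transfer ownership and null the source so its free becomes a no-op. */
void family_move(or_options_t *dst, or_options_t *src) { dst->MyFamily = src->MyFamily; src->MyFamily = NULL; }
size_t config_lines_count(const config_line_t *l) { size_t n = 0; for (; l; l = l->next) n++; return n; }
```

Running the copy or move path under valgrind is clean; routing the same lists through family_alias_unsafe and freeing both owners reproduces the "Invalid free()" stanza.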