[tor-bugs] #26311 [Core Tor/Tor]: Error in `/usr/bin/tor': free(): invalid next size (normal): 0x000055ed468598d0

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jun 11 14:49:12 UTC 2018


#26311: Error in `/usr/bin/tor': free(): invalid next size (normal):
0x000055ed468598d0
--------------------------+------------------------------------
 Reporter:  cypherpunks   |          Owner:  (none)
     Type:  defect        |         Status:  new
 Priority:  Medium        |      Milestone:  Tor: 0.3.4.x-final
Component:  Core Tor/Tor  |        Version:  Tor: 0.3.3.5-rc
 Severity:  Normal        |     Resolution:
 Keywords:                |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+------------------------------------

Comment (by starlight):

 Speculative yet plausible theory:

 Allowing the possibility network storage is not directly corrupting
 memory, the slowness of paging over network may be exposing a race-
 condition bug where an unprotected critical-section results in corruption.
 This of course is the nastiest class of bug.

 My understanding is that much of the work processing consensus documents
 was recently moved from the main event-loop thread to worker threads and
 this might have led to the introduction of an unprotected race.

 Issue may have arrived suddenly due to increasing memory pressure on the
 shared container or VM from other instances; where previously paging may
 have not been present, but occurs now.  If successfuly locking of memory
 with `DisableAllSwap` reduces or eliminates the traps, theory is further
 validated.

 Best way to find such bugs in my experience with the Valgrind compnent
 Helgrind.  Helgrind shows where the problem resides without necessarily
 triggering it.  Slow as Hell though. . .only runs test.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26311#comment:23>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list