[tor-bugs] #27995 [Core Tor/Tor]: hs v3 auth descriptor cookie validation: tor crash when parsing .auth file after SIGHUP
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Oct 10 21:49:52 UTC 2018
#27995: hs v3 auth descriptor cookie validation: tor crash when parsing .auth file
after SIGHUP
-------------------------------------------------+-------------------------
Reporter: madage | Owner: (none)
Type: defect | Status: new
Priority: Medium | Component: Core
| Tor/Tor
Version: Tor: 0.3.5.2-alpha | Severity: Normal
Keywords: hs onion service v3 descriptor | Actual Points:
cookie validation |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Hello devs,
While running tor onion service v3 with client auth disabled, if a new
client .auth file is put under the authorized_clients subdir and a SIGHUP
is sent to tor, the main process crashes after a bad assertion.
######
Oct 10 16:29:42.000 [info] load_client_keys(): Loading a client
authorization key file a.auth...
Oct 10 16:29:42.000 [info] load_client_keys(): Loaded a client
authorization key file a.auth.
Oct 10 16:29:42.000 [err] tor_assertion_failed_(): Bug:
../tor-0.3.5.2-alpha/src/feature/hs/hs_descriptor.c:2883:
hs_desc_build_authorized_client: Assertion !tor_mem_is_zero((char *)
descriptor_cookie, HS_DESC_DESCRIPTOR_COOKIE_LEN) failed; aborting. (on
Tor 0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: Assertion !tor_mem_is_zero((char *)
descriptor_cookie, HS_DESC_DESCRIPTOR_COOKIE_LEN) failed in
hs_desc_build_authorized_client at
../tor-0.3.5.2-alpha/src/feature/hs/hs_descriptor.c:2883. Stack trace: (on
Tor 0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: tor(log_backtrace_impl+0x5a) [0x781307]
(on Tor 0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: tor(tor_assertion_failed_+0x105)
[0x77bc33] (on Tor 0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug:
tor(hs_desc_build_authorized_client+0x255) [0x58cfa8] (on Tor
0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: tor(+0x1216c9) [0x5936c9] (on Tor
0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: tor(+0x1207f5) [0x5927f5] (on Tor
0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: tor(+0x11ed28) [0x590d28] (on Tor
0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: tor(hs_service_load_all_keys+0xdc)
[0x598fb8] (on Tor 0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: tor(+0x1bf5ea) [0x6315ea] (on Tor
0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: tor(set_options+0xb0) [0x62e9f5] (on
Tor 0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: tor(options_init_from_string+0x63d)
[0x63b6d6] (on Tor 0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: tor(options_init_from_torrc+0x4f8)
[0x63ad2c] (on Tor 0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: tor(+0x43a82) [0x4b5a82] (on Tor
0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: tor(+0x44666) [0x4b6666] (on Tor
0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: tor(+0x4443a) [0x4b643a] (on Tor
0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: /usr/lib/i386-linux-
gnu/libevent-2.1.so.6(+0x209db) [0xb7dfa9db] (on Tor 0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: /usr/lib/i386-linux-
gnu/libevent-2.1.so.6(event_base_loop+0x4d1) [0xb7dfb3b1] (on Tor
0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: tor(tor_libevent_run_event_loop+0x4b)
[0x67047e] (on Tor 0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: tor(+0x4418c) [0x4b618c] (on Tor
0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: tor(+0x443a2) [0x4b63a2] (on Tor
0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: tor(do_main_loop+0x372) [0x4b60e6] (on
Tor 0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: tor(tor_run_main+0x256) [0x4bb6ac] (on
Tor 0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: tor(tor_main+0x8a) [0x4b00d5] (on Tor
0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: tor(main+0x46) [0x4afc8f] (on Tor
0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: /lib/i386-linux-
gnu/libc.so.6(__libc_start_main+0xf1) [0xb791c9a1] (on Tor 0.3.5.2-alpha )
Oct 10 16:29:42.000 [err] Bug: tor(+0x3db41) [0x4afb41] (on Tor
0.3.5.2-alpha )
######
This crash happened while running a non-optimized tor version and this is
the backtrace from gdb:
#0 0xb7f75b91 in __kernel_vsyscall ()
#1 0xb7931112 in __libc_signal_restore_set (set=0xbfe7a9fc) at
../sysdeps/unix/sysv/linux/nptl-signals.h:80
#2 __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:48
#3 0xb7932531 in __GI_abort () at abort.c:79
#4 0x0058cfad in hs_desc_build_authorized_client ()
#5 0x005936c9 in build_service_desc_superencrypted ()
#6 0x005927f5 in move_descriptors ()
#7 0x00590d28 in register_all_services ()
#8 0x00598fb8 in hs_service_load_all_keys ()
#9 0x006315ea in options_act ()
#10 0x0062e9f5 in set_options ()
#11 0x0063b6d6 in options_init_from_string ()
#12 0x0063ad2c in options_init_from_torrc ()
#13 0x004b5a82 in do_hup ()
#14 0x004b6666 in process_signal ()
#15 0x004b643a in signal_callback ()
#16 0xb7dfa9db in ?? () from /usr/lib/i386-linux-gnu/libevent-2.1.so.6
#17 0xb7dfb3b1 in event_base_loop () from /usr/lib/i386-linux-
gnu/libevent-2.1.so.6
#18 0x0067047e in tor_libevent_run_event_loop ()
#19 0x004b618c in run_main_loop_once ()
#20 0x004b63a2 in run_main_loop_until_done ()
#21 0x004b60e6 in do_main_loop ()
#22 0x004bb6ac in tor_run_main ()
#23 0x004b00d5 in tor_main ()
#24 0x004afc8f in main ()
######
If the process is restarted, there is no problem setting up the descriptor
cookie.
I've coded a dirty patch that solves this problem:
On tor 0.3.5.2-alpha/src/feature/hs/hs_service.c
1764a1765,1771
> /* Test that descriptor_cookie is not zero because we will use it
> * bellow */
> if (tor_mem_is_zero((char*)desc->descriptor_cookie,
> HS_DESC_DESCRIPTOR_COOKIE_LEN)) {
> crypto_strongest_rand(desc->descriptor_cookie,
> sizeof(desc->descriptor_cookie));
> }
I don't know if this is the best course of action or if it would be wiser
to check it elsewhere.
TODO: elaborate a unit test.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27995>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list