[tor-bugs] #27708 [Core Tor/Tor]: Heap use-after-free on git master dbb0abc9f1a174efdb65d581f5dbe46dbad2ebb5
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Sep 14 14:21:45 UTC 2018
#27708: Heap use-after-free on git master dbb0abc9f1a174efdb65d581f5dbe46dbad2ebb5
------------------------------+--------------------------------
Reporter: dgoulet | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone: Tor: 0.3.5.x-final
Component: Core Tor/Tor | Version:
Severity: Normal | Keywords: regression, crash
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------+--------------------------------
I found this issue by setting an invalid `HiddenServiceDir` containing 2
levels of directories for tor to create, which it can't do, leading to
`options_act()` returning -1.
{{{
HiddenServiceDir /tmp/level1/level2
}}}
Here is the ASAN output:
{{{
==10573==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d000002948 at pc 0x55741b1f88d1 bp 0x7ffe0d70bc10 sp 0x7ffe0d70bc00
READ of size 8 at 0x61d000002948 thread T0
    #0 0x55741b1f88d0 in or_options_free_ src/app/config/config.c:1005
    #1 0x55741b2009af in config_free_all src/app/config/config.c:1034
    #2 0x55741ad38034 in tor_free_all src/core/mainloop/main.c:3693
    #3 0x55741ad38b6e in tor_run_main src/core/mainloop/main.c:4277
    #4 0x55741ad2286b in tor_main src/feature/api/tor_api.c:164
    #5 0x55741ad1d7cb in main src/app/main/tor_main.c:32
    #6 0x7fc43440109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #7 0x55741ad219e9 in _start (/home/dgoulet/Documents/git/tor/src/app/tor+0x9119e9)

0x61d000002948 is located 200 bytes inside of 2264-byte region [0x61d000002880,0x61d000003158)
freed by thread T0 here:
    #0 0x7fc43614cb70 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb70)
    #1 0x55741b23e3e7 in config_free_ src/app/config/confparse.c:871
    #2 0x55741b1f8548 in or_options_free_ src/app/config/config.c:1026
    #3 0x55741b22bbcc in options_init_from_string src/app/config/config.c:5487
    #4 0x55741b22d540 in options_init_from_torrc src/app/config/config.c:5233
    #5 0x55741ad37098 in tor_init src/core/mainloop/main.c:3540
    #6 0x55741ad389c0 in tor_run_main src/core/mainloop/main.c:4275
    #7 0x55741ad2286b in tor_main src/feature/api/tor_api.c:164
    #8 0x55741ad1d7cb in main src/app/main/tor_main.c:32
    #9 0x7fc43440109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

previously allocated by thread T0 here:
    #0 0x7fc43614cf30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30)
    #1 0x55741b3b378a in tor_malloc_ src/lib/malloc/malloc.c:45
    #2 0x55741b3b3821 in tor_malloc_zero_ src/lib/malloc/malloc.c:71
    #3 0x55741b22b294 in options_init_from_string src/app/config/config.c:5336
    #4 0x55741b22d540 in options_init_from_torrc src/app/config/config.c:5233
    #5 0x55741ad37098 in tor_init src/core/mainloop/main.c:3540
    #6 0x55741ad389c0 in tor_run_main src/core/mainloop/main.c:4275
    #7 0x55741ad2286b in tor_main src/feature/api/tor_api.c:164
    #8 0x55741ad1d7cb in main src/app/main/tor_main.c:32
    #9 0x7fc43440109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-use-after-free src/app/config/config.c:1005 in or_options_free_
}}}
Logs show:
{{{
Sep 14 10:20:00.000 [warn] Error creating directory /tmp/level1/level2: No such file or directory
Sep 14 10:20:00.000 [warn] Error loading rendezvous service keys
Sep 14 10:20:00.000 [err] set_options(): Bug: Acting on config options left us in a broken state. Dying. (on Tor 0.3.5.0-alpha-dev dbb0abc9f1a174ef)
}}}
What I can tell is that if `options_act()` returns -1, we'll inevitably
end up in this situation, so this isn't HS-only. It's kind of difficult to
follow the stack trace, as the use-after-free points to a free(). I know
that the pointer there is NULL at that time...
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27708>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
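The two stack traces above have the classic shape of an error path that frees a configuration object while a process-wide pointer still refers to it, so the normal shutdown teardown frees (and reads) it a second time. The following is an added illustration of that pattern and of the fix, written for this page; it is not Tor's code. `or_options_t`, `options_act_stub()`, `options_init_from_string()`, `config_free_all()`, the global `global_options` and the "more than two path components fails" rule are all constructed stand-ins named after the functions in the trace, and the dangling-pointer check records freed addresses as integers rather than dereferencing them, so the demo itself stays free of undefined behaviour:

```c
/* Added illustration of a free-then-reuse on a global options pointer.
 * Not Tor's code: every struct, function and failure rule here is a
 * constructed stand-in named after the frames in the ASAN report. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *hidden_service_dir;   /* heap-owned, like a parsed torrc value */
} or_options_t;

/* Process-wide options pointer: the analogue of the global that the
 * shutdown path tears down. */
static or_options_t *global_options = NULL;

/* Address of the most recently freed options struct, kept as an integer
 * and never dereferenced, so a dangling global can be detected safely. */
static uintptr_t last_freed_options = 0;

static void or_options_free(or_options_t *opts) {
    if (!opts) return;
    last_freed_options = (uintptr_t)opts;
    free(opts->hidden_service_dir);
    free(opts);
}

/* Stand-in for options_act(): constructed rule that a HiddenServiceDir
 * nested more than two components below the root cannot be created
 * (mirrors the "/tmp/level1/level2" case from the ticket). */
static int options_act_stub(const or_options_t *opts) {
    int depth = 0;
    for (const char *p = opts->hidden_service_dir; *p; p++)
        if (*p == '/') depth++;
    return depth >= 3 ? -1 : 0;
}

/* Load options from a HiddenServiceDir value. With fixed == 0 the error
 * path frees the struct but leaves global_options pointing at it, which is
 * the shape of the two traces in the report. With fixed == 1 the global is
 * only published once options_act_stub() has succeeded. */
static int options_init_from_string(const char *hs_dir, int fixed) {
    or_options_t *newopts = calloc(1, sizeof(*newopts));
    if (!newopts) return -1;
    size_t n = strlen(hs_dir) + 1;
    newopts->hidden_service_dir = malloc(n);
    if (!newopts->hidden_service_dir) { free(newopts); return -1; }
    memcpy(newopts->hidden_service_dir, hs_dir, n);

    if (!fixed)
        global_options = newopts;   /* buggy: published before validation */

    if (options_act_stub(newopts) < 0) {
        or_options_free(newopts);   /* freed here ... */
        return -1;                  /* ... but the buggy global still points at it */
    }
    global_options = newopts;
    return 0;
}

/* Shutdown path: frees whatever the global points at. After the buggy init
 * this would be the second free that ASAN flags as a use-after-free. */
static void config_free_all(void) {
    or_options_free(global_options);
    global_options = NULL;
}

/* 1 if global_options refers to a struct that has already been freed. */
static int global_options_dangling(void) {
    return global_options != NULL &&
           (uintptr_t)global_options == last_freed_options;
}

/* Run one init attempt and return 1 if it left a dangling global. The
 * shutdown teardown is only invoked when it is safe, so the demo never
 * touches freed memory even in the buggy configuration. */
int run_scenario(const char *hs_dir, int fixed) {
    global_options = NULL;
    last_freed_options = 0;
    int rc = options_init_from_string(hs_dir, fixed);
    int dangling = global_options_dangling();
    if (!dangling)
        config_free_all();
    printf("%s init of %s: rc=%d dangling=%d\n",
           fixed ? "fixed" : "buggy", hs_dir, rc, dangling);
    return dangling;
}

int main(void) {
    run_scenario("/tmp/level1", 0);          /* succeeds: nothing dangles */
    run_scenario("/tmp/level1/level2", 0);   /* fails: global left dangling */
    run_scenario("/tmp/level1/level2", 1);   /* fails cleanly: global stays NULL */
    return 0;
}
```

The fix is deliberately "publish only on success" rather than "free and then NULL the global", because the former also covers the case where a half-initialised object would otherwise be visible to other code between publication and validation; building with `-fsanitize=address` and forcing the buggy path to call `config_free_all()` reproduces the same `heap-use-after-free` report shape as the ticket.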