[tor-bugs] #29819 [Core Tor/Tor]: Seccomp: sandbox crash on rt_sigaction with libseccomp 0.2.4 (was: Linux kernel 5.0.3 crashes sandbox configured Tor client)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Mar 24 21:38:18 UTC 2019
#29819: Seccomp: sandbox crash on rt_sigaction with libseccomp 0.2.4
---------------------------------------------+-----------------------------
 Reporter:  toralf                           |          Owner:  nickm
     Type:  defect                           |         Status:  assigned
 Priority:  Medium                           |      Milestone:  Tor: 0.4.0.x-final
Component:  Core Tor/Tor                     |        Version:  Tor: unspecified
 Severity:  Normal                           |     Resolution:
 Keywords:  crash, linux, sandbox, 040-must  |  Actual Points:
Parent ID:                                   |         Points:  0.2
 Reviewer:                                   |        Sponsor:
---------------------------------------------+-----------------------------
Changes (by pege):
* cc: peter@… (added)
* version: Tor: 0.4.0.2-alpha => Tor: unspecified
Comment:
I can reproduce this now. Running Tor 0.3.5.8 on Fedora 29 with libseccomp
0.2.4.
The sandbox violation appears to be in libevent
([https://github.com/libevent/libevent/blob/release-2.1.8-stable/signal.c#L258
signal.c:258])
I'll try to find some time in the next few days to track down the issue. I've
no clue yet why this should behave differently with libseccomp 0.2.4.
{{{
[user@repro-seccomp ~]$ sudo -u toranon gdb tor
...
Reading symbols from tor...Reading symbols from
/usr/lib/debug/usr/bin/tor-0.3.5.8-1.fc29.x86_64.debug...done.
done.
(gdb) r
Starting program: /usr/bin/tor
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
Mar 24 22:30:52.707 [notice] Tor 0.3.5.8 running on Linux with Libevent
2.1.8-stable, OpenSSL 1.1.1b, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd
1.3.8.
Mar 24 22:30:52.707 [notice] Tor can't help you if you use it wrong! Learn
how to be safe at https://www.torproject.org/download/download#warning
Mar 24 22:30:52.707 [notice] Read configuration file "/etc/tor/torrc".
Mar 24 22:30:52.709 [notice] Opening Socks listener on 127.0.0.1:9050
Mar 24 22:30:52.709 [notice] Opened Socks listener on 127.0.0.1:9050
Mar 24 22:30:52.709 [notice] Opening Control listener on /run/tor/control
Mar 24 22:30:52.709 [notice] Opened Control listener on /run/tor/control
Mar 24 22:30:52.000 [warn] Your log may contain sensitive information -
you're logging more than "notice". Don't log unless it serves an important
reason. Overwrite the log afterwards.
Mar 24 22:30:52.000 [info] options_act_reversible(): Recomputed OOS
thresholds: ConnLimit 1000, ConnLimit_ 4064, ConnLimit_high_thresh 4000,
ConnLimit_low_thresh 3048
Mar 24 22:30:52.000 [debug] tor_disable_debugger_attach(): Attemping to
disable debugger attachment to Tor for unprivileged users.
Mar 24 22:30:52.000 [info] tor_lockfile_lock(): Locking
"/var/lib/tor/.tor/lock"
Mar 24 22:30:52.000 [debug] parse_dir_authority_line(): Trusted 100
dirserver at 128.31.0.39:9131 (9695)
Mar 24 22:30:52.000 [debug] parse_dir_authority_line(): Trusted 100
dirserver at 86.59.21.38:80 (847B)
Mar 24 22:30:52.000 [debug] parse_dir_authority_line(): Trusted 100
dirserver at 194.109.206.212:80 (7EA6)
Mar 24 22:30:52.000 [debug] parse_dir_authority_line(): Trusted 16
dirserver at 66.111.2.131:9030 (BA44)
Mar 24 22:30:52.000 [debug] parse_dir_authority_line(): Trusted 100
dirserver at 131.188.40.189:80 (F204)
Mar 24 22:30:52.000 [debug] parse_dir_authority_line(): Trusted 100
dirserver at 193.23.244.244:80 (7BE6)
Mar 24 22:30:52.000 [debug] parse_dir_authority_line(): Trusted 100
dirserver at 171.25.193.9:443 (BD6A)
Mar 24 22:30:52.000 [debug] parse_dir_authority_line(): Trusted 100
dirserver at 154.35.175.225:80 (CF6D)
Mar 24 22:30:52.000 [debug] parse_dir_authority_line(): Trusted 100
dirserver at 199.58.81.140:80 (74A9)
Mar 24 22:30:52.000 [debug] parse_dir_authority_line(): Trusted 100
dirserver at 204.13.164.118:80 (24E2)
Mar 24 22:30:52.000 [debug] file_status(): stat()ing
/var/lib/tor/.tor/state
Mar 24 22:30:52.000 [info] or_state_load(): Loaded state from
"/var/lib/tor/.tor/state"
Mar 24 22:30:52.000 [info] circuit_build_times_parse_state(): Adding 0
timeouts.
Mar 24 22:30:52.000 [info] circuit_build_times_parse_state(): Loaded 0/0
values from 0 lines in circuit time histogram
Mar 24 22:30:52.000 [info] read_file_to_str(): Could not open
"/var/lib/tor/.tor/router-stability": No such file or directory
Mar 24 22:30:52.000 [debug] tor_rename(): Renaming
/run/tor/control.authcookie.tmp to /run/tor/control.authcookie
Mar 24 22:30:52.000 [info] init_cookie_authentication(): Generated auth
cookie file in '"/run/tor/control.authcookie"'.
Mar 24 22:30:52.000 [debug] kist_scheduler_run_interval():
KISTSchedRunInterval=0, turning to the consensus.
Mar 24 22:30:52.000 [debug] scheduler_can_use_kist(): Determined KIST
sched_run_interval should be 10. Can use KIST.
Mar 24 22:30:52.000 [info] scheduler_kist_set_full_mode(): Setting KIST
scheduler with kernel support (KIST mode)
Mar 24 22:30:52.000 [debug] kist_scheduler_run_interval():
KISTSchedRunInterval=0, turning to the consensus.
Mar 24 22:30:52.000 [info] cmux_ewma_set_options(): Enabled cell_ewma
algorithm because of value in CircuitPriorityHalflifeMsec in consensus;
scale factor is 0.793701 per 10 seconds
Mar 24 22:30:52.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Mar 24 22:30:52.000 [notice] Parsing GEOIP IPv6 file
/usr/share/tor/geoip6.
Mar 24 22:30:52.000 [info] add_predicted_port(): New port prediction
added. Will continue predictive circ building for 2807 more seconds.
Mar 24 22:30:52.000 [info] crypto_openssl_late_init(): NOT using OpenSSL
engine support.
Mar 24 22:30:52.000 [info] evaluate_evp_for_aes(): This version of OpenSSL
has a known-good EVP counter-mode implementation. Using it.
Program received signal SIGSYS, Bad system call.
0x00007ffff7879104 in __libc_sigaction (sig=sig@entry=1,
act=act@entry=0x7fffffffe100, oact=0x5555560f8db0)
at ../sysdeps/unix/sysv/linux/sigaction.c:58
58 result = INLINE_SYSCALL_CALL (rt_sigaction, sig,
Missing separate debuginfos, use: dnf debuginfo-install
libseccomp-2.4.0-0.fc29.x86_64
(gdb) bt
#0 0x00007ffff7879104 in __libc_sigaction (sig=sig@entry=1,
act=act@entry=0x7fffffffe100, oact=0x5555560f8db0)
at ../sysdeps/unix/sysv/linux/sigaction.c:58
#1 0x00007ffff7879239 in __sigaction (sig=sig@entry=1,
act=act@entry=0x7fffffffe100, oact=<optimized out>)
at ../nptl/sigaction.c:30
#2 0x00007ffff7def062 in evsig_set_handler_
(base=base@entry=0x5555558808a0, evsignal=evsignal@entry=1,
handler=handler@entry=0x7ffff7deec20 <evsig_handler>) at signal.c:258
#3 0x00007ffff7def1dc in evsig_add (base=0x5555558808a0, evsignal=1,
old=<optimized out>,
events=<optimized out>, p=<optimized out>) at signal.c:302
#4 0x00007ffff7de76f5 in evmap_signal_add_
(base=base@entry=0x5555558808a0, sig=<optimized out>,
ev=ev@entry=0x55555587cf90) at evmap.c:457
#5 0x00007ffff7de27be in event_add_nolock_ (ev=ev@entry=0x55555587cf90,
tv=tv@entry=0x0,
tv_is_absolute=tv_is_absolute@entry=0) at event.c:2602
#6 0x00007ffff7de2a8e in event_add (ev=0x55555587cf90, tv=tv@entry=0x0)
at event.c:2445
#7 0x00005555555acd6f in handle_signals () at src/app/main/main.c:508
#8 0x00005555555ad9df in run_tor_main_loop () at src/app/main/main.c:1275
#9 0x00005555555aee85 in tor_run_main
(tor_cfg=tor_cfg@entry=0x555555852950) at src/app/main/main.c:1484
#10 0x00005555555ac07e in tor_main (argc=1, argv=0x7fffffffe528) at
src/feature/api/tor_api.c:164
#11 0x00005555555abc0d in main (argc=<optimized out>, argv=<optimized
out>) at src/app/main/tor_main.c:32
(gdb) l
53 SET_SA_RESTORER (&kact, act);
54 }
55
56 /* XXX The size argument hopefully will have to be changed to
the
57 real size of the user-level sigset_t. */
58 result = INLINE_SYSCALL_CALL (rt_sigaction, sig,
59 act ? &kact : NULL,
60 oact ? &koact : NULL, STUB(act)
_NSIG / 8);
61
62 if (oact && result >= 0)
(gdb) f 1
#1 0x00007ffff7879239 in __sigaction (sig=sig@entry=1,
act=act@entry=0x7fffffffe100, oact=<optimized out>)
at ../nptl/sigaction.c:30
30 return __libc_sigaction (sig, act, oact);
(gdb) l
25 {
26 __set_errno (EINVAL);
27 return -1;
28 }
29
30 return __libc_sigaction (sig, act, oact);
31 }
32 libc_hidden_weak (__sigaction)
33 weak_alias (__sigaction, sigaction)
(gdb) f 2
#2 0x00007ffff7def062 in evsig_set_handler_
(base=base@entry=0x5555558808a0, evsignal=evsignal@entry=1,
handler=handler@entry=0x7ffff7deec20 <evsig_handler>) at signal.c:258
258 if (sigaction(evsignal, &sa, sig->sh_old[evsignal]) == -1)
{
(gdb) l
253 memset(&sa, 0, sizeof(sa));
254 sa.sa_handler = handler;
255 sa.sa_flags |= SA_RESTART;
256 sigfillset(&sa.sa_mask);
257
258 if (sigaction(evsignal, &sa, sig->sh_old[evsignal]) == -1)
{
259 event_warn("sigaction");
260 mm_free(sig->sh_old[evsignal]);
261 sig->sh_old[evsignal] = NULL;
262 return (-1);
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29819#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online