[tor-bugs] #19859 [Core Tor/Tor]: Expose stream isolation information to controllers

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Nov 11 21:44:05 UTC 2019


#19859: Expose stream isolation information to controllers
-------------------------------------------------+-------------------------
 Reporter:  nickm                                |          Owner:  (none)
     Type:  enhancement                          |         Status:
                                                 |  needs_revision
 Priority:  Medium                               |      Milestone:  Tor:
                                                 |  0.4.3.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-hs tor-control dns isolation     |  Actual Points:
  needs-spec needs-design term-project           |
Parent ID:                                       |         Points:  3
 Reviewer:  nickm                                |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by nickm):

 * status:  needs_review => needs_revision


Comment:

 CI isn't passing; the unit test seems to be failing with a use-after-free
 problem:
 {{{
 control/event/format_stream: [forking]
 =================================================================

 ==35695==ERROR: AddressSanitizer: heap-use-after-free on address
 0x602000627e90 at pc 0x00010a99e059 bp 0x7ffee6cd4160 sp 0x7ffee6cd3900

 WRITE of size 6 at 0x602000627e90 thread T0

     #0 0x10a99e058 in wrap_memset
 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x1b058)
     #1 0x7fff7f5fbb0c in memset_s (libsystem_c.dylib:x86_64+0x6db0c)
     #2 0x1096d6c99 in memwipe crypto_util.c:82
     #3 0x1094d695c in socks_request_free_ proto_socks.c:99
     #4 0x1093de8da in connection_free_minimal connection.c:685
     #5 0x10939d3d3 in testcase_run_one tinytest.c:107
     #6 0x10939dca2 in tinytest_main tinytest.c:454
     #7 0x10939b8e7 in main testing_common.c:350
     #8 0x7fff7f5443d4 in start (libdyld.dylib:x86_64+0x163d4)

 0x602000627e90 is located 0 bytes inside of 7-byte region
 [0x602000627e90,0x602000627e97)

 freed by thread T0 here:

     #0 0x10a9e1bed in wrap_free
 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5ebed)
     #1 0x1090a3e5e in test_cntev_format_stream
 test_controller_events.c:666
     #2 0x10939d3d3 in testcase_run_one tinytest.c:107
     #3 0x10939dca2 in tinytest_main tinytest.c:454
     #4 0x10939b8e7 in main testing_common.c:350
     #5 0x7fff7f5443d4 in start (libdyld.dylib:x86_64+0x163d4)

 previously allocated by thread T0 here:

     #0 0x10a9dbbbf in wrap_strdup
 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x58bbf)
     #1 0x109778e3f in tor_strdup_ malloc.c:165
     #2 0x1090a3316 in test_cntev_format_stream
 test_controller_events.c:552
     #3 0x10939d3d3 in testcase_run_one tinytest.c:107
     #4 0x10939dca2 in tinytest_main tinytest.c:454
     #5 0x10939b8e7 in main testing_common.c:350
     #6 0x7fff7f5443d4 in start (libdyld.dylib:x86_64+0x163d4)
 }}}

 To me, this looks like you're setting something up in a fake connection
 objecct that is getting double-freed.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19859#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list