[tor-dev] Torsocks 2.x issue - Need eyes on that

David Goulet dgoulet at ev0ke.net
Wed Oct 30 17:47:49 UTC 2013


On 30 Oct (12:28:19), Lunar wrote:
> Lunar:
> > David Goulet:
> > > Now the issue was detected with firefox which uses a custom malloc hook
> > > meaning that it handles its own memory allocation. This hook uses mmap()
> > > that firefox redefines to be a direct syscall(__NR_mmap, ...) and
> > > remember that this symbol is hijacked by torsocks.
> > > […]
> > > It's a bit of a catch 22 because torsocks is basically looking for the
> > > libc syscall symbol but then it gets called inside that lookup code
> > > path...
> > 
> > Wouldn't one way out be to also hook malloc to use a
> > static buffer until dlsym() is done? The code snippet in the following
> > answer is doing just that:
> > <http://stackoverflow.com/a/10008252>
> 
> Meh… scratch that. It looks like defining calloc() in libtorsocks.so is
> not enough to have our own function called. Not sure why.
> 
> With the attached patch, at least we panic cleanly.

Ok, I managed to make it work with Firefox. The fix is to simply handle
mmap/munmap inside the torsocks syscall code. This allows torsocks to
find the syscall symbol from the libc and work well afterwards. This
works because the firefox mmap() redefinition is not applied in
libtorsocks, thus we can directly call the mmap() symbol linked to the
libc.

However, and a BIG however, this is a special fix for a specific case
where memory allocation is handled by the application AND syscall() is
used. It will not cover the broader issue of using other syscalls within
a malloc hook, for instance.

After two days, I only see that solution for now as a "working fix" for
applications that use syscall() directly for their memory allocation.

Thoughts?

Cheers!
David
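The fix described above, as an added stand-alone example that is not torsocks code: a syscall() interposer that serves SYS_mmap/SYS_munmap through the library's own libc-bound mmap()/munmap() while the real syscall symbol is still unresolved, so a malloc hook issuing syscall(SYS_mmap) never re-enters the lookup. demo_syscall, demo_early_mmap_calls, early_mmap_calls and resolve_libc_syscall are hypothetical names, and the resolver stands in for the dlsym-based lookup torsocks does.

```c
#define _GNU_SOURCE
#include <stdarg.h>
#include <stddef.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

typedef long (*syscall_fn)(long number, ...);

/* Resolved lazily, like tsocks_libc_syscall: NULL until the lookup has run.
 * In that window a malloc hook calling syscall(SYS_mmap) would re-enter it. */
static syscall_fn real_syscall = NULL;
static int early_mmap_calls = 0;   /* times the pre-lookup path was taken */

/* Stand-in for tsocks_find_libc_symbol(): a real LD_PRELOAD interposer does
 * dlsym(RTLD_NEXT, "syscall") here; without one, libc's syscall() is next. */
static syscall_fn resolve_libc_syscall(void) { return syscall; }

/* Hypothetical interposer entry point. Linux passes at most six register
 * arguments; read them all as long (as libc does), so pass each as a long. */
long demo_syscall(long number, ...)
{
    long a[6];
    va_list ap;
    va_start(ap, number);
    for (int i = 0; i < 6; i++)
        a[i] = va_arg(ap, long);
    va_end(ap);
    if (real_syscall == NULL) {
        /* Serve mapping requests through libc's mmap()/munmap(), bound inside
         * this library and untouched by an application that redefines mmap()
         * as a raw syscall(). On failure they return -1 with errno set, as the
         * libc syscall() wrapper would. 32-bit SYS_mmap2 (offset in pages)
         * would need its own case. */
        switch (number) {
#ifdef SYS_mmap
        case SYS_mmap:
            early_mmap_calls++;
            return (long)mmap((void *)a[0], (size_t)a[1], (int)a[2],
                              (int)a[3], (int)a[4], (off_t)a[5]);
#endif
        case SYS_munmap:
            early_mmap_calls++;
            return munmap((void *)a[0], (size_t)a[1]);
        }
        real_syscall = resolve_libc_syscall();
    }
    return real_syscall(number, a[0], a[1], a[2], a[3], a[4], a[5]);
}

int demo_early_mmap_calls(void) { return early_mmap_calls; }
```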

> 
> -- 
> Lunar                                             <lunar at torproject.org>

> diff --git a/src/lib/syscall.c b/src/lib/syscall.c
> index 0edd460..d520c0a 100644
> --- a/src/lib/syscall.c
> +++ b/src/lib/syscall.c
> @@ -17,6 +17,8 @@
>  
>  #include <assert.h>
>  #include <stdarg.h>
> +#include <stdlib.h>
> +#include <stdio.h>
>  
>  #include <common/log.h>
>  
> @@ -112,6 +114,19 @@ LIBC_SYSCALL_DECL
>  	LIBC_SYSCALL_RET_TYPE ret;
>  	va_list args;
>  
> +#if defined(SYS_mmap) || defined(SYS_mmap2)
> +	if (NULL == tsocks_libc_syscall) {
> +		switch (__number) {
> +		case SYS_mmap:
> +#ifdef SYS_mmap2
> +		case SYS_mmap2:
> +#endif
> +			fprintf(stderr, "Panic! mmap has been called before we had our hands on the real syscall()\n");
> +			exit(EXIT_FAILURE);
> +			break;
> +		}
> +	}
> +#endif
>  	/* Find symbol if not already set. Exit if not found. */
>  	tsocks_libc_syscall = tsocks_find_libc_symbol(LIBC_SYSCALL_NAME_STR,
>  			TSOCKS_SYM_EXIT_NOT_FOUND);
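Review bot: `case SYS_mmap:` is unguarded, yet the enclosing `#if defined(SYS_mmap) || defined(SYS_mmap2)` also admits builds where only `SYS_mmap2` exists (32-bit x86 being the usual one), and there `SYS_mmap` is an undeclared identifier; wrap that label in `#ifdef SYS_mmap` the same way `SYS_mmap2` is wrapped. Two smaller points: the `break;` after `exit(EXIT_FAILURE);` is unreachable, and `SYS_munmap` is not covered, so the matching release from a malloc hook still recurses into the lookup. Since this path runs from inside the application's allocator, emitting the message with a plain `write(2)` rather than `fprintf()` avoids relying on stdio not allocating on the way down.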


