[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #30773 [Core Tor/Tor]: New bug class: Accessing rend_data/hs_ident after marking for close a circuit



#30773: New bug class:  Accessing rend_data/hs_ident after marking for close a
circuit
------------------------------+--------------------------------
     Reporter:  asn           |      Owner:  (none)
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:  Tor: 0.4.1.x-final
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:  tor-hs bug
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+--------------------------------
 See #30771 for an example of this issue:

 {{{
      circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_FINISHED);

      /* close any other intros launched in parallel */
 rend_client_close_other_intros(rend_data_get_pk_digest(circ->rend_data,
                                                            NULL));
 }}}

 It seems to be caused by a bad interaction between #29034 and #28780, plus
 some naughty v2 code. The v2 code marks the circuit as closed and then
 tries to access rend_data out of it, but because of #28780 the mark for
 close repurposes the circuit to a padding circuit instead, and then
 because #29034 we also clean its rend_data. This causes the crash.

 We should make sure that this pattern is impossible in other parts of the
 code, so that we don't assert out again, or even worse access freed
 memory.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30773>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs