[tor-bugs] #30773 [Core Tor/Tor]: New bug class: Accessing rend_data/hs_ident after marking for close a circuit
#30773: New bug class: Accessing rend_data/hs_ident after marking for close a circuit
------------------------------+--------------------------------
Reporter: asn | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone: Tor: 0.4.1.x-final
Component: Core Tor/Tor | Version:
Severity: Normal | Keywords: tor-hs bug
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------+--------------------------------
See #30771 for an example of this issue:
{{{
circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_FINISHED);
/* close any other intros launched in parallel */
rend_client_close_other_intros(rend_data_get_pk_digest(circ->rend_data,
NULL));
}}}
It seems to be caused by a bad interaction between #29034 and #28780, plus
some naughty v2 code. The v2 code marks the circuit as closed and then
tries to access rend_data out of it, but because of #28780 the mark for
close repurposes the circuit to a padding circuit instead, and then
because of #29034 we also clean its rend_data. This causes the crash.
We should make sure that this pattern is impossible in other parts of the
code, so that we don't assert out again, or even worse access freed
memory.
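As an added illustration (not Tor's code), a simplified C model of the ordering problem: the buggy mark-then-read order from the snippet above beside the read-then-mark order that never touches rend_data after circuit_mark_for_close(). The struct layouts, the model_* function names and the assumption that marking always repurposes the circuit are simplifications for this example.

```c
#include <stdlib.h>
#include <string.h>

#define DIGEST_LEN 20
/* Simplified models of Tor's rend_data_t and origin circuit (assumptions, not Tor's real structs). */
typedef struct { char pk_digest[DIGEST_LEN]; } rend_data_t;
typedef struct { rend_data_t *rend_data; int marked_for_close; int repurposed_as_padding; } origin_circuit_t;

/* Model of circuit_mark_for_close() after #28780 and #29034: the circuit is repurposed
 * as a padding circuit and its HS state freed. Assumption: the model always repurposes. */
static void model_mark_for_close(origin_circuit_t *circ) {
    circ->marked_for_close = 1;
    circ->repurposed_as_padding = 1;
    free(circ->rend_data);
    circ->rend_data = NULL;
}

/* Model of rend_data_get_pk_digest(): NULL when the circuit has no rend_data. */
static const char *model_get_pk_digest(const rend_data_t *rd) {
    return rd ? rd->pk_digest : NULL;
}

/* Buggy order from the ticket: mark first, then read rend_data.
 * Returns 0 on success, -1 where real Tor would assert or dereference NULL. */
int close_then_read(origin_circuit_t *circ, char out[DIGEST_LEN]) {
    model_mark_for_close(circ);
    const char *d = model_get_pk_digest(circ->rend_data);
    if (!d) return -1;
    memcpy(out, d, DIGEST_LEN);
    return 0;
}

/* Safe order: copy what is needed out of rend_data, then mark for close. */
int read_then_close(origin_circuit_t *circ, char out[DIGEST_LEN]) {
    const char *d = model_get_pk_digest(circ->rend_data);
    if (!d) return -1;
    memcpy(out, d, DIGEST_LEN);   /* digest is now in caller-owned storage */
    model_mark_for_close(circ);   /* rend_data may be freed here; it is never touched again */
    return 0;
}

/* Builds a circuit whose digest is DIGEST_LEN copies of `fill` (constructed test input). */
origin_circuit_t *make_circ(char fill) {
    origin_circuit_t *c = calloc(1, sizeof *c);
    c->rend_data = calloc(1, sizeof *c->rend_data);
    memset(c->rend_data->pk_digest, fill, DIGEST_LEN);
    return c;
}
```

The same check (grep for rend_data or hs_ident accesses that follow a circuit_mark_for_close() call in the same function) is how the remaining instances of this pattern can be found.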
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30773>