[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #16106 [Tor]: Sandbox causes crash when creating a hidden service through the control port

#16106: Sandbox causes crash when creating a hidden service through the control
port
----------------------+-------------------------------
 Reporter:  micahlee  |          Owner:
     Type:  defect    |         Status:  new
 Priority:  normal    |      Milestone:
Component:  Tor       |        Version:  Tor: 0.2.5.12
 Keywords:            |  Actual Points:
Parent ID:            |         Points:
----------------------+-------------------------------
 I'm trying to squash a bug with running OnionShare in Tails and I've
 narrowed it down to a bug in the Tor server in sandbox mode. Here's the
 related OnionShare issue:
 https://github.com/micahflee/onionshare/issues/179

 Here's a simple script that creates a hidden service using the Tor control
 port, with stem and flask:

 {{{#!python
 import os
 from stem.control import Controller
 from flask import Flask

 def main():
     # set up flask
     app = Flask("example")

     @app.route('/')
     def index():
         return "<h1>Testing Tor sandbox!</h1>"

     # set up hidden service
     controller = Controller.from_port()
     controller.authenticate()

     hs_dir = '/tmp/bugtest'
     print "Creating our hidden service in %s" % hs_dir

     controller.set_options([
         ('HiddenServiceDir', hs_dir),
         ('HiddenServicePort', '80 127.0.0.1:5000')
     ])

     onion = open(hs_dir + "/hostname", "r").read().strip()
     print 'Running on {0}'.format(onion)

     # start web app
     app.run(port=5000)

 if __name__ == '__main__':
     main()
 }}}

 (Note that you need to manually delete /tmp/bugtest before running this
 script a second time.)

 If you set "Sandbox 0" in torrc and run this script, it works great, and
 the output looks like this:

 {{{
 user@dev:~/code/tor-sandbox-hs-bug$ sudo python tor-sandbox-hs-bug.py
 Creating our hidden service in /tmp/bugtest
 Running on 3ekculjvzye6zr6s.onion
  * Running on http://127.0.0.1:5000/
 127.0.0.1 - - [18/May/2015 15:37:56] "GET / HTTP/1.1" 200 -
 127.0.0.1 - - [18/May/2015 15:37:59] "GET /favicon.ico HTTP/1.1" 404 -
 }}}

 But if you set "Sandbox 1" in torrc and run the same script again, the
 script throws an exception and tor crashes:

 {{{
 user@dev:~/code/tor-sandbox-hs-bug$ sudo python tor-sandbox-hs-bug.py
 Creating our hidden service in /tmp/bugtest
 Traceback (most recent call last):
   File "tor-sandbox-hs-bug.py", line 32, in <module>
     main()
   File "tor-sandbox-hs-bug.py", line 22, in main
     ('HiddenServicePort', '80 127.0.0.1:5000')
   File "/usr/lib/python2.7/dist-packages/stem/control.py", line 1859, in
 set_options
     response = self.msg(query)
   File "/usr/lib/python2.7/dist-packages/stem/control.py", line 469, in
 msg
     raise exc
 stem.SocketClosed: Received empty socket content.
 }}}

 Here's what ends up in the tor log:

 {{{
 May 18 15:38:48.000 [notice] New control connection opened from 127.0.0.1.
 May 18 15:38:48.000 [notice] Tor 0.2.5.12 (git-3731dd5c3071dcba) opening
 log file.
 May 18 15:38:48.000 [warn] sandbox_intern_string(): Bug: No interned
 sandbox parameter found for /tmp/bugtest
 May 18 15:38:48.000 [warn] sandbox_intern_string(): Bug: No interned
 sandbox parameter found for /tmp/bugtest/private_key
 May 18 15:38:48.000 [warn] sandbox_intern_string(): Bug: No interned
 sandbox parameter found for /tmp/bugtest/private_key.tmp

 ============================================================ T= 1431988728
 (Sandbox) Caught a bad syscall attempt (syscall open)
 /usr/bin/tor(+0x128176)[0x7f1391729176]
 /lib/x86_64-linux-gnu/libpthread.so.0(open64+0x10)[0x7f13901fa1d0]
 /lib/x86_64-linux-gnu/libpthread.so.0(open64+0x10)[0x7f13901fa1d0]
 /usr/bin/tor(tor_open_cloexec+0x40)[0x7f1391715380]
 /usr/bin/tor(start_writing_to_file+0xf2)[0x7f1391724182]
 /usr/bin/tor(+0x1232eb)[0x7f13917242eb]
 /usr/bin/tor(+0x123438)[0x7f1391724438]
 /usr/bin/tor(crypto_pk_write_private_key_to_filename+0xcb)[0x7f1391731b6b]
 /usr/bin/tor(init_key_from_file+0x172)[0x7f1391668302]
 /usr/bin/tor(+0x5a36e)[0x7f139165b36e]
 /usr/bin/tor(rend_service_load_all_keys+0x81)[0x7f139165d451]
 /usr/bin/tor(set_options+0xc5f)[0x7f13916bff5f]
 /usr/bin/tor(options_trial_assign+0xbb)[0x7f13916c14fb]
 /usr/bin/tor(+0xdbe2e)[0x7f13916dce2e]
 /usr/bin/tor(connection_control_process_inbuf+0x776)[0x7f13916e1056]
 /usr/bin/tor(+0xcbd95)[0x7f13916ccd95]
 /usr/bin/tor(+0x34a21)[0x7f1391635a21]
 /usr/lib/x86_64-linux-
 gnu/libevent-2.0.so.5(event_base_loop+0x7fc)[0x7f1390c8a3dc]
 /usr/bin/tor(do_main_loop+0x194)[0x7f1391637204]
 /usr/bin/tor(tor_main+0x1705)[0x7f139163a035]
 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7f138fc5fb45]
 /usr/bin/tor(+0x3279b)[0x7f139163379b]
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16106>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs