Re: [tor-bugs] #28312 [Core Tor/Tor]: Crash when configuring a PidFile containing ~
#28312: Crash when configuring a PidFile containing ~
-------------------------------------------------+-------------------------
Reporter: teor | Owner: (none)
Type: defect | Status: new
Priority: High | Milestone: Tor: 0.3.5.x-final
Component: Core Tor/Tor | Version: Tor: 0.3.2.1-alpha
Severity: Normal | Resolution:
Keywords: memory-safety, regression, security-low | Actual Points:
Parent ID: #28298 | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by teor):
It is reproducible, here's the AddressSanitizer output:
{{{
Nov 05 00:02:49.018 [notice] Tor 0.3.4.8 (git-da95b91355248ad8) running on Darwin with Libevent 2.1.8-stable, OpenSSL 1.0.2p, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.7.
...
=================================================================
==3252==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d000003d48 at pc 0x00010cfc9888 bp 0x7ffee2d27350 sp 0x7ffee2d27348
READ of size 8 at 0x61d000003d48 thread T0
    #0 0x10cfc9887 in or_options_free_ config.c:968
    #1 0x10cfc9ac7 in config_free_all config.c:997
    #2 0x10d1f9195 in tor_free_all main.c:3677
    #3 0x10d1f9a54 in tor_run_main main.c:4258
    #4 0x10d3c5e20 in tor_main tor_api.c:84
    #5 0x10ced8efa in main tor_main.c:32
    #6 0x7fff710f6014 in start (libdyld.dylib:x86_64+0x1014)
0x61d000003d48 is located 200 bytes inside of 2256-byte region [0x61d000003c80,0x61d000004550)
freed by thread T0 here:
    #0 0x10e27410d in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5710d)
    #1 0x10cfe7a16 in options_init_from_string config.c:5534
    #2 0x10cfe5b83 in options_init_from_torrc config.c:5280
    #3 0x10d1f88ff in tor_init main.c:3524
    #4 0x10d1f9a45 in tor_run_main main.c:4256
    #5 0x10d3c5e20 in tor_main tor_api.c:84
    #6 0x10ced8efa in main tor_main.c:32
    #7 0x7fff710f6014 in start (libdyld.dylib:x86_64+0x1014)
previously allocated by thread T0 here:
    #0 0x10e273f53 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56f53)
    #1 0x10d46b469 in tor_malloc_ util.c:150
    #2 0x10d46b520 in tor_malloc_zero_ util.c:178
    #3 0x10cfe6c8e in options_init_from_string config.c:5383
    #4 0x10cfe5b83 in options_init_from_torrc config.c:5280
    #5 0x10d1f88ff in tor_init main.c:3524
    #6 0x10d1f9a45 in tor_run_main main.c:4256
    #7 0x10d3c5e20 in tor_main tor_api.c:84
    #8 0x10ced8efa in main tor_main.c:32
    #9 0x7fff710f6014 in start (libdyld.dylib:x86_64+0x1014)
SUMMARY: AddressSanitizer: heap-use-after-free config.c:968 in or_options_free_
Shadow bytes around the buggy address:
0x1c3a00000750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c3a00000760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c3a00000770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c3a00000780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c3a00000790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c3a000007a0: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
0x1c3a000007b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3a000007c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3a000007d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3a000007e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3a000007f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3252==ABORTING
Abort trap: 6
Exit 134
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28312#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
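A triage helper for reports like the one in this comment, as an added example (not code from the ticket or from Tor): it splits AddressSanitizer output into its access, free and allocation stacks and names the first non-wrapper frame of each. The `WRAPPERS` prefixes and the `pointer_escaped_owner` heuristic are assumptions of this example; the sample input is a trimmed excerpt of the report above.

```python
import re

# Excerpt of the report above: lines and frames trimmed, mail wrapping kept.
REPORT = """\
==3252==ERROR: AddressSanitizer: heap-use-after-free on address
READ of size 8 at 0x61d000003d48 thread T0
#0 0x10cfc9887 in or_options_free_ config.c:968
#1 0x10cfc9ac7 in config_free_all config.c:997
freed by thread T0 here:
#0 0x10e27410d in wrap_free
(libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5710d)
#1 0x10cfe7a16 in options_init_from_string config.c:5534
previously allocated by thread T0 here:
#0 0x10e273f53 in wrap_malloc
(libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56f53)
#1 0x10d46b469 in tor_malloc_ util.c:150
#2 0x10d46b520 in tor_malloc_zero_ util.c:178
#3 0x10cfe6c8e in options_init_from_string config.c:5383
"""

FRAME = re.compile(r"#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)(?:\s+(\S+))?")
HEADERS = [("access", re.compile(r"(READ|WRITE) of size \d+")),
           ("free", re.compile(r"freed by thread")),
           ("alloc", re.compile(r"previously allocated by thread"))]
# Assumption: these prefixes are allocator plumbing, not the responsible caller.
WRAPPERS = re.compile(r"wrap_|__interceptor_|tor_malloc")

def parse_stacks(report):
    """Split an ASan report into stacks; non-frame lines (wrapped module names, shadow bytes) are skipped."""
    stacks, current = {}, None
    for line in map(str.strip, report.splitlines()):
        header = next((n for n, p in HEADERS if p.match(line)), None)
        frame = FRAME.match(line)
        if header:
            current = stacks.setdefault(header, [])
        elif frame and current is not None:
            current.append((frame.group(1), frame.group(2)))
    return stacks

def triage(report):
    """Return the bug type, the first non-wrapper frame per stack, and a heuristic flag."""
    kind = re.search(r"AddressSanitizer: (\S+)", report)
    sites = {name: next((f for f in frames if not WRAPPERS.match(f[0])), None)
             for name, frames in parse_stacks(report).items()}
    fn = {k: (v[0] if v else None) for k, v in sites.items()}
    # Heuristic: one function allocated and freed the block, another one read it later.
    escaped = fn.get("alloc") is not None and fn.get("alloc") == fn.get("free") != fn.get("access")
    return {"kind": kind.group(1) if kind else None, "sites": sites,
            "pointer_escaped_owner": escaped}
```

For this report the flag is set: `options_init_from_string` both allocated and freed the block, and `or_options_free_` read it afterwards.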