Opened 6 years ago

Closed 4 years ago

#10409 closed defect (fixed)

breaks on corrupted caches

Reported by: weasel Owned by:
Priority: Medium Milestone: Tor: 0.2.4.x-final
Component: Core Tor/Tor Version: Tor: 0.2.4.18-rc
Severity: Keywords: tor-client 023-backport
Cc: nickm Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

As reported in http://bugs.debian.org/732105, tor breaks when one of its cache files is corrupted:

weasel@valiant:~$ /usr/sbin/tor --SocksPort 1950
Dec 15 12:32:10.412 [notice] Tor v0.2.4.19 (git-9a83ee5e4d3cece4) running on Linux with Libevent 2.0.19-stable and OpenSSL 1.0.1e.
Dec 15 12:32:10.412 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Dec 15 12:32:10.412 [notice] Read configuration file "/etc/tor/torrc".
Dec 15 12:32:10.416 [notice] Opening Socks listener on 127.0.0.1:1950
Dec 15 12:32:10.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Dec 15 12:32:10.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Dec 15 12:32:10.000 [notice] We were built to run on a 64-bit CPU, with OpenSSL 1.0.1 or later, but with a version of OpenSSL that apparently lacks accelerated support for the NIST P-224 and P-256 groups. Building openssl with such support (using the enable-ec_nistp_64_gcc_128 option when configuring it) would make ECDH much faster.
Dec 15 12:32:10.000 [warn] Illegal nickname "P@last-listed" in family line
*** glibc detected *** /usr/sbin/tor: free(): invalid pointer: 0x00007f61d277a32b ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x76d76)[0x7f61d2e9bd76]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7f61d2ea0aac]
/usr/sbin/tor(+0x18ac2)[0x7f61d4518ac2]
/usr/sbin/tor(+0x66c4d)[0x7f61d4566c4d]
/usr/sbin/tor(+0x19d35)[0x7f61d4519d35]
/usr/sbin/tor(+0x19f81)[0x7f61d4519f81]
/usr/sbin/tor(+0x1a0ff)[0x7f61d451a0ff]
/usr/sbin/tor(+0x232b5)[0x7f61d45232b5]
/usr/sbin/tor(+0x1f5bd)[0x7f61d451f5bd]
/usr/sbin/tor(+0x1fccc)[0x7f61d451fccc]
/usr/sbin/tor(+0x168f9)[0x7f61d45168f9]
/usr/sbin/tor(+0x181de)[0x7f61d45181de]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7f61d2e43ead]
/usr/sbin/tor(+0x12a9d)[0x7f61d4512a9d]
======= Memory map: ========
7f61cc000000-7f61cc021000 rw-p 00000000 00:00 0 
7f61cc021000-7f61d0000000 ---p 00000000 00:00 0 
7f61d2457000-7f61d246c000 r-xp 00000000 fe:01 265249                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f61d246c000-7f61d266c000 ---p 00015000 fe:01 265249                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f61d266c000-7f61d266d000 rw-p 00015000 fe:01 265249                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f61d266d000-7f61d2b1b000 r--p 00000000 fe:02 264713                     /home/weasel/.tor/cached-microdescs
7f61d2b1b000-7f61d2c09000 rw-p 00000000 00:00 0 
7f61d2c09000-7f61d2c20000 r-xp 00000000 fe:01 262222                     /lib/x86_64-linux-gnu/libpthread-2.13.so
7f61d2c20000-7f61d2e1f000 ---p 00017000 fe:01 262222                     /lib/x86_64-linux-gnu/libpthread-2.13.so
7f61d2e1f000-7f61d2e20000 r--p 00016000 fe:01 262222                     /lib/x86_64-linux-gnu/libpthread-2.13.so
7f61d2e20000-7f61d2e21000 rw-p 00017000 fe:01 262222                     /lib/x86_64-linux-gnu/libpthread-2.13.so
7f61d2e21000-7f61d2e25000 rw-p 00000000 00:00 0 
7f61d2e25000-7f61d2fa5000 r-xp 00000000 fe:01 263183                     /lib/x86_64-linux-gnu/libc-2.13.so
7f61d2fa5000-7f61d31a5000 ---p 00180000 fe:01 263183                     /lib/x86_64-linux-gnu/libc-2.13.so
7f61d31a5000-7f61d31a9000 r--p 00180000 fe:01 263183                     /lib/x86_64-linux-gnu/libc-2.13.so
7f61d31a9000-7f61d31aa000 rw-p 00184000 fe:01 263183                     /lib/x86_64-linux-gnu/libc-2.13.so
7f61d31aa000-7f61d31af000 rw-p 00000000 00:00 0 
7f61d31af000-7f61d31b1000 r-xp 00000000 fe:01 262758                     /lib/x86_64-linux-gnu/libdl-2.13.so
7f61d31b1000-7f61d33b1000 ---p 00002000 fe:01 262758                     /lib/x86_64-linux-gnu/libdl-2.13.so
7f61d33b1000-7f61d33b2000 r--p 00002000 fe:01 262758                     /lib/x86_64-linux-gnu/libdl-2.13.so
7f61d33b2000-7f61d33b3000 rw-p 00003000 fe:01 262758                     /lib/x86_64-linux-gnu/libdl-2.13.so
7f61d33b3000-7f61d33ba000 r-xp 00000000 fe:01 263075                     /lib/x86_64-linux-gnu/librt-2.13.so
7f61d33ba000-7f61d35b9000 ---p 00007000 fe:01 263075                     /lib/x86_64-linux-gnu/librt-2.13.so
7f61d35b9000-7f61d35ba000 r--p 00006000 fe:01 263075                     /lib/x86_64-linux-gnu/librt-2.13.so
7f61d35ba000-7f61d35bb000 rw-p 00007000 fe:01 263075                     /lib/x86_64-linux-gnu/librt-2.13.so
7f61d35bb000-7f61d3772000 r-xp 00000000 fe:01 670240                     /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f61d3772000-7f61d3971000 ---p 001b7000 fe:01 670240                     /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f61d3971000-7f61d398c000 r--p 001b6000 fe:01 670240                     /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f61d398c000-7f61d399b000 rw-p 001d1000 fe:01 670240                     /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f61d399b000-7f61d399f000 rw-p 00000000 00:00 0 
7f61d399f000-7f61d39f5000 r-xp 00000000 fe:01 670241                     /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f61d39f5000-7f61d3bf4000 ---p 00056000 fe:01 670241                     /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f61d3bf4000-7f61d3bf7000 r--p 00055000 fe:01 670241                     /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f61d3bf7000-7f61d3bfe000 rw-p 00058000 fe:01 670241                     /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f61d3bfe000-7f61d3c43000 r-xp 00000000 fe:01 659299                     /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.7
7f61d3c43000-7f61d3e42000 ---p 00045000 fe:01 659299                     /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.7
7f61d3e42000-7f61d3e44000 r--p 00044000 fe:01 659299                     /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.7
7f61d3e44000-7f61d3e45000 rw-p 00046000 fe:01 659299                     /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.7
7f61d3e45000-7f61d3ec6000 r-xp 00000000 fe:01 263077                     /lib/x86_64-linux-gnu/libm-2.13.so
7f61d3ec6000-7f61d40c5000 ---p 00081000 fe:01 263077                     /lib/x86_64-linux-gnu/libm-2.13.so
7f61d40c5000-7f61d40c6000 r--p 00080000 fe:01 263077                     /lib/x86_64-linux-gnu/libm-2.13.so
7f61d40c6000-7f61d40c7000 rw-p 00081000 fe:01 263077                     /lib/x86_64-linux-gnu/libm-2.13.so
7f61d40c7000-7f61d40dd000 r-xp 00000000 fe:01 265244                     /lib/x86_64-linux-gnu/libz.so.1.2.7
7f61d40dd000-7f61d42dc000 ---p 00016000 fe:01 265244                     /lib/x86_64-linux-gnu/libz.so.1.2.7
7f61d42dc000-7f61d42dd000 r--p 00015000 fe:01 265244                     /lib/x86_64-linux-gnu/libz.so.1.2.7
7f61d42dd000-7f61d42de000 rw-p 00016000 fe:01 265244                     /lib/x86_64-linux-gnu/libz.so.1.2.7
7f61d42de000-7f61d42fe000 r-xp 00000000 fe:01 263187                     /lib/x86_64-linux-gnu/ld-2.13.so
7f61d430a000-7f61d440b000 rw-p 00000000 00:00 0 
7f61d44cd000-7f61d44d3000 rw-p 00000000 00:00 0 
7f61d44fb000-7f61d44fd000 rw-p 00000000 00:00 0 
7f61d44fd000-7f61d44fe000 r--p 0001f000 fe:01 263187                     /lib/x86_64-linux-gnu/ld-2.13.so
7f61d44fe000-7f61d44ff000 rw-p 00020000 fe:01 263187                     /lib/x86_64-linux-gnu/ld-2.13.so
7f61d44ff000-7f61d4500000 rw-p 00000000 00:00 0 
7f61d4500000-7f61d46b8000 r-xp 00000000 fe:01 674775                     /usr/bin/tor
7f61d48b7000-7f61d48ba000 r--p 001b7000 fe:01 674775                     /usr/bin/tor
7f61d48ba000-7f61d48c0000 rw-p 001ba000 fe:01 674775                     /usr/bin/tor
7f61d48c0000-7f61d48c3000 rw-p 00000000 00:00 0 
7f61d4f22000-7f61d55ab000 rw-p 00000000 00:00 0                          [heap]
7fffd698a000-7fffd69ab000 rw-p 00000000 00:00 0                          [stack]
7fffd69d5000-7fffd69d6000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
zsh: abort      /usr/sbin/tor --SocksPort 1950
e134:weasel@valiant:~$ 

I'll attach the cached-microdescs file.

Child Tickets

Attachments (1)

cached-microdescs.xz (1.7 MB) - added by weasel 6 years ago.

Download all attachments as: .zip

Change History (12)

Changed 6 years ago by weasel

Attachment: cached-microdescs.xz added

comment:1 Changed 6 years ago by weasel

Component: - Select a componentTor
Version: Tor: 0.2.4.18-rc

comment:2 Changed 6 years ago by arma

Milestone: Tor: 0.2.3.x-final

Good bug! I reproduced it on release-0.2.3 branch too.

comment:3 Changed 6 years ago by arma

If you want a shorter cached-microdesc file that still causes it, here's one:

@last-listed 2013-08-08 19:02:59
onion-key
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAM91vLFNaM+gGhnRIdz2Cm/Kl7Xz0cOobIdVzhS3cKUJfk867hCuTipS
NveLBzNopvgXKruAAzEj3cACxk6Q8lv5UWOGCD1UolkgsWSE62RBjap44g+oc9J1
RI9968xOTZw0VaBQg9giEILNXl0djoikQ+5tQRUvLDDa67gpa5Q1AgMBAAE=
-----END RSA PUBLIC KEY-----
family @

comment:4 Changed 6 years ago by arma

Cc: nickm added
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 299d07d..f934d44 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -4444,6 +4444,8 @@ microdescs_parse_from_string(const char *s, const char *e
 
     md = NULL;
   next:
+    if (!copy_body)
+      md->body = NULL;
     microdesc_free(md);
     md = NULL;
 

fixes it for me. But maybe there is a smarter / more right fix.

comment:5 Changed 6 years ago by arma

(There is a more right fix. Checking if (md && !copy_body) is wiser.)

comment:6 Changed 6 years ago by arma

bob points out that every instance of microdesc_free is potentially triggerable.

I guess we either have to sort it out by context (sounds fragile), or maybe we have a bit that specifies whether we malloced into body or not.

comment:7 Changed 6 years ago by cypherpunks

Simpler fix is to pass where to microdescs_parse_from_string(). It's safe to assign saved_location accordingly to where as it already known what is body pointer about. dirvote_create_microdescriptor() should to pass SAVED_NOWHERE to microdescs_parse_from_string() for this case, it's actually saves md nowhere yet.

Last edited 6 years ago by cypherpunks (previous) (diff)

comment:8 Changed 6 years ago by nickm

That seems like a better fix. I'll hack it up some time today, unless someone else is working on it.

comment:9 Changed 6 years ago by nickm

Keywords: tor-client 023-backport added
Milestone: Tor: 0.2.3.x-finalTor: 0.2.4.x-final
Status: newneeds_review

That was nice and easy. Branch "bug10409_023" in my public repository applies to 0.2.3 and later. Test included.

This patch could also have removed some of the now-redundant code that sets md->saved_location later on, but frankly it didn't seem like the best idea to change the code more than necessary in a stable release.

Needs review.

comment:10 Changed 6 years ago by nickm

Milestone: Tor: 0.2.4.x-finalTor: 0.2.3.x-final

Merged into 0.2.4. Backportable into 0.2.3.

comment:11 Changed 4 years ago by nickm

Milestone: Tor: 0.2.3.x-finalTor: 0.2.4.x-final
Resolution: fixed
Status: needs_reviewclosed

Marking a batch of tickets that had been under consideration for 0.2.3 backport as fixed-in-0.2.4. There is no plan for further 0.2.3 releases.

Note: See TracTickets for help on using tickets.