Opened 5 years ago

Closed 5 years ago

#13325 closed defect (fixed)

Tor crash on OpenBSD-current since 2014-08-10

Reported by: fredzupy
Owned by:
Priority: High
Milestone: Tor: 0.2.5.x-final
Component: Core Tor/Tor
Version:
Severity:
Keywords: tor-relay openbsd 024-backport
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Tor is broken under OpenBSD-current since this patch, I think: <http://marc.info/?l=openbsd-cvs&m=140768179627976&w=2>.
The function prune_v2_cipher_list() in src/common/tortls.c now crashes Tor (Segmentation fault). All Tor versions are impacted.

Commenting out the prune_v2_cipher_list() call seems to be enough as a workaround.

Here is a gdb backtrace with tor-0.2.5.7-rc in debug mode:

Oct 02 14:41:12.000 [debug] tor_tls_debug_state_callback(): SSL 0x83b91000 is now in state before/accept initialization [type=16,val=1].
Oct 02 14:41:12.000 [debug] tor_tls_debug_state_callback(): SSL 0x83b91000 is now in state before/accept initialization [type=8193,val=1].
Oct 02 14:41:12.000 [debug] tor_tls_debug_state_callback(): SSL 0x83b91000 is now in state unknown state [type=8194,val=-1].
Oct 02 14:41:12.000 [debug] tor_tls_handshake(): After call, 0x82a59d80 was in state unknown state
Oct 02 14:41:12.000 [debug] connection_tls_continue_handshake(): wanted read
Oct 02 14:41:12.000 [debug] conn_read_callback(): socket 22 wants to read.
Oct 02 14:41:12.000 [debug] tor_tls_handshake(): About to call SSL_accept on 0x82a59d80 (unknown state)

Program received signal SIGSEGV, Segmentation fault.
0x00000000 in ?? ()
(gdb) bt
#0 0x00000000 in ?? ()
#1 0x1a8d578b in tor_tls_classify_client_ciphers (ssl=0x83b91000, peer_ciphers=0x85251200) at src/common/tortls.c:1489
#2 0x1a8d58ff in tor_tls_session_secret_cb (ssl=0x83b91000, secret=0x8a659608, secret_len=0x8a659604, peer_ciphers=0x85251200, cipher=0xcfbe0184, arg=0x0) at src/common/tortls.c:1683
#3 0x0b9e09ec in ssl3_get_client_hello (s=0x83b91000) at /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s3_srvr.c:1119
#4 0x0b9e176f in ssl3_accept (s=0x83b91000) at /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s3_srvr.c:346
#5 0x0b9f22fa in SSL_accept (s=0x83b91000) at /usr/src/lib/libssl/ssl/../../libssl/src/ssl/ssl_lib.c:922
#6 0x0b9d8836 in ssl23_get_client_hello (s=0x83b91000) at /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s23_srvr.c:573
#7 0x0b9d915c in ssl23_accept (s=0x83b91000) at /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s23_srvr.c:232
#8 0x0b9f22fa in SSL_accept (s=0x83b91000) at /usr/src/lib/libssl/ssl/../../libssl/src/ssl/ssl_lib.c:922
#9 0x1a8d5d59 in tor_tls_handshake (tls=0x82a59d80) at src/common/tortls.c:2113
#10 0x1a865f10 in connection_tls_continue_handshake (conn=0x83b93000) at src/or/connection_or.c:1468
#11 0x1a857dee in connection_handle_read (conn=0x83b93000) at src/or/connection.c:3287
#12 0x1a7a842f in conn_read_callback (fd=22, event=2, _conn=0x83b93000) at src/or/main.c:736
#13 0x0bb9ca02 in event_base_loop (base=0x7e447000, flags=0) at /usr/src/lib/libevent/event.c:404
#14 0x1a7a3eab in do_main_loop () at src/or/main.c:2027
#15 0x1a7a55ca in tor_main (argc=3, argv=0xcfbe09c4) at src/or/main.c:3047
#16 0x1a7a1cdd in main (argc=536912672, argv=0x8696ee00) at src/or/tor_main.c:30
(gdb)

Change History (9)

comment:1 Changed 5 years ago by nickm

Component: - Select a component → Tor
Keywords: tor-relay openbsd added
Milestone: Tor: 0.2.5.x-final
Priority: normal → major

Hm. Where in prune_v2_cipherlist exactly is it crashing? My guess would be the call to m->get_cipher_by_char . Does that pointer no longer exist, or is it NULL, or what?

comment:2 in reply to:  1 Changed 5 years ago by fredzupy

Replying to nickm:

Hm. Where in prune_v2_cipherlist exactly is it crashing? My guess would be the call to m->get_cipher_by_char . Does that pointer no longer exist, or is it NULL, or what?

Yes, it crashes in m->get_cipher_by_char.
<http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/ssl.h.diff?r1=1.62&r2=1.63&f=h> makes me think they plan to remove it.

m->get_cipher_by_char is NULL.

Last edited 5 years ago by fredzupy
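Frame #0 at address 0x00000000 in the backtrace above is the signature of an indirect call through a NULL function pointer, which matches the finding that the get_cipher_by_char slot of the SSL_METHOD table is NULL on OpenBSD-current. The following C program is an added example, not Tor's code and not the fix in nickm's branch: it models the pruning loop with constructed mock types (mock_cipher_t, mock_method_t, a three-entry cipher table) and shows the defensive shape, a lookup that never calls through the method-table slot when it is NULL and instead scans the library's cipher table, which is the role the public SSL_CIPHER_find / SSL_get_ciphers API would play against a real OpenSSL build.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for OpenSSL's SSL_CIPHER; only the 16-bit id matters here. */
typedef struct {
  uint16_t id;
  const char *name;
} mock_cipher_t;

/* Constructed stand-in for OpenSSL's SSL_METHOD: a table of function pointers.
 * On OpenBSD-current the get_cipher_by_char slot was reported to be NULL. */
typedef struct {
  const mock_cipher_t *(*get_cipher_by_char)(const unsigned char *p);
} mock_method_t;

/* Constructed cipher table standing in for what the TLS library knows. */
static const mock_cipher_t known_ciphers[] = {
  { 0x002f, "AES128-SHA" },
  { 0x0035, "AES256-SHA" },
  { 0x000a, "DES-CBC3-SHA" },
};
#define N_KNOWN (sizeof(known_ciphers) / sizeof(known_ciphers[0]))

/* Decodes a 2-byte big-endian cipher id as it appears on the wire. */
static uint16_t
cipherid_from_char(const unsigned char *p)
{
  return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Table scan that does not depend on any slot in the method struct
 * (the role SSL_CIPHER_find / SSL_get_ciphers play in real OpenSSL). */
static const mock_cipher_t *
scan_cipher_table(const unsigned char *p)
{
  uint16_t id = cipherid_from_char(p);
  for (size_t i = 0; i < N_KNOWN; i++)
    if (known_ciphers[i].id == id)
      return &known_ciphers[i];
  return NULL;
}

/* Two method tables: one with the slot populated, one with it removed. */
const mock_method_t openssl_like  = { scan_cipher_table };
const mock_method_t libressl_like = { NULL };

/* Resolves a wire id to a cipher without ever calling through a NULL slot. */
const mock_cipher_t *
find_cipher(const mock_method_t *m, const unsigned char *cipherid)
{
  if (m != NULL && m->get_cipher_by_char != NULL)
    return m->get_cipher_by_char(cipherid);
  return scan_cipher_table(cipherid);   /* fallback when the slot is gone */
}

/* Compacts a zero-terminated list of cipher ids in place, dropping any the
 * library does not know, in the spirit of Tor's prune_v2_cipher_list().
 * Returns the number of ids kept. */
int
prune_cipher_list(const mock_method_t *m, uint16_t *list)
{
  uint16_t *inp = list, *outp = list;
  while (*inp) {
    unsigned char cipherid[3];
    cipherid[0] = (unsigned char)(*inp >> 8);
    cipherid[1] = (unsigned char)(*inp & 0xff);
    cipherid[2] = 0;
    if (find_cipher(m, cipherid) != NULL)
      *outp++ = *inp;
    ++inp;
  }
  *outp = 0;
  return (int)(outp - list);
}

/* Runs the prune on a constructed list containing one unknown id (0xc011).
 * Returns the number of ids kept, or -1 if the survivors are not the three
 * known ones in their original order. */
int
prune_demo(const mock_method_t *m)
{
  uint16_t list[] = { 0x002f, 0xc011, 0x0035, 0x000a, 0 };
  int kept = prune_cipher_list(m, list);
  if (list[0] != 0x002f || list[1] != 0x0035 || list[2] != 0x000a || list[3] != 0)
    return -1;
  return kept;
}

int
main(void)
{
  printf("slot populated: kept %d\n", prune_demo(&openssl_like));
  printf("slot NULL:      kept %d\n", prune_demo(&libressl_like));
  return 0;
}
```

With the slot populated and with it NULL the list is pruned to the same three ids, which is the property nickm checks in comment 6 ("both cases ... produce the same output"); the unguarded original shape, a bare m->get_cipher_by_char(cipherid) call, is exactly what jumps to 0x00000000 in the second case.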

comment:3 Changed 5 years ago by nickm

Keywords: 024-backport added

I've got a likely fix in branch "bug13325_024" in my public repository. It should apply cleanly to 0.2.4 and later. Needs review and testing.

(raw commit here https://gitweb.torproject.org/nickm/tor.git/commitdiff_plain/d1fa0163e571913b8e4972c5c8a2d46798f46156 )

Does applying this work for you?

comment:4 Changed 5 years ago by nickm

Status: new → needs_review

comment:5 Changed 5 years ago by yawning

The branch looks good to me.

comment:6 Changed 5 years ago by nickm

Okay. I've run both cases against openssl and verified that they produce the same output. I haven't tested on openbsd-current. Could somebody do that?

comment:7 in reply to:  6 Changed 5 years ago by fredzupy

Replying to nickm:

Okay. I've run both cases against openssl and verified that they produce the same output. I haven't tested on openbsd-current. Could somebody do that?

I've only patched tortls.c and then run make.
It looks good to me. Tor no longer crashes.
Thanks!

comment:8 Changed 5 years ago by nickm

Milestone: Tor: 0.2.5.x-final → Tor: 0.2.4.x-final

Okay. Merged this to 0.2.5 and forward to master. Marking for possible backport to 0.2.4.

comment:9 Changed 5 years ago by nickm

Milestone: Tor: 0.2.4.x-final → Tor: 0.2.5.x-final
Resolution: fixed
Status: needs_review → closed

No backport at this point for per-platform build fixes or startup fixes in 0.2.4. Just upgrade to 0.2.5, ok?
