Opened 2 years ago

Closed 2 years ago

#14803 closed defect (fixed)

Tor segfault with hidden service SETCONF

Reported by: atagar
Priority: Very High
Milestone: Tor: 0.2.6.x-final
Component: Core Tor/Tor
Cc: andrea

Description

The following commit...

https://gitweb.torproject.org/tor.git/commit/?id=44e9daf

Introduces a regression where SETCONF for hidden services triggers sadness. Caught because stem's integ tests no longer pass...

atagar@odin:~/Desktop/stem$ cat test/data/torrc
# configuration for stem integration tests
DataDirectory /home/atagar/Desktop/stem/test/data
SocksListenAddress 127.0.0.1:1112
DownloadExtraInfo 1
Log notice stdout
Log notice file /home/atagar/Desktop/stem/test/data/tor_log
ControlPort 1111

atagar@odin:~/Desktop/stem$ tor -f test/data/torrc

Then to trigger it...

atagar@odin:~/Desktop/tor/tor$ telnet localhost 1111
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
AUTHENTICATE
250 OK
GETCONF HiddenServiceOptions
250 HiddenServiceOptions
Connection closed by foreign host.
atagar@odin:~/Desktop/tor/tor$ telnet localhost 1111
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
AUTHENTICATE
250 OK
SETCONF HiddenServiceDir="/home/atagar/Desktop/stem/test/data/test_hidden_service2" HiddenServicePort="8030 127.0.0.1:8030" HiddenServicePort="8031 127.0.0.1:8031" HiddenServicePort="8032 127.0.0.1:8032" HiddenServiceAuthorizeClient="stealth a, b" HiddenServiceDir="/home/atagar/Desktop/stem/test/data/test_hidden_service_empty" HiddenServiceDir="/home/atagar/Desktop/stem/test/data/test_hidden_service1" HiddenServicePort="8020 127.0.0.1:8020" HiddenServicePort="8021 127.0.0.1:8021" HiddenServiceVersion="2"
Connection closed by foreign host.

And tor will spew...

Feb 08 18:37:54.000 [warn] ControlPort is open, but no authentication method has been configured.  This means that any program on your computer can reconfigure your Tor.  That's bad!  You should upgrade your Tor controller as soon as possible.

============================================================ T= 1423449474
Tor 0.2.6.2-alpha-dev (git-44e9dafb67370aa6) died: Caught signal 11
tor(+0x121f0e)[0xb76e4f0e]
/lib/i386-linux-gnu/libc.so.6(+0x7663e)[0xb71a563e]
/lib/i386-linux-gnu/libc.so.6(+0x7663e)[0xb71a563e]
tor(smartlist_free+0x38)[0xb76ea138]
tor(rend_config_services+0x4f9)[0xb7617379]
tor(+0xc19aa)[0xb76849aa]
tor(options_trial_assign+0xb4)[0xb7689384]
tor(+0xe49c1)[0xb76a79c1]
tor(connection_control_process_inbuf+0x6e4)[0xb76aba34]
tor(+0xca584)[0xb768d584]
tor(connection_handle_read+0x7c7)[0xb7693bf7]
tor(+0x28d51)[0xb75ebd51]
/usr/lib/libevent-2.0.so.5(event_base_loop+0x209)[0xb750dce9]
tor(do_main_loop+0x1bb)[0xb75ec73b]
tor(tor_main+0x1f6d)[0xb75f00fd]
tor(main+0x33)[0xb75e89a3]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb71484d3]
tor(+0x259ed)[0xb75e89ed]
Aborted

Change History (10)

comment:1 Changed 2 years ago by atagar

Oops, pasted an extra telnet session. Oh well.

comment:2 follow-up: Changed 2 years ago by arma

Mine doesn't seg fault, but valgrind picks up on something:

==13438== Invalid write of size 1
==13438==    at 0x168973: rend_config_services (rendservice.c:407)
==13438==    by 0x1CBFAE: options_validate (config.c:3548)
==13438==    by 0x1D01B4: options_trial_assign (config.c:2047)
==13438==    by 0x1EB8FD: control_setconf_helper (control.c:739)
==13438==    by 0x1EFD04: connection_control_process_inbuf (control.c:786)
==13438==    by 0x1D9A84: connection_handle_read (connection.c:3339)
==13438==    by 0x1411B0: conn_read_callback (main.c:777)
==13438==    by 0x52D9253: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.7)
==13438==    by 0x141AFC: do_main_loop (main.c:2117)
==13438==    by 0x144AAC: tor_main (main.c:3096)
==13438==    by 0x5F92EAC: (below main) (libc-start.c:244)
==13438==  Address 0x8ef96dc is 0 bytes after a block of size 28 alloc'd
==13438==    at 0x4C28BED: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13438==    by 0x230C97: tor_malloc_ (util.c:167)
==13438==    by 0x230D35: tor_malloc_zero_ (util.c:193)
==13438==    by 0x168BA0: rend_config_services (rendservice.c:317)
==13438==    by 0x1CBFAE: options_validate (config.c:3548)
==13438==    by 0x1D01B4: options_trial_assign (config.c:2047)
==13438==    by 0x1EB8FD: control_setconf_helper (control.c:739)
==13438==    by 0x1EFD04: connection_control_process_inbuf (control.c:786)
==13438==    by 0x1D9A84: connection_handle_read (connection.c:3339)
==13438==    by 0x1411B0: conn_read_callback (main.c:777)
==13438==    by 0x52D9253: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.7)
==13438==    by 0x141AFC: do_main_loop (main.c:2117)

comment:3 Changed 2 years ago by atagar

Quick update with the findings so far. Sebastian and Roger are unable to repro so looks to be platform specific (yay!). Tried to narrow this to the simplest repro...

For tor...

% git checkout 44e9daf
% git clean -fdx
% make dist-clean; ./autogen.sh && ./configure && make
% mkdir /tmp/tor_test
[made a torrc...]

% cat /tmp/tor_test/torrc
DataDirectory /tmp/tor_test
ControlPort 1111

% tor -f /tmp/tor_test/torrc

And then...

% telnet localhost 1111
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
AUTHENTICATE
250 OK
SETCONF HiddenServiceDir="/tmp/tor_test" HiddenServicePort="8030 127.0.0.1:8030"
Connection closed by foreign host.

The tor instance fails with...

Feb 08 19:29:13.000 [warn] ControlPort is open, but no authentication method has been configured.  This means that any program on your computer can reconfigure your Tor.  That's bad!  You should upgrade your Tor controller as soon as possible.
*** glibc detected *** tor: free(): invalid next size (fast): 0xb9297c38 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x75b12)[0xb7120b12]
tor(+0x52309)[0xb7591309]
tor(rend_config_services+0xb25)[0xb75939a5]
tor(+0xc19aa)[0xb76009aa]
tor(options_trial_assign+0xb4)[0xb7605384]
tor(+0xe49c1)[0xb76239c1]
tor(connection_control_process_inbuf+0x6e4)[0xb7627a34]
tor(+0xca584)[0xb7609584]
tor(connection_handle_read+0x7c7)[0xb760fbf7]
tor(+0x28d51)[0xb7567d51]
/usr/lib/libevent-2.0.so.5(event_base_loop+0x209)[0xb7489ce9]
tor(do_main_loop+0x1bb)[0xb756873b]
tor(tor_main+0x1f6d)[0xb756c0fd]
tor(main+0x33)[0xb75649a3]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb70c44d3]
tor(+0x259ed)[0xb75649ed]
======= Memory map: ========
Aborted

comment:4 in reply to: ↑ 2 Changed 2 years ago by arma

Replying to arma:

==13438== Invalid write of size 1
==13438== at 0x168973: rend_config_services (rendservice.c:407)

That line is

    result->unix_addr[0] = '\0';

And unix_addr is

char unix_addr[FLEXIBLE_ARRAY_MEMBER];

What, you might ask, is FLEXIBLE_ARRAY_MEMBER?

I don't know either, but my orconfig.h says it is

/* Define to nothing if C supports flexible array members, and to 1 if it does
   not. That way, with a declaration like `struct s { int n; double
   d[FLEXIBLE_ARRAY_MEMBER]; };', the struct hack can be used with pre-C99
   compilers. When computing the size of such an object, don't use 'sizeof
   (struct s)' as it overestimates the size. Use 'offsetof (struct s, d)'
   instead. Don't use 'offsetof (struct s, d[0])', as this doesn't work with
   MSVC and with C++ compilers. */
#define FLEXIBLE_ARRAY_MEMBER /**/

So it is nothing at all.

comment:5 Changed 2 years ago by arma

Ok, now I've learned about FLEXIBLE_ARRAY_MEMBERs.

It looks like we're not mallocing result to be big enough here, in rend_service_port_config_new().

comment:6 Changed 2 years ago by arma

rend_service_port_config_new(const char *socket_path)
{
  if (!socket_path)
    /* sizeof() counts zero bytes for the flexible array member unix_addr,
     * so this block has no room for the '\0' written at rendservice.c:407 */
    return tor_malloc_zero(sizeof(rend_service_port_config_t));

Looks like it wants a +1 along with that sizeof, to have space for the \0

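As an added illustration (not Tor's code, and not from the ticket), a simplified stand-in for rend_service_port_config_t showing why a sizeof()-sized allocation leaves no room for a flexible array member's terminating NUL, and the offsetof-based size that does; the field names other than unix_addr and the socket path are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified stand-in for rend_service_port_config_t (assumed layout);
 * with FLEXIBLE_ARRAY_MEMBER defined to nothing, unix_addr is a C99
 * flexible array member and contributes 0 bytes to sizeof(). */
typedef struct {
  unsigned short virtual_port;
  unsigned short real_port;
  char unix_addr[];
} port_config_t;

/* Bytes a sizeof()-sized allocation leaves for unix_addr: 0 on this layout,
 * so result->unix_addr[0] = '\0' lands one byte past the block, which is
 * exactly what valgrind reported ("0 bytes after a block"). */
size_t bytes_for_unix_addr_in_sizeof(void)
{
  return sizeof(port_config_t) - offsetof(port_config_t, unix_addr);
}

/* Correct size: header bytes (offsetof, not sizeof, as orconfig.h's own
 * comment advises) plus the path plus its terminating NUL. With no path
 * this is the "+1" from comment 6. */
size_t port_config_alloc_size(const char *socket_path)
{
  size_t path_len = socket_path ? strlen(socket_path) : 0;
  return offsetof(port_config_t, unix_addr) + path_len + 1;
}

port_config_t *port_config_new(const char *socket_path)
{
  port_config_t *result = calloc(1, port_config_alloc_size(socket_path));
  if (!result)
    return NULL;
  if (socket_path)
    memcpy(result->unix_addr, socket_path, strlen(socket_path) + 1);
  else
    result->unix_addr[0] = '\0';  /* now inside the allocated block */
  return result;
}

int main(void)
{
  port_config_t *p = port_config_new("/tmp/tor_test/sock");  /* constructed path */
  printf("room in sizeof=%zu alloc=%zu addr=%s\n", bytes_for_unix_addr_in_sizeof(),
         port_config_alloc_size(p->unix_addr), p->unix_addr);
  free(p);
  return 0;
}
```
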
comment:7 Changed 2 years ago by arma

  • Cc andrea added

Bug comes from commit 656429160, as part of #12585.

comment:8 Changed 2 years ago by atagar

Sebastian and Roger have a fix. Making the following change...

http://paste.debian.net/plain/144631

... the tests now pass. Thanks all!

comment:9 Changed 2 years ago by Sebastian

  • Milestone set to Tor: 0.2.6.x-final
  • Status changed from new to needs_review

arma and I came up with the same fix in parallel; it's in branch bug14803 in my repo.

comment:10 Changed 2 years ago by arma

  • Resolution set to fixed
  • Status changed from needs_review to closed

merged. closing. still good if nickm or andrea becomes aware of this ticket to be sure.
