Opened 2 years ago

Closed 2 years ago

Last modified 15 months ago

#15083 closed defect (fixed)

Assertion ch->data < &ch->mem[0]+ch->memlen failed

Reported by: poiuty
Priority: High
Milestone: Tor: 0.2.6.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.5.10
Keywords: 023-backport, 025-backport, 024-backport, tor-relay, CVE-assigned, 2016-bug-retrospective

Description

Feb 28 06:25:04.000 [notice] Tor 0.2.5.10 (git-43a5f3d91e726291) opening new log file.
Feb 28 09:12:42.000 [notice] Caching new entry debian-tor for debian-tor
Feb 28 09:12:55.000 [notice] Heartbeat: Tor's uptime is 9 days 23:57 hours, with 3628 circuits open. I've sent 2019.68 GB and received 1952.11 GB.
Feb 28 09:12:55.000 [notice] Average packaged cell fullness: 97.211%
Feb 28 09:12:55.000 [notice] TLS write overhead: 3%
Feb 28 09:12:55.000 [notice] Circuit handshake stats since last time: 24992/25002 TAP, 25312/25314 NTor.
Feb 28 15:12:55.000 [notice] Heartbeat: Tor's uptime is 10 days 5:57 hours, with 4022 circuits open. I've sent 2074.91 GB and received 2005.67 GB.
Feb 28 15:12:55.000 [notice] Average packaged cell fullness: 97.253%
Feb 28 15:12:55.000 [notice] TLS write overhead: 3%
Feb 28 15:12:55.000 [notice] Circuit handshake stats since last time: 37526/37526 TAP, 31539/31539 NTor.
Feb 28 15:29:59.000 [err] tor_assertion_failed_(): Bug: ../src/or/buffers.c:2627: assert_buf_ok: Assertion ch->data < &ch->mem[0]+ch->memlen failed; aborting.
Feb 28 15:29:59.000 [err] Bug: Assertion ch->data < &ch->mem[0]+ch->memlen failed in assert_buf_ok at ../src/or/buffers.c:2627. Stack trace:
Feb 28 15:29:59.000 [err] Bug: /usr/bin/tor(log_backtrace+0x41) [0x7fb3e3dd9d01]
Feb 28 15:29:59.000 [err] Bug: /usr/bin/tor(tor_assertion_failed_+0x9f) [0x7fb3e3de59bf]
Feb 28 15:29:59.000 [err] Bug: /usr/bin/tor(assert_buf_ok+0x167) [0x7fb3e3d547f7]
Feb 28 15:29:59.000 [err] Bug: /usr/bin/tor(assert_connection_ok+0xb8) [0x7fb3e3d8de28]
Feb 28 15:29:59.000 [err] Bug: /usr/bin/tor(+0x37617) [0x7fb3e3cfc617]
Feb 28 15:29:59.000 [err] Bug: /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5(event_base_loop+0x414) [0x7fb3e33d3254]
Feb 28 15:29:59.000 [err] Bug: /usr/bin/tor(do_main_loop+0x19d) [0x7fb3e3cfcf4d]
Feb 28 15:29:59.000 [err] Bug: /usr/bin/tor(tor_main+0x1aa5) [0x7fb3e3d000b5]
Feb 28 15:29:59.000 [err] Bug: /lib/x86_64-linux-gnu/libc.so.6(libc_start_main+0xfd) [0x7fb3e25f0ead]
Feb 28 15:29:59.000 [err] Bug: /usr/bin/tor(+0x3465d) [0x7fb3e3cf965d]

Change History (13)

comment:1 Changed 2 years ago by gk

  • Component changed from - Select a component to Tor
  • Version set to Tor: 0.2.5.10

comment:2 Changed 2 years ago by nickm

  • Keywords 025-backport tor-relay added
  • Milestone set to Tor: 0.2.6.x-final
  • Priority changed from normal to major

comment:3 Changed 2 years ago by nickm

  • Summary changed from tor_assertion_failed_ to Assertion ch->data < &ch->mem[0]+ch->memlen failed

comment:4 Changed 2 years ago by nickm

#15102 was a duplicate of this.

comment:5 Changed 2 years ago by cypherpunks

--- tor-0.2.5.10/src/or/buffers.c	2014-10-10 06:06:24.000000000 -0700
+++ tor-0.2.5.10/src/or/buffers.c.modified	2015-03-03 03:07:20.754704418 -0800
@@ -447,7 +447,7 @@
     size_t n = bytes - dest->datalen;
     src = dest->next;
     tor_assert(src);
-    if (n > src->datalen) {
+    if (n >= src->datalen) {
       memcpy(CHUNK_WRITE_PTR(dest), src->data, src->datalen);
       dest->datalen += src->datalen;
       dest->next = src->next;
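
Review bot: the changed condition `if (n >= src->datalen)` carries no comment saying why the equality case belongs on the whole-chunk path, and a one-character boundary change like this is easy to revert by accident. When n equals src->datalen, this branch now copies all of src and unlinks it with `dest->next = src->next`, so a fully drained chunk is not left in the list; a short comment stating that, plus a regression test that pulls up exactly src->datalen bytes, would pin the boundary down. The hunk also does not show what happens to src after it is unlinked, or whether anything else still points at it when it was the last chunk, so that should be confirmed against the rest of the function before backporting.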

comment:6 Changed 2 years ago by nickm

  • Keywords 024-backport added
  • Status changed from new to needs_review

comment:7 Changed 2 years ago by nickm

  • Keywords 023-backport added

I've taken this and another (redundant, I hope!) fix into a branch, "bug15083_023". How do they look?

comment:8 Changed 2 years ago by nickm

I've heard a couple of positive reviews here. More would be appreciated.

comment:9 Changed 2 years ago by nickm

  • Resolution set to fixed
  • Status changed from needs_review to closed

Merged to 0.2.3 and later, though I do not currently anticipate releasing any more 0.2.3s.

comment:10 Changed 2 years ago by arma

What's the story with the log_warn in 81a994c? Is there a plan for when to take that out?

comment:11 Changed 2 years ago by nickm

If it ever triggers, we have something to fix. If not, it doesn't hurt to leave it in, so I guess we can take it out ... somedayish?

comment:12 Changed 2 years ago by weasel

  • Keywords CVE-assigned added

CVE-2015-2688

comment:13 Changed 15 months ago by nickm

  • Keywords 2016-bug-retrospective added

Mark more tickets for bug retrospective based on hand-review of changelogs from 0.2.5 onwards.
