Opened 2 years ago

Closed 2 years ago

#17874 closed defect (fixed)

ERROR: AddressSanitizer: heap-use-after-free

Reported by: cypherpunks Owned by:
Priority: Very High Milestone: Tor: 0.2.8.x-final
Component: Core Tor/Tor Version: Tor: unspecified
Severity: Major Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


==12345==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000cf5472 at pc 0x55d4620d3245 bp 0x7ffcc0089a50 sp 0x7ffcc0089a48
READ of size 2 at 0x613000cf5472 thread T0

#0 0x55d4620d3244 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xef4244)
#1 0x55d461ef26bb (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xd136bb)
#2 0x55d461ef244f (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xd1344f)
#3 0x55d461dc997e (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xbea97e)
#4 0x55d4619255d2 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x7465d2)
#5 0x55d461917088 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x738088)
#6 0x55d461f23213 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xd44213)
#7 0x55d461f1b081 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xd3c081)
#8 0x55d461d15dd7 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xb36dd7)
#9 0x55d461d4c147 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xb6d147)
#10 0x55d462126fef (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xf47fef)
#11 0x55d4621231f2 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xf441f2)
#12 0x55d46209db6b (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xebeb6b)
#13 0x55d46206a166 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xe8b166)
#14 0x55d4620679cf (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xe889cf)
#15 0x55d46176ef18 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x58ff18)
#16 0x7fb0858abc58 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/
#17 0x7fb0858a7d01 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/
#18 0x55d461793edf (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x5b4edf)
#19 0x55d461780a36 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x5a1a36)
#20 0x55d46177c946 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x59d946)
#21 0x55d461786c29 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x5a7c29)
#22 0x55d46176c52a (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x58d52a)
#23 0x7fb0844afb44 (/lib/x86_64-linux-gnu/
#24 0x55d4616c1216 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x4e2216)

0x613000cf5472 is located 114 bytes inside of 328-byte region [0x613000cf5400,0x613000cf5548)
freed by thread T0 here:

#0 0x55d461747f32 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x568f32)
#1 0x55d462034722 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xe55722)
#2 0x55d46202a6cd (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xe4b6cd)
#3 0x55d46179c7cf (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x5bd7cf)
#4 0x55d4617a0bea (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x5c1bea)
#5 0x55d46179b4c8 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x5bc4c8)
#6 0x55d46176f81d (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x59081d)
#7 0x7fb0858abc58 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/

previously allocated by thread T0 here:

#0 0x55d461748212 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x569212)
#1 0x55d4625ba9af (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x13db9af)
#2 0x55d4625bac68 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x13dbc68)
#3 0x55d4620264ca (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xe474ca)
#4 0x55d4620280ba (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xe490ba)
#5 0x55d462094402 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xeb5402)
#6 0x55d4620683ca (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xe893ca)
#7 0x55d4620679cf (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xe889cf)
#8 0x55d46176ef18 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x58ff18)
#9 0x7fb0858abc58 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/

Shadow bytes around the buggy address:

0x0c2680196a30: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c2680196a40: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c2680196a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2680196a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2680196a70: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

=>0x0c2680196a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd

0x0c2680196a90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2680196aa0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c2680196ab0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c2680196ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2680196ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Shadow byte legend (one shadow byte represents 8 application bytes):

Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb



Child Tickets

Change History (8)

comment:1 Changed 2 years ago by nickm

Milestone: Tor: 0.2.???Tor: 0.2.8.x-final
Priority: MediumVery High
Severity: NormalMajor

comment:2 Changed 2 years ago by nickm

Is there any chance of getting debugging symbols there, or using gdb to figure out what those locations in the code actually are?

comment:3 Changed 2 years ago by gk

Is this still happening with the current hardened Tor Browser and even better with the one which is about to get released (

comment:4 Changed 2 years ago by nickm

gk: The version they gave is tor-, which means they have git ID a03469a, which means they're on git master as of ~yesterday. So unless you've started shipping git master, this isn't your bug. :)

comment:5 Changed 2 years ago by gk

Maybe. Hopefully. :)

comment:6 Changed 2 years ago by cypherpunks

0000000000ef3750 <connection_ap_attach_pending>:
0000000000ef17e0 <connection_ap_rescan_and_attach_pending>:
0000000000d05960 <circuit_build_needed_circs>:
00000000005b5980 <run_scheduled_events>:
000000000059f6a0 <second_elapsed_callback>:
000000000180cdc0 <periodic_timer_cb>:
00000000005b44a0 <run_main_loop_once>:
00000000005a1900 <run_main_loop_until_done>:
000000000059c470 <do_main_loop>:
00000000005a73a0 <tor_main>:
000000000058d2b0 <main>:
00000000004e21ee <_start>:

0000000000568ea0 <interceptor_free>:
0000000000e4bd90 <connection_free_>:
0000000000e4a570 <connection_free>:
00000000005bc5d0 <connection_unlink>:
00000000005bd850 <conn_close_if_marked>:
00000000005bbd50 <close_closeable_connections>:
000000000058f940 <conn_read_callback>:

0000000000569180 <interceptor_malloc>:
00000000013db780 <tor_malloc_>:
00000000013dbb10 <tor_malloc_zero_>:
0000000000e472b0 <entry_connection_new>:
0000000000e48a60 <connection_new>:
0000000000eb2f30 <connection_handle_listener_read>:
0000000000e88ab0 <connection_handle_read_impl>:
0000000000e88870 <connection_handle_read>:
000000000058f940 <conn_read_callback>:

gdb indicated "No stack"

comment:7 Changed 2 years ago by nickm

Great, just what I needed. I think this is the explanation for #17752, and maybe #17659 as well.

Now, let's see about a fix....

comment:8 Changed 2 years ago by nickm

Resolution: fixed
Status: newclosed

I think I got it maybe? #17876 was the root bug here. The commits that fix this bug are, I think:


Please let me know if this recurs.

(Checking a couple of other things before I close this.)

Note: See TracTickets for help on using tickets.