Opened 3 years ago

Last modified 2 years ago

#19931 needs_information defect

curve25519-donna runtime math errors on armhf

Reported by: chadmiller
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor: 0.2.8.6
Severity: Normal
Keywords: regression, integer-overflow, 029-proposed, arm, armhf, wrapf compiler build
Cc:
Actual Points:
Parent ID:
Points: 0.5
Reviewer:
Sponsor:

Description

On a rasppi3, run Ubuntu Core,

http://people.canonical.com/~mvo/all-snaps/16/all-snaps-pi2.img.xz

unxz, dd to card. boot. ubuntu/ubuntu username and password.

Install the tor-middle-relay snap, which was compiled with --enable-expensive-hardening and --enable-gcc-warnings: 'sudo snap install tor-middle-relay'

It will run, and emit to /var/log/syslog

src/ext/curve25519_donna/curve25519-donna.c:310:25: runtime error: left shift of negative value -54871
src/ext/curve25519_donna/curve25519-donna.c:300:23: runtime error: left shift of negative value -34426
src/ext/curve25519_donna/curve25519-donna.c:218:27: runtime error: left shift of negative value -1052007405335134
src/ext/curve25519_donna/curve25519-donna.c:219:27: runtime error: left shift of negative value -1052007405335134
src/ext/curve25519_donna/curve25519-donna.c:224:27: runtime error: left shift of negative value -3270924659300114
src/ext/curve25519_donna/curve25519-donna.c:225:27: runtime error: left shift of negative value -3270924659300114
src/ext/curve25519_donna/curve25519-donna.c:230:27: runtime error: left shift of negative value -1471294915178450
src/ext/curve25519_donna/curve25519-donna.c:231:27: runtime error: left shift of negative value -1471294915178450
src/ext/curve25519_donna/curve25519-donna.c:209:27: runtime error: left shift of negative value -829694144934512
src/ext/curve25519_donna/curve25519-donna.c:210:27: runtime error: left shift of negative value -829694144934512
src/ext/curve25519_donna/curve25519-donna.c:212:27: runtime error: left shift of negative value -2269747493562282
src/ext/curve25519_donna/curve25519-donna.c:213:27: runtime error: left shift of negative value -2269747493562282
src/ext/curve25519_donna/curve25519-donna.c:215:27: runtime error: left shift of negative value -2894814430932928
src/ext/curve25519_donna/curve25519-donna.c:216:27: runtime error: left shift of negative value -2894814430932928
src/ext/curve25519_donna/curve25519-donna.c:221:27: runtime error: left shift of negative value -3930039718593350
src/ext/curve25519_donna/curve25519-donna.c:222:27: runtime error: left shift of negative value -3930039718593350
src/ext/curve25519_donna/curve25519-donna.c:227:27: runtime error: left shift of negative value -7442567708082396
src/ext/curve25519_donna/curve25519-donna.c:228:27: runtime error: left shift of negative value -7442567708082396
src/ext/curve25519_donna/curve25519-donna.c:233:27: runtime error: left shift of negative value -1428303790038902
src/ext/curve25519_donna/curve25519-donna.c:234:27: runtime error: left shift of negative value -1428303790038902
src/ext/curve25519_donna/curve25519-donna.c:314:27: runtime error: left shift of negative value -79097269
src/ext/curve25519_donna/curve25519-donna.c:315:27: runtime error: left shift of negative value -79097269
src/ext/curve25519_donna/curve25519-donna.c:324:23: runtime error: left shift of negative value -22
src/ext/curve25519_donna/curve25519-donna.c:461:10: runtime error: left shift of negative value -21802520
src/ext/curve25519_donna/curve25519-donna.c:462:10: runtime error: left shift of 1352663040 by 8 places cannot be represented in type 'int'
src/ext/curve25519_donna/curve25519-donna.c:463:10: runtime error: left shift of 1073741824 by 4 places cannot be represented in type 'int'
src/ext/curve25519_donna/curve25519-donna.c:599:12: runtime error: left shift of 34457694 by 6 places cannot be represented in type 'int'
src/ext/curve25519_donna/curve25519-donna.c:464:10: runtime error: left shift of negative value -2147483648
src/ext/curve25519_donna/curve25519-donna.c:465:10: runtime error: left shift of negative value -2147483648

which seems bad. It doesn't happen on amd64 snap.

Change History (13)

comment:1 Changed 3 years ago by teor

Keywords: regression integer-overflow 029-proposed added
Milestone: Tor: 0.2.???
Points: 0.5

These errors are a known issue. They are C undefined behaviour that the source code author has declined to fix, see #13538. We thought we'd fixed it in #17983 by compiling that particular file with -fwrapv.

But clearly something has gone wrong.
How does your compiler implement -fwrapv?

Which compiler was used?
What version of the compiler?

Just to confirm:

  • this is Tor 0.2.8.6?
  • Tor runs fine, but continues to log runtime errors? (rather than, say, crashing?)
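
Both kinds of report in this ticket are signed left shifts that C leaves undefined (a negative left operand, or a result that does not fit the type), whereas GCC documents `-fwrapv` as covering overflow of addition, subtraction and multiplication. The following is an added example, not code from Tor or curve25519-donna: it computes the wrapped two's-complement result through unsigned arithmetic, which has no undefined behaviour for a sanitizer to report. The helper names are hypothetical, the positive operands are copied from the log above, and the shift counts paired with negative operands are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Reinterpret a bit pattern as signed without relying on the
 * implementation-defined out-of-range unsigned-to-signed conversion. */
static int32_t to_i32(uint32_t u) {
    return u <= (uint32_t)INT32_MAX ? (int32_t)u : -(int32_t)(~u) - 1;
}
static int64_t to_i64(uint64_t u) {
    return u <= (uint64_t)INT64_MAX ? (int64_t)u : -(int64_t)(~u) - 1;
}

/* Wrapping left shifts (hypothetical helpers). The shift is done on an
 * unsigned value, where C defines the result modulo 2^32 / 2^64.
 * n must be below the type width. */
int32_t wrap_shl32(int32_t v, unsigned n) { return to_i32((uint32_t)v << n); }
int64_t wrap_shl64(int64_t v, unsigned n) { return to_i64((uint64_t)v << n); }

/* Returns 1 when a plain `v << n` on int32_t is undefined (C11 6.5.7p4):
 * count out of range, negative operand, or unrepresentable result. */
int shl32_is_undefined(int32_t v, unsigned n) {
    if (n >= 32 || v < 0)
        return 1;
    return v > (INT32_MAX >> n);
}

int main(void) {
    /* Positive operands and their counts are from the ticket's log; the
     * counts paired with negative operands are constructed. */
    static const struct { int32_t v; unsigned n; } cases[] = {
        { 1352663040, 8 }, { 1073741824, 4 }, { 34457694, 6 },
        { -22, 1 }, { INT32_MIN, 1 }, { 22, 1 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%11ld << %u: undefined=%d wrapped=%ld\n",
               (long)cases[i].v, cases[i].n,
               shl32_is_undefined(cases[i].v, cases[i].n),
               (long)wrap_shl32(cases[i].v, cases[i].n));
    /* 64-bit case: operand from the log, count constructed. */
    printf("%lld\n", (long long)wrap_shl64(-54871, 2));
    return 0;
}
```
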

comment:2 Changed 3 years ago by chadmiller

Here's the package build-log. It's kind of noisy. Sorry.

https://launchpadlibrarian.net/276525002/buildlog_snap_ubuntu_xenial_armhf_tor-middle-relay_BUILDING.txt.gz

Yes, Tor 0.2.8.6.

g++-5, gcc-5 armhf 5.4.0-6ubuntu1~16.04.1

./configure --prefix= --disable-asciidoc --enable-expensive-hardening --enable-gcc-warnings

checking whether the compiler accepts -fstack-protector-all... yes
checking whether the compiler accepts -Wstack-protector... yes
checking whether the compiler accepts -fwrapv... yes
checking whether the compiler accepts --param ssp-buffer-size=1... yes
checking whether the compiler accepts -fPIE... yes
checking whether the linker accepts -pie... yes
checking whether the compiler accepts -fsanitize=address... yes
checking whether the compiler accepts -fsanitize=undefined... yes
checking whether the compiler accepts -fno-omit-frame-pointer... yes
checking whether the linker accepts -z relro -z now... yes
checking whether the linker accepts -rdynamic... yes
checking whether the compiler accepts -fomit-frame-pointer... yes
checking whether the compiler accepts -fasynchronous-unwind-tables... yes
...
checking whether we can use curve25519-donna-c64... no
checking crypto_scalarmult_curve25519.h usability... no
checking crypto_scalarmult_curve25519.h presence... no
checking for crypto_scalarmult_curve25519.h... no
checking nacl/crypto_scalarmult_curve25519.h usability... no
checking nacl/crypto_scalarmult_curve25519.h presence... no
checking for nacl/crypto_scalarmult_curve25519.h... no
checking for nacl compiled with a fast curve25519 implementation... no
...

comment:3 Changed 3 years ago by chadmiller

Aug 17 20:40:59 localhost ubuntu-core-launcher[2581]: Aug 17 20:40:59.897 [notice] Tor v0.2.8.6 (git-4d217548e3f05569) running on Linux with Libevent 2.0.22-stable, OpenSSL 1.0.2g-fips and Zlib 1.2.8.
Aug 17 20:40:59 localhost ubuntu-core-launcher[2581]: Aug 17 20:40:59.898 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Aug 17 20:40:59 localhost ubuntu-core-launcher[2581]: Aug 17 20:40:59.899 [notice] Read configuration file "/snap/tor-middle-relay/59/torrc-defaults".
Aug 17 20:40:59 localhost ubuntu-core-launcher[2581]: Aug 17 20:40:59.899 [warn] Unable to open configuration file "/var/snap/tor-middle-relay/59/configuration".
Aug 17 20:41:00 localhost ubuntu-core-launcher[2581]: Aug 17 20:41:00.105 [notice] Your ContactInfo config option is not set. Please consider setting it, so we can contact you if your server is misconfigured or something else goes wrong.
Aug 17 20:41:00 localhost ubuntu-core-launcher[2581]: Aug 17 20:41:00.107 [notice] Based on detected system memory, MaxMemInQueues is set to 690 MB. You can override this by setting MaxMemInQueues by hand.
Aug 17 20:41:00 localhost ubuntu-core-launcher[2581]: Aug 17 20:41:00.152 [warn] You are running Tor as root. You don't need to, and you probably shouldn't.
Aug 17 20:41:04 localhost ubuntu-core-launcher[2581]: Aug 17 20:41:04.635 [notice] You are running a new relay. Thanks for helping the Tor network! If you wish to know what will happen in the upcoming weeks regarding its usage, have a look at https://blog.torproject.org/blog/lifecycle-of-a-new-relay
Aug 17 20:41:04 localhost ubuntu-core-launcher[2581]: Aug 17 20:41:04.637 [notice] It looks like I need to generate and sign a new medium-term signing key, because I don't have one. To do that, I need to load (or create) the permanent master identity key.
Aug 17 20:41:09 localhost ubuntu-core-launcher[2581]: Aug 17 20:41:09.082 [notice] Your Tor server's identity key fingerprint is 'UbuntuCore59 D961B58542AE498E0D8584DD3BFCD49172679958'
Aug 17 20:41:09 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:310:25: runtime error: left shift of negative value -54871
Aug 17 20:41:09 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:300:23: runtime error: left shift of negative value -34426
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:218:27: runtime error: left shift of negative value -1052007405335134
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:219:27: runtime error: left shift of negative value -1052007405335134
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:224:27: runtime error: left shift of negative value -3270924659300114
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:225:27: runtime error: left shift of negative value -3270924659300114
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:230:27: runtime error: left shift of negative value -1471294915178450
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:231:27: runtime error: left shift of negative value -1471294915178450
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:209:27: runtime error: left shift of negative value -829694144934512
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:210:27: runtime error: left shift of negative value -829694144934512
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:212:27: runtime error: left shift of negative value -2269747493562282
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:213:27: runtime error: left shift of negative value -2269747493562282
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:215:27: runtime error: left shift of negative value -2894814430932928
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:216:27: runtime error: left shift of negative value -2894814430932928
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:221:27: runtime error: left shift of negative value -3930039718593350
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:222:27: runtime error: left shift of negative value -3930039718593350
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:227:27: runtime error: left shift of negative value -7442567708082396
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:228:27: runtime error: left shift of negative value -7442567708082396
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:233:27: runtime error: left shift of negative value -1428303790038902
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:234:27: runtime error: left shift of negative value -1428303790038902
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:314:27: runtime error: left shift of negative value -79097269
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:315:27: runtime error: left shift of negative value -79097269
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:324:23: runtime error: left shift of negative value -22
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:461:10: runtime error: left shift of negative value -21802520
Aug 17 20:41:10 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:462:10: runtime error: left shift of 1352663040 by 8 places cannot be represented in type 'int'
Aug 17 20:41:20 localhost ubuntu-core-launcher[2581]: src/ext/curve25519_donna/curve25519-donna.c:465:10: runtime error: left shift of negative value -2147483648
Aug 17 20:41:22 localhost ubuntu-core-launcher[2581]: Aug 17 20:41:22.030 [warn] Unable to open configuration file "/var/snap/tor-middle-relay/59/configuration".

Aug 17 20:41:22 localhost Tor[2581]: Unable to open configuration file "/var/snap/tor-middle-relay/59/configuration".
Aug 17 20:41:22 localhost Tor[2581]: You are running Tor as root. You don't need to, and you probably shouldn't.
Aug 17 20:41:23 localhost Tor[2581]: Your Tor server's identity key fingerprint is 'UbuntuCore59 D961B58542AE498E0D8584DD3BFCD49172679958'
Aug 17 20:41:23 localhost Tor[2581]: Bootstrapped 0%: Starting
Aug 17 20:41:24 localhost Tor[2581]: Guessed our IP address as 71.47.67.195 (source: 86.59.21.38).
Aug 17 20:51:34 localhost Tor[2581]: Bootstrapped 80%: Connecting to the Tor network
Aug 17 20:52:04 localhost Tor[2581]: Bootstrapped 85%: Finishing handshake with first hop
Aug 17 20:52:23 localhost Tor[2581]: Bootstrapped 90%: Establishing a Tor circuit
Aug 17 20:52:23 localhost rsyslogd-2007: action 'action 11' suspended, next retry is Wed Aug 17 20:53:23 2016 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
Aug 17 20:52:25 localhost Tor[2581]: Tor has successfully opened a circuit. Looks like client functionality is working.
Aug 17 20:52:25 localhost Tor[2581]: Bootstrapped 100%: Done
Aug 17 20:52:25 localhost Tor[2581]: Now checking whether ORPort 71.47.67.195:34839 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Aug 17 20:52:28 localhost Tor[2581]: Our clock is 7 minutes, 35 seconds behind the time published in the consensus network status document (2016-08-17 21:00:00 UTC). Tor needs an accurate clock to work correctly. Please check your time and date settings!
Aug 17 20:52:30 localhost Tor[2581]: Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Aug 17 20:52:34 localhost Tor[2581]: Performing bandwidth self-test...done.
Aug 17 21:41:29 localhost Tor[2581]: Heartbeat: Tor's uptime is 0:57 hours, with 11 circuits open. I've sent 1.35 MB and received 10.53 MB.

comment:4 Changed 3 years ago by teor

This looks like a gcc bug where it doesn't implement -fwrapv correctly on your platform. (Or, at least, it implements it in a way that still results in warnings.)

But it looks like curve25519 is still giving you the correct results. Please run the tor unit tests using 'make test' as an extra check that you are getting the correct results from curve25519.

And here are your options:

  • ignore the errors
  • turn the error logging off for tor (or for your kernel)
  • find and use the compiler option that actually makes your compiler implement -fwrapv semantics without logging those warnings. If you find it, please tell us.
  • use another library that implements curve25519:
    checking crypto_scalarmult_curve25519.h usability... no
    checking crypto_scalarmult_curve25519.h presence... no
    checking for crypto_scalarmult_curve25519.h... no
    checking nacl/crypto_scalarmult_curve25519.h usability... no
    checking nacl/crypto_scalarmult_curve25519.h presence... no
    checking for nacl/crypto_scalarmult_curve25519.h... no
    checking for nacl compiled with a fast curve25519 implementation... no
    

Also, as an aside, please run ntpdate every few hours to set your clock. (Or run the ntp daemon. It's more accurate, but it's also another network service, which has security and resource implications.)

Aug 17 20:52:28 localhost Tor[2581]: Our clock is 7 minutes, 35 seconds behind the time published in the consensus network status document (2016-08-17 21:00:00 UTC). Tor needs an accurate clock to work correctly. Please check your time and date settings!

comment:5 in reply to:  4 Changed 3 years ago by cypherpunks

@chadmiller:
If you run your build with "make V=1", you get to see the actual compiler options. -fwrapv might not be passed to the compiler.

comment:6 Changed 3 years ago by nickm

Keywords: 029-nickm-says-no added

comment:7 Changed 3 years ago by teor

Status: new → needs_information

comment:8 Changed 3 years ago by chadmiller

cypherpunks, I verified compiler options do include -fwrapv.

https://launchpadlibrarian.net/281589091/buildlog_snap_ubuntu_xenial_armhf_tor-middle-relay_BUILDING.txt.gz

My TO-DO before marking "new" again: 1) Run tests to verify sanity. 2) Find the compiler option that actually makes armhf gcc5 implement -fwrapv semantics without logging those warnings.

comment:9 Changed 3 years ago by teor

Milestone: Tor: 0.2.??? → Tor: 0.3.???

Milestone renamed

comment:10 Changed 3 years ago by nickm

Keywords: tor-03-unspecified-201612 added
Milestone: Tor: 0.3.??? → Tor: unspecified

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

comment:11 Changed 2 years ago by nickm

Keywords: tor-03-unspecified-201612 removed

Remove an old triaging keyword.

comment:12 Changed 2 years ago by nickm

Keywords: 029-nickm-says-no removed

comment:13 Changed 2 years ago by nickm

Keywords: arm armhf wrapf compiler build added