Opened 11 months ago

Closed 3 weeks ago

Last modified 3 weeks ago

#20247 closed defect (fixed)

seccomp2 crash after closing and opening ipv6 DirPort + OrPort

Reported by: toralf
Owned by: nickm
Priority: Medium
Milestone: Tor: 0.2.9.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.8.8
Severity: Normal
Keywords: easy, crash, 028-backport, ipv6, review-group-21
Cc: teor
Actual Points:
Parent ID:
Points: 1
Reviewer:
Sponsor:

Description

Run this:

/etc/init.d/tor status 2>/dev/null
if [[ $? -eq 0 ]]; then
  sed -i -e 's/^DirPort *\[/#DirPort [/' -e 's/^ORPort *\[/#ORPort [/' /etc/tor/torrc
  /etc/init.d/tor reload
fi

# renew cert
#
/usr/bin/certbot renew --standalone --non-interactive --text --renew-hook RestartJabber --disable-hook-validation &>$log

# reopen Tor ports
#
sed -i -e 's/^#DirPort *\[/DirPort [/' -e 's/^#ORPort *\[/ORPort [/' /etc/tor/torrc
/etc/init.d/tor status 2>/dev/null
if [[ $? -eq 0 ]]; then
  /etc/init.d/tor reload
fi

to get this:

============================================================ T= 1474911552
(Sandbox) Caught a bad syscall attempt (syscall setsockopt)
/usr/bin/tor(+0x15dbc8)[0x1ac72c9bc8]
/lib64/libc.so.6(setsockopt+0xa)[0x30a1fef1a2a]
/lib64/libc.so.6(setsockopt+0xa)[0x30a1fef1a2a]
/usr/bin/tor(+0xee289)[0x1ac725a289]
/usr/bin/tor(retry_all_listeners+0x322)[0x1ac725bb12]
/usr/bin/tor(set_options+0xa7d)[0x1ac724e58d]
/usr/bin/tor(options_init_from_string+0x32e)[0x1ac725020e]
/usr/bin/tor(options_init_from_torrc+0x1e2)[0x1ac7250562]
/usr/bin/tor(+0x425c9)[0x1ac71ae5c9]
/usr/lib64/libevent-2.1.so.5(+0x2443b)[0x30a20e8043b]
/usr/lib64/libevent-2.1.so.5(event_base_loop+0x56f)[0x30a20e812cf]
/usr/bin/tor(do_main_loop+0x235)[0x1ac71acdd5]
/usr/bin/tor(tor_main+0x1bad)[0x1ac71b04cd]
/usr/bin/tor(main+0x2b)[0x1ac71a83ab]
/lib64/libc.so.6(__libc_start_main+0x114)[0x30a1fe1b734]
/usr/bin/tor(_start+0x29)[0x1ac71a83f9]

Change History (21)

comment:1 Changed 11 months ago by toralf

And disabling Sandbox yields a different issue:

Sep 26 20:02:25.000 [notice] Received reload signal (hup). Reloading config and resetting internal state.
Sep 26 20:02:25.000 [notice] Read configuration file "/etc/tor/torrc".
Sep 26 20:02:25.000 [notice] Closing no-longer-configured Directory listener on 2a01:4f8:190:514a::2:80
Sep 26 20:02:25.000 [notice] Closing no-longer-configured OR listener on 2a01:4f8:190:514a::2:443
Sep 26 20:02:25.000 [notice] Tor 0.2.8.8 opening log file.
Sep 26 20:02:25.000 [notice] Closing old Directory listener on 2a01:4f8:190:514a::2:80
Sep 26 20:02:25.000 [notice] Closing old OR listener on 2a01:4f8:190:514a::2:443
Sep 26 20:02:25.000 [notice] Your Tor server's identity key fingerprint is 'zwiebeltoralf BE2FA9FCB6242567B93ED99FEC5543FC517C9276'
Sep 26 20:02:26.000 [notice] Received reload signal (hup). Reloading config and resetting internal state.
Sep 26 20:02:26.000 [notice] Read configuration file "/etc/tor/torrc".
Sep 26 20:02:26.000 [notice] Opening Directory listener on [2a01:4f8:190:514a::2]:80
Sep 26 20:02:26.000 [warn] Could not bind to 2a01:4f8:190:514a::2:80: Permission denied
Sep 26 20:02:26.000 [notice] Opening OR listener on [2a01:4f8:190:514a::2]:443
Sep 26 20:02:26.000 [warn] Could not bind to 2a01:4f8:190:514a::2:443: Permission denied
Sep 26 20:02:26.000 [warn] Failed to parse/validate config: Failed to bind one of the listener ports.
Sep 26 20:02:26.000 [err] Reading config failed--see warnings above. For usage, try -h.
Sep 26 20:02:26.000 [warn] Restart failed (config error?). Exiting.

FWIW this is a stable hardened Gentoo Linux with latest kernel and libressl.

comment:2 Changed 11 months ago by nickm

Keywords: crash 028-backport added
Milestone: Tor: 0.2.9.x-final

comment:3 Changed 11 months ago by nickm

Cc: teor added
Keywords: ipv6 added

comment:4 Changed 11 months ago by teor

Status: new → needs_information

In the case where you disable the sandbox, Tor needs to keep CAP_NET_BIND in order to bind to low ports (<1024). If not, it can't bind on reload, so it stops.

In the case where you have the sandbox on, we need to allow setsockopt as a syscall in the sandbox. However, this might simply be another symptom of the above permissions issue on low-numbered ports. I don't know enough about the Linux sandbox to tell.

The required setsockopt calls for all sockets are:

  • setsockopt(sock, SOL_SOCKET, SO_REUSEADDR

And for IPv6:

  • setsockopt(s,IPPROTO_IPV6, IPV6_V6ONLY

And for transproxy:

  • setsockopt(s, SOL_IP, IP_TRANSPARENT

And for constrained socket buffers:

  • setsockopt(sock, SOL_SOCKET, SO_SNDBUF
  • setsockopt(sock, SOL_SOCKET, SO_RCVBUF

comment:5 Changed 10 months ago by nickm

Keywords: nickm-deferred-20161017 added
Milestone: Tor: 0.2.9.x-final → Tor: 0.3.0.x-final

Not a regression in 0.2.9, so it waits for 0.3.0. (Is this still needs_information?)

comment:6 Changed 10 months ago by teor

Yes, I don't know whether the issue is a sandbox issue, or a capability issue.
One way of telling the difference is to re-try using ports > 1024.

comment:7 Changed 10 months ago by toralf

With the sandbox enabled Tor crashes too if I use 2380 and 23443 as DIR and OR ports respectively.
Without sandbox enabled I can open and close the ipv6 ports (whilst the ipv4 ports are still at 80 and 443).

comment:8 Changed 10 months ago by teor

Status: needs_information → new

Ok, it's not a capability issue, it's a sandbox issue. Someone who understands how the Linux sandbox allows IP addresses / ports needs to fix this and test it.

Or maybe the reality is that you can only bind to IPv6 addresses on startup (right after the sandbox is configured as root) with the sandbox active, and we need to document that.

Setting to "new".

comment:9 in reply to:  8 Changed 10 months ago by yawning

Replying to teor:

> Ok, it's not a capability issue, it's a sandbox issue. Someone who understands how the Linux sandbox allows IP addresses / ports needs to fix this and test it.

This function: https://gitweb.torproject.org/tor.git/tree/src/common/sandbox.c#n682

Add the appropriate rules to allow this one: setsockopt(s,IPPROTO_IPV6, IPV6_V6ONLY

> Or maybe the reality is that you can only bind to IPv6 addresses on startup (right after the sandbox is configured as root) with the sandbox active, and we need to document that.

That's how it is right now, without the changes. But that's terrible, so there should be changes.
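
The allowlist change discussed in comment:4 and comment:9, sketched as an added example (not Tor's sandbox.c code and not part of the ticket): a raw classic-BPF seccomp program that permits setsockopt only for listed (level, optname) pairs, run through a small userspace interpreter so the verdict with and without the IPV6_V6ONLY pair can be compared. RULES, build_filter, verdict, the trap action and the little-endian argument layout are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Constructed allowlist from comment:4; the first N_BEFORE entries omit IPv6. */
static const struct { uint32_t level, opt; } RULES[] = {
  { SOL_SOCKET, SO_REUSEADDR }, { SOL_SOCKET, SO_SNDBUF },
  { SOL_SOCKET, SO_RCVBUF },    { IPPROTO_IPV6, IPV6_V6ONLY },
};
enum { N_BEFORE = 3, N_AFTER = 4, MAX_INSNS = 3 + 5 * N_AFTER + 1 };
/* Offset of the low 32 bits of syscall argument n (little-endian assumed). */
#define ARG_LO(n) ((uint32_t)(offsetof(struct seccomp_data, args) + 8 * (n)))
#define INSN(...) ((struct sock_filter){ __VA_ARGS__ })
/* Other syscalls pass (out of scope here); unlisted setsockopt pairs trap. */
static size_t build_filter(size_t n, struct sock_filter *f) {
  size_t i = 0;
  f[i++] = INSN(BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, nr));
  f[i++] = INSN(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, SYS_setsockopt);
  f[i++] = INSN(BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ALLOW);
  for (size_t k = 0; k < n; k++) {   /* five instructions per allowed pair */
    f[i++] = INSN(BPF_LD | BPF_W | BPF_ABS, 0, 0, ARG_LO(1));
    f[i++] = INSN(BPF_JMP | BPF_JEQ | BPF_K, 0, 3, RULES[k].level);
    f[i++] = INSN(BPF_LD | BPF_W | BPF_ABS, 0, 0, ARG_LO(2));
    f[i++] = INSN(BPF_JMP | BPF_JEQ | BPF_K, 0, 1, RULES[k].opt);
    f[i++] = INSN(BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ALLOW);
  }
  f[i++] = INSN(BPF_RET | BPF_K, 0, 0, SECCOMP_RET_TRAP);
  return i;
}

/* Interpret the program in userspace for one setsockopt(fd, level, opt, ...). */
static uint32_t verdict(size_t n_rules, uint32_t level, uint32_t opt) {
  struct sock_filter f[MAX_INSNS];
  size_t len = build_filter(n_rules, f);
  struct seccomp_data d = { .nr = SYS_setsockopt, .args = { 0, level, opt } };
  uint32_t acc = 0;
  for (size_t pc = 0; pc < len; pc++) {
    if (BPF_CLASS(f[pc].code) == BPF_RET) return f[pc].k;
    if (BPF_CLASS(f[pc].code) == BPF_LD) memcpy(&acc, (char *)&d + f[pc].k, 4);
    else pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf;   /* JEQ: relative jump */
  }
  return SECCOMP_RET_KILL;
}

int main(void) { return verdict(N_AFTER, IPPROTO_IPV6, IPV6_V6ONLY) != SECCOMP_RET_ALLOW; }
```

The array built here has the layout a struct sock_fprog handed to prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...) would carry; a production filter would also check the arch field before trusting the syscall number.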

comment:10 Changed 10 months ago by teor

Keywords: easy added
Points: 1

Now that we know what the issue is here, this one is easy to fix.

comment:11 Changed 8 months ago by dgoulet

Keywords: triage-out-030-201612 added
Milestone: Tor: 0.3.0.x-final → Tor: 0.3.1.x-final

Triaged out on December 2016 from 030 to 031.

comment:12 Changed 5 months ago by nickm

Keywords: triaged-out-20170308 added
Milestone: Tor: 0.3.1.x-final → Tor: unspecified

Deferring all 0.3.1 tickets with status == new, owner == nobody, sponsor == nobody, points > 0.5, and priority < high.

I'd still take patches for most of these -- there's just nobody currently lined up to work on them in this timeframe.

comment:13 Changed 3 months ago by nickm

Keywords: triage-out-030-201612 removed

comment:14 Changed 3 months ago by nickm

Keywords: nickm-deferred-20161017 triaged-out-20170308 removed

comment:15 Changed 6 weeks ago by nickm

Owner: set to nickm
Status: new → accepted
Summary: crash after closing and opening ipv6 DirPort + OrPort → seccomp2 crash after closing and opening ipv6 DirPort + OrPort

comment:16 Changed 6 weeks ago by nickm

Milestone: Tor: unspecified → Tor: 0.3.2.x-final

comment:17 Changed 6 weeks ago by nickm

Status: accepted → needs_review

Trivial fix in branch bug20247_029

comment:18 Changed 5 weeks ago by nickm

Keywords: review-group-21 added

comment:19 Changed 3 weeks ago by ahf

Status: needs_review → merge_ready

LGTM!

comment:20 Changed 3 weeks ago by nickm

Resolution: fixed
Status: merge_ready → closed

Merged!

comment:21 Changed 3 weeks ago by nickm

Milestone: Tor: 0.3.2.x-final → Tor: 0.2.9.x-final