Opened 5 months ago

Closed 6 days ago

#25440 closed defect (fixed)

Broken openat syscall in Sandbox mode

Reported by: ageisp0lis
Owned by: nickm
Priority: Medium
Milestone: Tor: 0.3.5.x-final
Component: Core Tor/Tor
Version: Tor: 0.3.3.3-alpha
Severity: Normal
Keywords: sandbox, 033-must, regression, 033-triage-20180326, 033-included-20180326, 033-backport, AffectsTails, 034-deferred-20180602, 035-removed-20180711, 029-backport, 032-backport
Cc: nickm, intrigeri, danielpinto52@…
Actual Points:
Parent ID:
Points:
Reviewer: nickm
Sponsor:

Description

My version is 0.3.3.2-alpha (git-7b1d356bdb76607d).

If relevant, I am running under Debian buster/sid amd64 KVM VPS with a 4.14.24 kernel patched with grsecurity, and AppArmor enabled.

Mar 06 10:14:36.024 [notice] Tor 0.3.3.2-alpha (git-7b1d356bdb76607d) running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.0g, Zlib 1.2.8, Liblzma 5.2.2, and Libzstd 1.3.3.
Mar 06 10:14:36.025 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Mar 06 10:14:36.025 [notice] This version is not a stable Tor release. Expect more bugs than usual.
Mar 06 10:14:36.025 [notice] Read configuration file "/etc/tor/torrc".
Mar 06 10:14:36.029 [notice] Scheduler type KIST has been enabled.
Mar 06 10:14:36.029 [notice] Opening Socks listener on 127.0.0.1:9050
Mar 06 10:14:36.029 [notice] Opening DNS listener on 127.0.0.1:5353
Mar 06 10:14:36.029 [notice] Opening Transparent pf/netfilter listener on 127.0.0.1:9040
Mar 06 10:14:36.029 [notice] Opening Control listener on 127.0.0.1:9051

============================================================ T= 1520360077
(Sandbox) Caught a bad syscall attempt (syscall openat)
tor(+0x1a57ea)[0x20b99917ea]
/lib/x86_64-linux-gnu/libpthread.so.0(open64+0x4b)[0x38f248203ab]
/lib/x86_64-linux-gnu/libpthread.so.0(open64+0x4b)[0x38f248203ab]
tor(tor_open_cloexec+0x40)[0x20b9977a00]
tor(start_writing_to_file+0x17a)[0x20b998b2ea]
tor(+0x19f3cb)[0x20b998b3cb]
tor(+0x19f518)[0x20b998b518]
tor(or_state_save+0x15b)[0x20b98aa27b]
tor(+0x5488b)[0x20b984088b]
/usr/lib/x86_64-linux-gnu/libevent-2.1.so.6(+0x229ba)[0x38f25cbe9ba]
/usr/lib/x86_64-linux-gnu/libevent-2.1.so.6(event_base_loop+0x5a7)[0x38f25cbf537]
tor(do_main_loop+0x2b4)[0x20b9841604]
tor(tor_run_main+0x1025)[0x20b9843ad5]
tor(tor_main+0x3a)[0x20b983c09a]
tor(main+0x19)[0x20b983be29]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0x38f24272a87]
tor(_start+0x2a)[0x20b983be7a]

It is possible this error is either due to Tor, or it could be security hardening applied to my server. Let me know in any case... Could commit ea8e9f17f52877cc795f1792acb81d7fdaff6baf be relevant?

Child Tickets

Attachments (3)

tor.log (3.4 KB) - added by Jigsaw52 4 months ago.
strace.log (191.7 KB) - added by Jigsaw52 4 months ago.
orconfig.h (23.2 KB) - added by Jigsaw52 4 months ago.


Change History (30)

comment:1 Changed 5 months ago by cypherpunks

Hey ageis (<3 your hardening guide), in the cc it's nickm not nickw ;)

comment:2 Changed 5 months ago by arma

Cc: nickm added; nickw removed

comment:3 Changed 5 months ago by arma

#24454 and #24400 look very related.

comment:4 Changed 5 months ago by cypherpunks

Component: Core Tor → Core Tor/Tor

comment:5 Changed 5 months ago by nickm

Keywords: 033-must regression added
Milestone: Tor: 0.3.3.x-final
Owner: set to nickm
Status: new → accepted

comment:6 Changed 5 months ago by nickm

Keywords: 033-triage-20180326 added

Second batch of triage for 0.3.3: tickets that we didn't cover the first time.

comment:7 Changed 5 months ago by nickm

Keywords: 033-included-20180326 added

Marking 033-must tickets as included. Round 2.

comment:8 Changed 5 months ago by nickm

Status: accepted → needs_information

Hi! I've been staring at this for a few weeks, and I think we might actually have a way to progress.

So, openat() has to be happening within the start_writing_to_file() in the stack, which is happening inside write_str_to_file() in or_state_save(). And start_writing_to_file calls tor_open_cloexec, which always calls sandbox_intern_string().

The sandbox_intern_string() function will log a warning if the string wasn't interned. We didn't see that warning, so the string was indeed interned.

Question 1: Can you tell me, what version of libc exactly does your system use? I am wondering if maybe we have a problem in our implementation of libc_uses_openat_for_everything, which checks for a version later than 2.26.

Question 2: And if you're building Tor from source, could you attach the orconfig.h file that is generated when you run "configure" to build tor?

comment:9 Changed 5 months ago by intrigeri

I see a very similar startup failure on the development version of Tails based on Debian 10 (Buster); tor is 0.3.2.10-1, libc6 is 2.27-2 (both from Debian testing).

[notice] Tor 0.3.2.10 (git-0edaa32732ec8930) running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.0h, Zlib 1.2.8, Liblzma 5.2.2, and Libzstd 1.3.3.
[notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
[notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
[notice] Read configuration file "/etc/tor/torrc".
[warn] Skipping obsolete configuration option 'ControlListenAddress'
[warn] Skipping obsolete configuration option 'TransListenAddress'
[warn] Skipping obsolete configuration option 'WarnUnsafeSocks'
[notice] Scheduler type KIST has been enabled.
[notice] Opening Socks listener on 127.0.0.1:9050
[notice] Opening Socks listener on 127.0.0.1:9062
[notice] Opening Socks listener on 127.0.0.1:9150
[notice] Opening DNS listener on 127.0.0.1:5353
[notice] Opening Transparent pf/netfilter listener on 127.0.0.1:9040
[notice] Opening Control listener on 127.0.0.1:9052
============================================================ T= 1522412451
(Sandbox) Caught a bad syscall attempt (syscall openat)
/usr/bin/tor(+0x1a2f3a)[0x5fe2178aff3a]
/lib/x86_64-linux-gnu/libpthread.so.0(open64+0x4b)[0x7b392350d3ab]
/usr/bin/tor(tor_open_cloexec+0x40)[0x5fe217896260]
/usr/bin/tor(start_writing_to_file+0x17a)[0x5fe2178a9a3a]
/usr/bin/tor(+0x19cb1b)[0x5fe2178a9b1b]
/usr/bin/tor(+0x19cc68)[0x5fe2178a9c68]
/usr/bin/tor(networkstatus_set_current_consensus+0xc99)[0x5fe21776c3e9]
/usr/bin/tor(connection_dir_reached_eof+0x14cb)[0x5fe217841ccb]
/usr/bin/tor(+0x10c9d9)[0x5fe2178199d9]
/usr/bin/tor(+0x52a1e)[0x5fe21775fa1e]
/usr/lib/x86_64-linux-gnu/libevent-2.1.so.6(+0x229ba)[0x7b39249ac9ba]
/usr/lib/x86_64-linux-gnu/libevent-2.1.so.6(event_base_loop+0x5a7)[0x7b39249ad537]
/usr/bin/tor(do_main_loop+0x28d)[0x5fe21776096d]
/usr/bin/tor(tor_main+0xe1d)[0x5fe21776378d]
/usr/bin/tor(main+0x19)[0x5fe21775c1b9]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0x7b3922f5fa87]
/usr/bin/tor(_start+0x2a)[0x5fe21775c20a]

comment:10 Changed 5 months ago by intrigeri

Cc: intrigeri added
Keywords: AffectsTails added

comment:11 Changed 4 months ago by nickm

Keywords: 033-backport added; AffectsTails removed
Milestone: Tor: 0.3.3.x-final → Tor: 0.3.4.x-final

We're not going to figure this out on schedule for 0.3.3, but maybe we can backport if the fix isn't too complicated.

comment:12 in reply to: 8 Changed 4 months ago by ageisp0lis

Question 1: Can you tell me, what version of libc exactly does your system use? I am wondering if maybe we have a problem in our implementation of libc_uses_openat_for_everything, which checks for a version later than 2.26.

Thought I had replied to you already but didn't see it on the ticket! Oops. Pretty sure I was using 2.27.

Question 2: And if you're building Tor from source, could you attach the orconfig.h file that is generated when you run "configure" to build tor?

Was running official binaries from your apt repository, in the 'buster' distribution, not built from source.

comment:13 Changed 4 months ago by intrigeri

Keywords: AffectsTails added

(Assuming removing the AffectsTails keyword was a mistake. Sorry if it was not :)

comment:14 Changed 4 months ago by Jigsaw52

I believe I am experiencing the same issue, with the master branch, on Ubuntu 18.04 64-bit, which uses libc 2.27.

I can confirm the string is being interned correctly: I have checked the pointers on the sandbox initialization and on the failing syscall and they are the same.

I ran tor under strace and grepped for openat calls and noticed something: the openat call that kills tor has an extra argument which all the others do not.
I believe the cause of this problem could be related to this.

I have attached my logs and my orconfig.h file.

Changed 4 months ago by Jigsaw52

Attachment: tor.log added

Changed 4 months ago by Jigsaw52

Attachment: strace.log added

Changed 4 months ago by Jigsaw52

Attachment: orconfig.h added

comment:15 Changed 4 months ago by Jigsaw52

Cc: danielpinto52@… added

comment:16 Changed 4 months ago by Jigsaw52

I was wrong. The number of parameters is just strace pretty-printing the call. The syscall is exactly the same in both cases.

The problem is related to the constant AT_FDCWD.
The changes on this branch fixed the problem on my machine:

https://github.com/Jigsaw52/tor/tree/quick-fix-25440

It does not work if I only change SCMP_CMP_STR to SCMP_CMP. The cast for uint32_t is needed. I do not know why and I think it will break on other machines but it seems like a good starting point for a better solution.

Last edited 4 months ago by Jigsaw52

comment:17 Changed 4 months ago by Jigsaw52

The problem is related to AT_FDCWD being a negative constant and libseccomp using uint64_t for parameters.

See https://github.com/seccomp/libseccomp/issues/69#issuecomment-273805980

comment:18 Changed 4 months ago by cypherpunks

This is also a problem on the soon to be released (2018-04-26) Ubuntu 18.04 (libc 2.27) with tor 0.3.2.10.

Last edited 4 months ago by cypherpunks

comment:19 Changed 2 months ago by nickm

Keywords: 034-deferred-20180602 added
Milestone: Tor: 0.3.4.x-final → Tor: 0.3.5.x-final

Deferring non-must tickets to 0.3.5

comment:20 Changed 5 weeks ago by nickm

Keywords: 035-removed-20180711 added
Milestone: Tor: 0.3.5.x-final → Tor: unspecified

These tickets are being triaged out of 0.3.5. The ones marked "035-roadmap-proposed" may return.

comment:21 Changed 10 days ago by Jigsaw52

After looking at this again, I think my fix will not ruin anyone's day.
My fix would only cause problems if AT_FDCWD is a 64-bit value. As far as I know, there is no system currently using 64-bit values for this constant.

I've rebased my branch with the current master and wrote a better commit message:

https://github.com/Jigsaw52/tor/tree/fix-25440

comment:22 Changed 9 days ago by nickm

Milestone: Tor: unspecified → Tor: 0.3.5.x-final
Status: needs_information → needs_review

comment:23 Changed 8 days ago by asn

Reviewer: nickm

comment:24 Changed 8 days ago by nickm

What would you think about using "unsigned int" instead of "uint32_t"? That way, if the "int fd" argument to openat() ever becomes 64-bit, the unsigned cast should still do the right thing.
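
The width mismatch behind comment 17 and the unsigned cast discussed here, as an added illustration that is not code from the ticket or from Tor or libseccomp. It models libseccomp's 64-bit argument datum (scmp_datum_t is a uint64_t) and assumes x86-64, where the kernel's seccomp_data.args[0] holds the 32-bit int argument zero-extended, so AT_FDCWD arrives as 0xFFFFFF9C; the function names are hypothetical.

```c
#include <fcntl.h>   /* AT_FDCWD on Linux (-100) */
#include <stdint.h>
#include <stdio.h>

#ifndef AT_FDCWD
#define AT_FDCWD (-100)   /* Linux value, in case the header hides it */
#endif

/* libseccomp compares syscall arguments as unsigned 64-bit values.
 * Modelled here; this is not libseccomp's own code. */
typedef uint64_t scmp_datum_t;

/* What the BPF filter sees in seccomp_data.args[0] for openat(AT_FDCWD, ...).
 * Assumption: x86-64, where writing an int to edi zero-extends into rdi. */
uint64_t kernel_sees_fd(int fd) { return (uint64_t)(uint32_t)fd; }

/* Datum produced by SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD): int -> uint64_t
 * sign-extends a negative constant to 0xFFFFFFFFFFFFFF9C. */
scmp_datum_t naive_rule_datum(int fd) { return (scmp_datum_t)fd; }

/* Datum after the fix: cast through unsigned int first, keeping only the
 * low 32 bits, which is what the kernel actually compares against. */
scmp_datum_t fixed_rule_datum(int fd) { return (scmp_datum_t)(unsigned int)fd; }

/* The equality test the seccomp rule performs on argument 0.
 * A non-match falls through to the default action (kill, in Tor's sandbox). */
int rule_matches(scmp_datum_t rule, uint64_t seen) { return rule == seen; }

int main(void) {
    uint64_t seen = kernel_sees_fd(AT_FDCWD);
    printf("kernel sees   : 0x%016llx\n", (unsigned long long)seen);
    printf("naive rule    : 0x%016llx match=%d\n",
           (unsigned long long)naive_rule_datum(AT_FDCWD),
           rule_matches(naive_rule_datum(AT_FDCWD), seen));
    printf("fixed rule    : 0x%016llx match=%d\n",
           (unsigned long long)fixed_rule_datum(AT_FDCWD),
           rule_matches(fixed_rule_datum(AT_FDCWD), seen));
    return 0;
}
```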

comment:25 Changed 8 days ago by nickm

Keywords: 029-backport 032-backport added

(Otherwise this looks fine to me. It appears that the bug is present in 0.2.9 and later, so we'll want to backport to maint-0.2.9 when we take it.)

comment:26 Changed 7 days ago by Jigsaw52

It's a good idea. I've tested it just to be sure it works and it does. I've updated my branch.

Last edited 7 days ago by Jigsaw52

comment:27 Changed 6 days ago by nickm

Resolution: fixed
Status: needs_review → closed

Thanks! Cherry-picked to 0.2.9 as a350f216b30c5841b8eb0303c9c3fd32a2b2245b; added a changes file as 27a2a6cb9b8a590a88c479539efae7bd31a4102f; and merged forward.
