Opened 2 months ago

Closed 10 days ago

#27708 closed defect (fixed)

Heap use-after-free on git master dbb0abc9f1a174efdb65d581f5dbe46dbad2ebb5

Reported by: dgoulet Owned by: nickm
Priority: Medium Milestone: Tor: 0.3.3.x-final
Component: Core Tor/Tor Version:
Severity: Normal Keywords: regression, crash, 033-backport 034-backport
Cc: Actual Points:
Parent ID: Points:
Reviewer: dgoulet Sponsor:

Description

I found this issue by setting an invalid HiddenServiceDir containing 2 levels of directories for tor to create, which it can't do, leading to options_act() returning -1.

HiddenServiceDir /tmp/level1/level2

Here is the ASAN output:

==10573==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d000002948 at pc 0x55741b1f88d1 bp 0x7ffe0d70bc10 sp 0x7ffe0d70bc00
READ of size 8 at 0x61d000002948 thread T0
    #0 0x55741b1f88d0 in or_options_free_ src/app/config/config.c:1005
    #1 0x55741b2009af in config_free_all src/app/config/config.c:1034
    #2 0x55741ad38034 in tor_free_all src/core/mainloop/main.c:3693
    #3 0x55741ad38b6e in tor_run_main src/core/mainloop/main.c:4277
    #4 0x55741ad2286b in tor_main src/feature/api/tor_api.c:164
    #5 0x55741ad1d7cb in main src/app/main/tor_main.c:32
    #6 0x7fc43440109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #7 0x55741ad219e9 in _start (/home/dgoulet/Documents/git/tor/src/app/tor+0x9119e9)

0x61d000002948 is located 200 bytes inside of 2264-byte region [0x61d000002880,0x61d000003158)
freed by thread T0 here:
    #0 0x7fc43614cb70 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb70)
    #1 0x55741b23e3e7 in config_free_ src/app/config/confparse.c:871
    #2 0x55741b1f8548 in or_options_free_ src/app/config/config.c:1026
    #3 0x55741b22bbcc in options_init_from_string src/app/config/config.c:5487
    #4 0x55741b22d540 in options_init_from_torrc src/app/config/config.c:5233
    #5 0x55741ad37098 in tor_init src/core/mainloop/main.c:3540
    #6 0x55741ad389c0 in tor_run_main src/core/mainloop/main.c:4275
    #7 0x55741ad2286b in tor_main src/feature/api/tor_api.c:164
    #8 0x55741ad1d7cb in main src/app/main/tor_main.c:32
    #9 0x7fc43440109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

previously allocated by thread T0 here:
    #0 0x7fc43614cf30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30)
    #1 0x55741b3b378a in tor_malloc_ src/lib/malloc/malloc.c:45
    #2 0x55741b3b3821 in tor_malloc_zero_ src/lib/malloc/malloc.c:71
    #3 0x55741b22b294 in options_init_from_string src/app/config/config.c:5336
    #4 0x55741b22d540 in options_init_from_torrc src/app/config/config.c:5233
    #5 0x55741ad37098 in tor_init src/core/mainloop/main.c:3540
    #6 0x55741ad389c0 in tor_run_main src/core/mainloop/main.c:4275
    #7 0x55741ad2286b in tor_main src/feature/api/tor_api.c:164
    #8 0x55741ad1d7cb in main src/app/main/tor_main.c:32
    #9 0x7fc43440109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-use-after-free src/app/config/config.c:1005 in or_options_free_

Logs show:

Sep 14 10:20:00.000 [warn] Error creating directory /tmp/level1/level2: No such file or directory
Sep 14 10:20:00.000 [warn] Error loading rendezvous service keys
Sep 14 10:20:00.000 [err] set_options(): Bug: Acting on config options left us in a broken state. Dying. (on Tor 0.3.5.0-alpha-dev dbb0abc9f1a174ef)

What I can tell is that if options_act() returns -1, we'll inevitably end up in this situation so this isn't HS only. Kind of difficult to follow the stacktrace as the use-after-free points to a free(). I know that the pointer there is NULL at that time...


Change History (5)

comment:1 Changed 2 months ago by nickm

Owner: set to nickm
Status: new → accepted

comment:2 Changed 2 months ago by nickm

Keywords: 033-backport 034-backport added
Status: accepted → needs_review

See branch bug27708_033, PR at https://github.com/torproject/tor/pull/336

The problem was caused by my restart-in-process changes: once we started returning -1 after a failed options_act(), we were leaving the global_options variable in an inconsistent state.
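The ownership pattern behind that inconsistent state, as an added C model that is not Tor's own code (the struct, its fields, the function names and the failure rule in options_act() are assumptions): the global pointer is swapped to the new object before it is acted on, so a failure frees the rejected object while the global still points at it and the later teardown reads freed memory; the fixed shape restores the previous pointer before freeing.

```c
#include <stdlib.h>
#include <string.h>
/* Model of the ownership bug in this ticket (added illustration, not Tor's
 * own code). Names and the failure rule are assumptions. */
typedef struct options_t {
    char hs_dir[64];  /* stand-in for HiddenServiceDir */
    int  acted;       /* 1 once the options have been applied */
} options_t;

static options_t *global_options = NULL;

static options_t *make_options(const char *dir) {
    options_t *o = calloc(1, sizeof(*o));
    strncpy(o->hs_dir, dir, sizeof(o->hs_dir) - 1);
    return o;
}

/* Stand-in for options_act(): assumed to fail when the directory has a
 * second missing level to create, as in the report. */
static int options_act(options_t *o) {
    const char *p = strchr(o->hs_dir + 1, '/');
    if (p && strchr(p + 1, '/')) return -1;
    o->acted = 1;
    return 0;
}

/* Buggy shape: the global is swapped before acting and never restored, so after
 * a failure global_options dangles and teardown reads it. Not called by tests. */
static int set_options_buggy(options_t *new_opts) {
    options_t *old = global_options;
    global_options = new_opts;
    if (options_act(new_opts) < 0) { free(new_opts); return -1; }
    free(old);
    return 0;
}

/* Fixed shape: undo the swap before releasing the rejected object. */
static int set_options_fixed(options_t *new_opts) {
    options_t *old = global_options;
    global_options = new_opts;
    if (options_act(new_opts) < 0) { global_options = old; free(new_opts); return -1; }
    free(old);
    return 0;
}

/* Stand-in for teardown: reads the global, returns its acted flag (-1 if none). */
static int free_all_check(void) {
    int acted = global_options ? global_options->acted : -1;
    free(global_options);
    global_options = NULL;
    return acted;
}
```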

comment:3 Changed 2 months ago by dgoulet

Reviewer: dgoulet
Status: needs_review → merge_ready

ACK. I confirm the problem is fixed.

comment:4 Changed 2 months ago by nickm

Milestone: Tor: 0.3.5.x-final → Tor: 0.3.3.x-final

merged to 0.3.3 and forward.

comment:5 Changed 10 days ago by nickm

Resolution: fixed
Status: merge_ready → closed