Opened 11 months ago

Closed 11 months ago

Last modified 7 months ago

#27893 closed defect (fixed)

memory leak in dump_config()

Reported by: nickm
Owned by: nickm
Priority: Very High
Milestone: Tor: 0.3.5.x-final
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: 035-must
Cc:
Actual Points: .2
Parent ID:
Points:
Reviewer: dgoulet
Sponsor:

Description

I build with AddressSanitizer and run ./src/app/tor --dump-config non-builtin. This gives me:

Direct leak of 39 byte(s) in 2 object(s) allocated from:
    #0 0x7fc058908c48 in malloc (/lib64/libasan.so.5+0xeec48)
    #1 0x7fc055a14c37 in __GI___vasprintf_chk (/lib64/libc.so.6+0x10ac37)

Direct leak of 17 byte(s) in 1 object(s) allocated from:
    #0 0x7fc058855320 in strdup (/lib64/libasan.so.5+0x3b320)
    #1 0x55c6f60d7780 in tor_strdup_ src/lib/malloc/malloc.c:165
    #2 0x55c6f5f5b327 in validate_data_directories src/app/config/config.c:7856
    #3 0x55c6f5f5b327 in options_validate src/app/config/config.c:3385
    #4 0x55c6f5f6c3d5 in options_validate_cb src/app/config/config.c:3146
    #5 0x55c6f5f8df68 in config_dump src/app/config/confparse.c:964
    #6 0x55c6f5a43cda in do_dump_config src/app/main/main.c:950
    #7 0x55c6f5a43cda in tor_run_main src/app/main/main.c:1502
    #8 0x55c6f5a3baab in tor_main src/feature/api/tor_api.c:164
    #9 0x55c6f5a361eb in main src/app/main/tor_main.c:32
    #10 0x7fc05592d11a in __libc_start_main (/lib64/libc.so.6+0x2311a)

Direct leak of 16 byte(s) in 1 object(s) allocated from:
    #0 0x7fc058908c48 in malloc (/lib64/libasan.so.5+0xeec48)
    #1 0x55c6f60d74da in tor_malloc_ src/lib/malloc/malloc.c:45
    #2 0x55c6f60d3115 in smartlist_new src/lib/smartlist_core/smartlist_core.c:28
    #3 0x55c6f5f6294c in options_validate_scheduler src/app/config/config.c:3239
    #4 0x55c6f5f6294c in options_validate src/app/config/config.c:4533
    #5 0x55c6f5f6c3d5 in options_validate_cb src/app/config/config.c:3146
    #6 0x55c6f5f8df68 in config_dump src/app/config/confparse.c:964
    #7 0x55c6f5a43cda in do_dump_config src/app/main/main.c:950
    #8 0x55c6f5a43cda in tor_run_main src/app/main/main.c:1502
    #9 0x55c6f5a3baab in tor_main src/feature/api/tor_api.c:164
    #10 0x55c6f5a361eb in main src/app/main/tor_main.c:32
    #11 0x7fc05592d11a in __libc_start_main (/lib64/libc.so.6+0x2311a)

Indirect leak of 128 byte(s) in 1 object(s) allocated from:
    #0 0x7fc058908c48 in malloc (/lib64/libasan.so.5+0xeec48)
    #1 0x55c6f60d74da in tor_malloc_ src/lib/malloc/malloc.c:45
    #2 0x55c6f60d7571 in tor_malloc_zero_ src/lib/malloc/malloc.c:71
    #3 0x55c6f60d31c9 in smartlist_new src/lib/smartlist_core/smartlist_core.c:31
    #4 0x55c6f5f6294c in options_validate_scheduler src/app/config/config.c:3239
    #5 0x55c6f5f6294c in options_validate src/app/config/config.c:4533
    #6 0x55c6f5f6c3d5 in options_validate_cb src/app/config/config.c:3146
    #7 0x55c6f5f8df68 in config_dump src/app/config/confparse.c:964
    #8 0x55c6f5a43cda in do_dump_config src/app/main/main.c:950
    #9 0x55c6f5a43cda in tor_run_main src/app/main/main.c:1502
    #10 0x55c6f5a3baab in tor_main src/feature/api/tor_api.c:164
    #11 0x55c6f5a361eb in main src/app/main/tor_main.c:32
    #12 0x7fc05592d11a in __libc_start_main (/lib64/libc.so.6+0x2311a)

Indirect leak of 4 byte(s) in 1 object(s) allocated from:
    #0 0x7fc058908c48 in malloc (/lib64/libasan.so.5+0xeec48)
    #1 0x55c6f60d74da in tor_malloc_ src/lib/malloc/malloc.c:45
    #2 0x55c6f60d7571 in tor_malloc_zero_ src/lib/malloc/malloc.c:71
    #3 0x55c6f5f62bc3 in options_validate_scheduler src/app/config/config.c:3243
    #4 0x55c6f5f62bc3 in options_validate src/app/config/config.c:4533
    #5 0x55c6f5f6c3d5 in options_validate_cb src/app/config/config.c:3146
    #6 0x55c6f5f8df68 in config_dump src/app/config/confparse.c:964
    #7 0x55c6f5a43cda in do_dump_config src/app/main/main.c:950
    #8 0x55c6f5a43cda in tor_run_main src/app/main/main.c:1502
    #9 0x55c6f5a3baab in tor_main src/feature/api/tor_api.c:164
    #10 0x55c6f5a361eb in main src/app/main/tor_main.c:32
    #11 0x7fc05592d11a in __libc_start_main (/lib64/libc.so.6+0x2311a)

Indirect leak of 4 byte(s) in 1 object(s) allocated from:
    #0 0x7fc058908c48 in malloc (/lib64/libasan.so.5+0xeec48)
    #1 0x55c6f60d74da in tor_malloc_ src/lib/malloc/malloc.c:45
    #2 0x55c6f60d7571 in tor_malloc_zero_ src/lib/malloc/malloc.c:71
    #3 0x55c6f5f62a65 in options_validate_scheduler src/app/config/config.c:3251
    #4 0x55c6f5f62a65 in options_validate src/app/config/config.c:4533
    #5 0x55c6f5f6c3d5 in options_validate_cb src/app/config/config.c:3146
    #6 0x55c6f5f8df68 in config_dump src/app/config/confparse.c:964
    #7 0x55c6f5a43cda in do_dump_config src/app/main/main.c:950
    #8 0x55c6f5a43cda in tor_run_main src/app/main/main.c:1502
    #9 0x55c6f5a3baab in tor_main src/feature/api/tor_api.c:164
    #10 0x55c6f5a361eb in main src/app/main/tor_main.c:32
    #11 0x7fc05592d11a in __libc_start_main (/lib64/libc.so.6+0x2311a)

Indirect leak of 4 byte(s) in 1 object(s) allocated from:
    #0 0x7fc058908c48 in malloc (/lib64/libasan.so.5+0xeec48)
    #1 0x55c6f60d74da in tor_malloc_ src/lib/malloc/malloc.c:45
    #2 0x55c6f60d7571 in tor_malloc_zero_ src/lib/malloc/malloc.c:71
    #3 0x55c6f5f63318 in options_validate_scheduler src/app/config/config.c:3247
    #4 0x55c6f5f63318 in options_validate src/app/config/config.c:4533
    #5 0x55c6f5f6c3d5 in options_validate_cb src/app/config/config.c:3146
    #6 0x55c6f5f8df68 in config_dump src/app/config/confparse.c:964
    #7 0x55c6f5a43cda in do_dump_config src/app/main/main.c:950
    #8 0x55c6f5a43cda in tor_run_main src/app/main/main.c:1502
    #9 0x55c6f5a3baab in tor_main src/feature/api/tor_api.c:164
    #10 0x55c6f5a361eb in main src/app/main/tor_main.c:32
    #11 0x7fc05592d11a in __libc_start_main (/lib64/libc.so.6+0x2311a)

I think this is happening because options_validate is called from config_dump(), but config_dump() frees defaults_tmp using config_free instead of or_options_free.
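
The ownership mismatch described in the report above, reduced to a stand-alone C model (an added example, not code from the ticket or from Tor; `opts_t`, `generic_config_free`, `opts_free` and every other name here are hypothetical). Validation allocates derived state on a temporary object, and a generic free that only knows the declared fields leaves that state behind:

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model, not Tor source; every name here is hypothetical. */
static int live_allocs = 0;               /* blocks allocated and not yet freed */
static void *xmalloc(size_t n) {
  void *p = malloc(n);
  if (!p) abort();
  live_allocs++;
  return p;
}
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }
static char *xstrdup(const char *s) {
  return strcpy(xmalloc(strlen(s) + 1), s);
}

typedef struct {
  char *data_directory;      /* declared option: the generic free knows it */
  char *data_directory_abs;  /* derived during validation: it does not */
} opts_t;

/* Generic free: releases only the declared option fields. */
static void generic_config_free(opts_t *o) {
  xfree(o->data_directory);
  xfree(o);
}
/* Type-specific free: releases derived state, then the declared fields. */
static void opts_free(opts_t *o) {
  if (!o) return;
  xfree(o->data_directory_abs);
  generic_config_free(o);
}
/* Validation allocates derived state on the object it checks. */
static void opts_validate(opts_t *o) {
  o->data_directory_abs = xstrdup("/constructed/abs/path");
}

/* Build a temporary object, validate it, free it; return blocks still live. */
static int dump_and_count_leaks(void (*free_fn)(opts_t *)) {
  live_allocs = 0;
  opts_t *tmp = xmalloc(sizeof(*tmp));
  tmp->data_directory = xstrdup("constructed");
  opts_validate(tmp);
  char *derived = tmp->data_directory_abs;
  free_fn(tmp);
  int leaked = live_allocs;
  if (leaked) free(derived);   /* reclaim so the demo itself exits clean */
  return leaked;
}
int main(void) { return dump_and_count_leaks(generic_config_free) != 1 || dump_and_count_leaks(opts_free) != 0; }
```

The program exits 0 when the generic free leaves exactly one block outstanding and the type-specific free leaves none.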

Change History (8)

comment:1 Changed 11 months ago by nickm

dump_config() only leaks here in the or_options_t case, only from control.c and main.c. I would vote "no backport" here.

comment:2 Changed 11 months ago by nickm

Actually, it can only happen in the --dump-config case, since all the other cases use OPTIONS_DUMP_MINIMAL, which doesn't leak.

comment:3 Changed 11 months ago by nickm

Status: assigned → needs_review

See branch bug27893 with PR at https://github.com/torproject/tor/pull/377 .

comment:4 Changed 11 months ago by nickm

Keywords: 035-must added

Add the 035-must tag to some assertion failures, hangs, ci-blockers, etc.

comment:5 Changed 11 months ago by nickm

Priority: Medium → Very High

Mark all 035-must tickets as "very high"

comment:6 Changed 11 months ago by dgoulet

Reviewer: dgoulet
Status: needs_review → merge_ready

lgtm;

comment:7 Changed 11 months ago by nickm

Resolution: fixed
Status: merge_ready → closed

Merged!

comment:8 Changed 7 months ago by nickm

Actual Points: .2