Opened 10 months ago

Closed 9 months ago

Last modified 9 months ago

#29040 closed defect (fixed)

Tor crashes if ClientOnionAuthDir contains more than one private key for a hidden service

Reported by: demfloro
Owned by: haxxpop
Priority: Medium
Milestone: Tor: 0.3.5.x-final
Component: Core Tor/Tor
Version: Tor: 0.3.5.7
Severity: Major
Keywords: 040-proposed, tor-hs, crash, 035-backport
Cc: dgoulet, asn
Reviewer: dgoulet

Description

OS: Arch Linux,

Minimum torrc to reproduce problem:

ClientOnionAuthDir /var/lib/tor/auth

In /var/lib/tor/auth place a file, for example "key1.auth_private" with:

squlj76moawedtuiixydwlzj65323e6k232bpogd4xrrsz4bgcunyqad:descriptor:x25519:XX5M5YQVTGCXPS3E6G6AGOUZYFISOLMSXLD2E3BTL22DUQZLHK4Q

then do

# cp /var/lib/tor/auth/key1.auth_private /var/lib/tor/auth/key2.auth_private
# tor -f /etc/tor/torrc

This yields the traceback:

Jan 10 03:57:29.597 [notice] Tor 0.3.5.7 running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1a, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.7.
Jan 10 03:57:29.598 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jan 10 03:57:29.598 [notice] Read configuration file "/etc/tor/torrc".
Jan 10 03:57:29.612 [err] tor_assertion_failed_(): Bug: src/app/config/config.c:890: get_options_mutable: Assertion global_options failed; aborting. (on Tor 0.3.5.7 )
Jan 10 03:57:29.614 [err] Bug: Assertion global_options failed in get_options_mutable at src/app/config/config.c:890. Stack trace: (on Tor 0.3.5.7 )
Jan 10 03:57:29.614 [err] Bug:     tor(log_backtrace_impl+0x48) [0x571747260a18] (on Tor 0.3.5.7 )
Jan 10 03:57:29.614 [err] Bug:     tor(tor_assertion_failed_+0x97) [0x57174725bee7] (on Tor 0.3.5.7 )
Jan 10 03:57:29.614 [err] Bug:     tor(get_options_mutable+0x60) [0x5717471dc1d0] (on Tor 0.3.5.7 )
Jan 10 03:57:29.614 [err] Bug:     tor(safe_str_client+0x22) [0x5717471dc552] (on Tor 0.3.5.7 )
Jan 10 03:57:29.614 [err] Bug:     tor(hs_config_client_authorization+0x5a0) [0x571747168e10] (on Tor 0.3.5.7 )
Jan 10 03:57:29.614 [err] Bug:     tor(hs_config_client_auth_all+0x30) [0x5717471fa7f0] (on Tor 0.3.5.7 )
Jan 10 03:57:29.614 [err] Bug:     tor(+0x1798ab) [0x5717471e38ab] (on Tor 0.3.5.7 )
Jan 10 03:57:29.614 [err] Bug:     tor(options_init_from_string+0x364) [0x5717471e7d34] (on Tor 0.3.5.7 )
Jan 10 03:57:29.614 [err] Bug:     tor(options_init_from_torrc+0x376) [0x5717471e82f6] (on Tor 0.3.5.7 )
Jan 10 03:57:29.614 [err] Bug:     tor(tor_init+0x32a) [0x5717470bd7ba] (on Tor 0.3.5.7 )
Jan 10 03:57:29.614 [err] Bug:     tor(tor_run_main+0xcd) [0x5717470be54d] (on Tor 0.3.5.7 )
Jan 10 03:57:29.614 [err] Bug:     tor(tor_main+0x3b) [0x5717470bc62b] (on Tor 0.3.5.7 )
Jan 10 03:57:29.614 [err] Bug:     tor(main+0x1a) [0x5717470bc1ba] (on Tor 0.3.5.7 )
Jan 10 03:57:29.614 [err] Bug:     /usr/lib/libc.so.6(__libc_start_main+0xf3) [0x74f0206a9223] (on Tor 0.3.5.7 )
Jan 10 03:57:29.614 [err] Bug:     tor(_start+0x2e) [0x5717470bc21e] (on Tor 0.3.5.7 )
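
A pre-start check for the condition reported above, as an added example that is not part of the ticket or of Tor's code: it lists onion addresses that occur in more than one *.auth_private file of a ClientOnionAuthDir. The function name find_duplicate_onion_auth and the sample data are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Tor project code): find onion addresses that appear in
# more than one *.auth_private file of a ClientOnionAuthDir.
# Credential line format, as shown in the ticket:
#   <onion-address>:descriptor:x25519:<base32-private-key>

# Prints "<onion-address> <file> <file> ..." for each duplicated address.
# Returns 0 if none, 1 if duplicates exist, 2 if DIR is not a directory.
find_duplicate_onion_auth() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    set -- "$dir"/*.auth_private
    [ -e "$1" ] || return 0            # glob matched nothing
    awk -F: '
        # Only well-formed x25519 descriptor credentials are considered.
        NF == 4 && $2 == "descriptor" && $3 == "x25519" {
            addr = tolower($1)
            if (!((addr, FILENAME) in seen)) {
                seen[addr, FILENAME] = 1
                files[addr] = (addr in files) ? files[addr] " " FILENAME : FILENAME
                count[addr]++
            }
        }
        END {
            for (a in count) if (count[a] > 1) { print a, files[a]; dup = 1 }
            exit (dup ? 1 : 0)
        }
    ' "$@"
}

# With a directory argument, check it; with none, run on constructed sample data.
if [ "$#" -gt 0 ]; then
    find_duplicate_onion_auth "$1"
else
    demo=$(mktemp -d)
    addr=$(printf '%056d' 0 | tr 0 a)   # constructed placeholder, not a real address
    for n in 1 2; do
        printf '%s:descriptor:x25519:PLACEHOLDERKEY\n' "$addr" > "$demo/key$n.auth_private"
    done
    find_duplicate_onion_auth "$demo" || echo "duplicate credentials found"
    rm -rf "$demo"
fi
```

Run it with the ClientOnionAuthDir path as the only argument before starting tor; a non-zero exit status means the directory needs cleaning up.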

Attachments (2)

core.tor.lz4 (284.4 KB) - added by demfloro 10 months ago.
Tor coredump
core.tor.debug.lz4 (284.7 KB) - added by demfloro 10 months ago.
Coredump of binary with debug info

Change History (21)

Changed 10 months ago by demfloro

Attachment: core.tor.lz4 added

Tor coredump

Changed 10 months ago by demfloro

Attachment: core.tor.debug.lz4 added

Coredump of binary with debug info

comment:1 Changed 10 months ago by demfloro

Couldn't attach binary with debug info, so only posting traceback:

Reading symbols from /usr/bin/tor...done.
[New LWP 763]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Core was generated by `tor -f /etc/tor/torrc'.
Program terminated with signal SIGABRT, Aborted.
#0  0x00007c3c62d21d7f in raise () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007c3c62d21d7f in raise () from /usr/lib/libc.so.6
#1  0x00007c3c62d0c672 in abort () from /usr/lib/libc.so.6
#2  0x0000594aa16de1d6 in get_options_mutable () at src/app/config/config.c:890
#3  get_options_mutable () at src/app/config/config.c:887
#4  0x0000594aa16de552 in get_options () at src/app/config/config.c:1089
#5  safe_str_client (address=address@entry=0x20 <error: Cannot access memory at address 0x20>) at src/app/config/config.c:1089
#6  0x0000594aa166ae10 in hs_config_client_authorization (options=options@entry=0x594aa2021e30, validate_only=validate_only@entry=1)
    at src/feature/hs/hs_client.c:1622
#7  0x0000594aa16fc7f0 in hs_config_client_auth_all (options=options@entry=0x594aa2021e30, validate_only=validate_only@entry=1)
    at src/feature/hs/hs_config.c:688
#8  0x0000594aa16e58ab in options_validate (old_options=old_options@entry=0x0, options=options@entry=0x594aa2021e30,
    default_options=default_options@entry=0x594aa2023390, from_setconf=<optimized out>, from_setconf@entry=0, msg=msg@entry=0x7ffc70649498)
    at src/app/config/config.c:4381
#9  0x0000594aa16e9d34 in options_init_from_string (cf_defaults=cf_defaults@entry=0x594aa2021dd0 "",
    cf=cf@entry=0x594aa2018a00 "ClientOnionAuthDir /var/lib/tor/auth\n", command=command@entry=0, command_arg=command_arg@entry=0x0,
    msg=msg@entry=0x7ffc70649498) at src/app/config/config.c:5496
#10 0x0000594aa16ea2f6 in options_init_from_torrc (argc=argc@entry=3, argv=argv@entry=0x594aa1ffacd0) at src/app/config/config.c:5272
#11 0x0000594aa15bf7ba in tor_init (argc=argc@entry=3, argv=argv@entry=0x594aa1ffacd0) at src/app/main/main.c:640
#12 0x0000594aa15c054d in tor_run_main (tor_cfg=tor_cfg@entry=0x594aa1ffa290) at src/app/main/main.c:1454
#13 0x0000594aa15be62b in tor_main (argc=3, argv=0x7ffc70649858) at src/feature/api/tor_api.c:164
#14 0x0000594aa15be1ba in main (argc=<optimized out>, argv=<optimized out>) at src/app/main/tor_main.c:32

comment:2 Changed 10 months ago by teor

Keywords: 040-proposed tor-hs crash added
Milestone: Tor: 0.4.0.x-final
Severity: Normal → Major

comment:3 Changed 10 months ago by demfloro

Summary: Tor crashes if ClientOnionAuthDir contains more than one public key for a hidden service → Tor crashes if ClientOnionAuthDir contains more than one private key for a hidden service

comment:4 Changed 10 months ago by nickm

Cc: dgoulet asn added
Keywords: 035-backport added

comment:5 Changed 9 months ago by haxxpop

Owner: set to haxxpop
Status: new → assigned

comment:6 Changed 9 months ago by haxxpop

Status: assigned → needs_review

comment:8 Changed 9 months ago by asn

Reviewer: dgoulet

comment:9 Changed 9 months ago by dgoulet

Status: needs_review → merge_ready

This lgtm;

That safe_str_client() fix is a good catch also.

comment:10 Changed 9 months ago by nickm

Should this also get fixed in 0.3.5? If so I want to rebase before merging.

comment:11 in reply to:  10 ; Changed 9 months ago by haxxpop

Replying to nickm:

> Should this also get fixed in 0.3.5? If so I want to rebase before merging.

Yes.

comment:12 in reply to:  11 ; Changed 9 months ago by dgoulet

Replying to haxxpop:

> Replying to nickm:
>
> > Should this also get fixed in 0.3.5? If so I want to rebase before merging.
>
> Yes.

@haxxpop, this means the branch needs to be based on 035 and not master so we can then merge forward. You think you can quickly give us an 035 branch? Thanks!

comment:13 in reply to:  12 Changed 9 months ago by haxxpop

Replying to dgoulet:

> Replying to haxxpop:
>
> > Replying to nickm:
> >
> > > Should this also get fixed in 0.3.5? If so I want to rebase before merging.
> >
> > Yes.
>
> @haxxpop, this means the branch needs to be based on 035 and not master so we can then merge forward. You think you can quickly give us an 035 branch? Thanks!

Isn't it already based on 035?

$ git log --oneline --graph 
* 3d635653e hs-v3: add an option param to safe log functions
* 3842ebac7 hs-v3: fix use after free in client auth config
*   f8dac5c90 Merge branch 'maint-0.3.5'
|\  
| *   94a799815 Merge remote-tracking branch 'tlyu-github/ticket28731-035' into maint-0.3.5
| |\  
| | * 1b855af5e Log bootstrap tag names
* | |   69264f96f Merge branch 'dormant_persist_squashed'
|\ \ \  

Is this one correct?

comment:14 Changed 9 months ago by nickm

When I do "git log maint-0.3.5..ticket29040_1", I get hundreds of commits.

The fact that there is a commit message saying "Merge branch maint-0.3.5" means that your branch is based on a branch where maint-0.3.5 has been merged into it -- not on maint-0.3.5 itself.

comment:15 in reply to:  14 Changed 9 months ago by haxxpop

Replying to nickm:

> When I do "git log maint-0.3.5..ticket29040_1", I get hundreds of commits.
>
> The fact that there is a commit message saying "Merge branch maint-0.3.5" means that your branch is based on a branch where maint-0.3.5 has been merged into it -- not on maint-0.3.5 itself.

solved :)

comment:16 Changed 9 months ago by nickm

Looks good now. Could I please have a changes file?

comment:17 Changed 9 months ago by nickm

Resolution: fixed
Status: merge_ready → closed

Added a changes file and merged to 0.3.5 and forward.

comment:18 Changed 9 months ago by nickm

Milestone: Tor: 0.4.0.x-final → Tor: 0.3.5.x-final

comment:19 Changed 9 months ago by haxxpop

Oh I forgot about this. So sorry.
