Opened 3 months ago

Closed 3 months ago

Last modified 3 months ago

#30771 closed defect (fixed)

rend_data_get_pk_digest: Assertion rend_data failed; aborting.

Reported by: nickm Owned by:
Priority: High Milestone: Tor: 0.4.1.x-final
Component: Core Tor/Tor Version:
Severity: Normal Keywords: 041-regression crash 041-must
Cc: Actual Points: 0.1
Parent ID: #30773 Points: 0.1
Reviewer: dgoulet Sponsor:

Description

Found with chutney.

Jun 05 10:09:47.372 [info] circpad_deliver_recognized_relay_cell_events(): Got p
adding cell on origin circuit 39.
Jun 05 10:09:47.372 [info] rend_client_introduction_acked(): Received ack. Telli
ng rend circ...
Jun 05 10:09:47.372 [info] circpad_marked_circuit_for_padding(): Circuit 39 is not marked for close because of a  pending padding machine.
Jun 05 10:09:47.372 [err] tor_assertion_failed_(): Bug: src/feature/hs/hs_common.c:566: rend_data_get_pk_digest: Assertion rend_data failed; aborting. (on Tor 0.4.1.2-alpha 7f341d64828d48eb)
Jun 05 10:09:47.375 [err] Bug: Assertion rend_data failed in rend_data_get_pk_digest at src/feature/hs/hs_common.c:566: . Stack trace: (on Tor 0.4.1.2-alpha 7f341d64828d48eb)
Jun 05 10:09:47.375 [err] Bug:     /lib64/libasan.so.5(+0x6ce90) [0x7f3cf5573e90] (on Tor 0.4.1.2-alpha 7f341d64828d48eb)
Jun 05 10:09:47.375 [err] Bug:     /home/nickm/src/tor/src/app/tor(log_backtrace_impl+0x4d) [0x55a10e4f5e1d] (on Tor 0.4.1.2-alpha 7f341d64828d48eb)
Jun 05 10:09:47.375 [err] Bug:     /home/nickm/src/tor/src/app/tor(tor_assertion_failed_+0x296) [0x55a10e4eb876] (on Tor 0.4.1.2-alpha 7f341d64828d48eb)
Jun 05 10:09:47.375 [err] Bug:     /home/nickm/src/tor/src/app/tor(rend_data_get_pk_digest+0x92) [0x55a10e2dc092] (on Tor 0.4.1.2-alpha 7f341d64828d48eb)
Jun 05 10:09:47.375 [err] Bug:     /home/nickm/src/tor/src/app/tor(rend_client_introduction_acked+0x2ef) [0x55a10e3790bf] (on Tor 0.4.1.2-alpha 7f341d64828d48eb)
Jun 05 10:09:47.375 [err] Bug:     /home/nickm/src/tor/src/app/tor(hs_client_receive_introduce_ack+0x29e) [0x55a10e2d982e] (on Tor 0.4.1.2-alpha 7f341d64828d48eb)
Jun 05 10:09:47.375 [err] Bug:     /home/nickm/src/tor/src/app/tor(rend_process_relay_cell+0x210) [0x55a10e37ead0] (on Tor 0.4.1.2-alpha 7f341d64828d48eb)
Jun 05 10:09:47.375 [err] Bug:     /home/nickm/src/tor/src/app/tor(+0x29bb6e) [0x55a10e220b6e] (on Tor 0.4.1.2-alpha 7f341d64828d48eb)
Jun 05 10:09:47.375 [err] Bug:     /home/nickm/src/tor/src/app/tor(circuit_receive_relay_cell+0xa3b) [0x55a10e22743b] (on Tor 0.4.1.2-alpha 7f341d64828d48eb)
Jun 05 10:09:47.375 [err] Bug:     /home/nickm/src/tor/src/app/tor(command_process_cell+0x7c8) [0x55a10e1e00b8] (on Tor 0.4.1.2-alpha 7f341d64828d48eb)
Jun 05 10:09:47.375 [err] Bug:     /home/nickm/src/tor/src/app/tor(channel_tls_handle_cell+0x5cf) [0x55a10e192b3f] (on Tor 0.4.1.2-alpha 7f341d64828d48eb)
Jun 05 10:09:47.375 [err] Bug:     /home/nickm/src/tor/src/app/tor(+0x270964) [0x55a10e1f5964] (on Tor 0.4.1.2-alpha 7f341d64828d48eb)
Jun 05 10:09:47.375 [err] Bug:     /home/nickm/src/tor/src/app/tor(connection_handle_read+0x1ac2) [0x55a10e16ed82] (on Tor 0.4.1.2-alpha 7f341d64828d48eb)
Jun 05 10:09:47.375 [err] Bug:     /home/nickm/src/tor/src/app/tor(+0x1f5b85) [0x55a10e17ab85] (on Tor 0.4.1.2-alpha 7f341d64828d48eb)

Child Tickets

Change History (5)

comment:1 Changed 3 months ago by asn

     circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_FINISHED);
 
     /* close any other intros launched in parallel */
    rend_client_close_other_intros(rend_data_get_pk_digest(circ->rend_data,
                                                           NULL));

This seems to be caused by a bad interaction between #29034 and #28780, plus some naughty v2 code. The v2 code marks the circuit as closed and then tries to access rend_data out of it, but because of #28780 the mark for close repurposes the circuit to a padding circuit instead, and then because #29034 we also clean its rend_data. This causes the crash.

A temporary bandaid can be found here that allows the HS connection to go through: https://github.com/torproject/tor/pull/1074

However this is a problematic pattern and we should look into this. I opened a new ticket at #30773.

comment:2 Changed 3 months ago by asn

Status: newneeds_review

comment:3 Changed 3 months ago by dgoulet

Actual Points: 0.1
Points: 0.1
Reviewer: dgoulet
Status: needs_reviewmerge_ready

LGTM!

CI still feeding...

comment:4 Changed 3 months ago by nickm

Resolution: fixed
Status: merge_readyclosed

Merged.

comment:5 Changed 3 months ago by asn

Parent ID: #30773
Note: See TracTickets for help on using tickets.