Opened 3 months ago

Closed 3 months ago

#30773 closed defect (fixed)

New bug class: Accessing rend_data/hs_ident after marking for close a circuit

Reported by: asn
Owned by:
Priority: High
Milestone: Tor: 0.4.1.x-final
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: tor-hs bug 041-must stability
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

See #30771 for an example of this issue:

    circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_FINISHED);

    /* close any other intros launched in parallel */
    rend_client_close_other_intros(rend_data_get_pk_digest(circ->rend_data,
                                                           NULL));

It seems to be caused by a bad interaction between #29034 and #28780, plus some naughty v2 code. The v2 code marks the circuit as closed and then tries to access rend_data out of it, but because of #28780 the mark for close repurposes the circuit to a padding circuit instead, and then because of #29034 we also clean its rend_data. This causes the crash.

We should make sure that this pattern is impossible in other parts of the code, so that we don't assert out again, or even worse access freed memory.
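
The ordering problem described in this ticket, as an added toy model in C that is not Tor's code: the struct, enum and function names are hypothetical, and `toy_mark_for_close` assumes the close always takes the repurpose-to-padding path that clears the rendezvous state. It contrasts reading `rend_data` after the mark with copying the digest out before it.

```c
/* Toy model of the bug class in this ticket; hypothetical names, not Tor's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define DIGEST_LEN 20
enum { PURPOSE_INTRO = 0, PURPOSE_PADDING = 1 };
typedef struct { unsigned char pk_digest[DIGEST_LEN]; } toy_rend_data_t;
typedef struct { int purpose; toy_rend_data_t *rend_data; } toy_circuit_t;

/* Assumed model: "closing" repurposes the circuit for padding, and the
 * repurpose frees the rendezvous state the caller may still want. */
static void toy_mark_for_close(toy_circuit_t *c) {
  c->purpose = PURPOSE_PADDING;
  free(c->rend_data);
  c->rend_data = NULL;
}

/* Ordering from the ticket: mark first, read rend_data afterwards.
 * Returns -1 where the real code would trip the assertion. */
static int close_then_read(toy_circuit_t *c, unsigned char *out) {
  toy_mark_for_close(c);
  if (!c->rend_data) return -1;           /* state is already gone */
  memcpy(out, c->rend_data->pk_digest, DIGEST_LEN);
  return 0;
}

/* Safe ordering: copy what is needed, then give up the circuit. */
static int read_then_close(toy_circuit_t *c, unsigned char *out) {
  if (!c->rend_data) return -1;
  memcpy(out, c->rend_data->pk_digest, DIGEST_LEN);
  toy_mark_for_close(c);
  return 0;
}

/* Builds a constructed intro circuit whose digest is filled with one byte. */
static toy_circuit_t *toy_circuit_new(unsigned char fill) {
  toy_circuit_t *c = calloc(1, sizeof(*c));
  if (!c) abort();
  c->rend_data = calloc(1, sizeof(*c->rend_data));
  if (!c->rend_data) abort();
  memset(c->rend_data->pk_digest, fill, DIGEST_LEN);
  return c;
}

int main(void) {
  unsigned char d[DIGEST_LEN] = {0};
  toy_circuit_t *a = toy_circuit_new(0xAB), *b = toy_circuit_new(0xAB);
  printf("close-then-read: %d\n", close_then_read(a, d));
  printf("read-then-close: %d\n", read_then_close(b, d));
  free(a); free(b);
  return 0;
}
```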

Child Tickets

Ticket | Status | Owner | Summary | Component
#30771 | closed | | rend_data_get_pk_digest: Assertion rend_data failed; aborting. | Core Tor/Tor
#30775 | closed | | Crash in close_or_reextend_intro_circ() (not released) | Core Tor/Tor

Change History (2)

comment:1 Changed 3 months ago by nickm

Keywords: 041-must stability added
Priority: Medium → High

comment:2 Changed 3 months ago by nickm

Resolution: fixed
Status: new → closed

The replacement for #29034 should take care of this class of bug.
