Opened 6 weeks ago

Closed 4 weeks ago

#31375 closed defect (fixed)

hs: Crash in token_bucket_ctr_refill() of the INTRO2 DoS defense

Reported by: dgoulet
Owned by:
Priority: Very High
Milestone: Tor: 0.4.2.x-final
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: tor-hs, crash, regression, nickm-merge
Cc: asn
Actual Points:
Parent ID:
Points:
Reviewer: asn
Sponsor: Sponsor27-must

Description

Ran my relay for some minutes with master (merged #15516) and the HS DoS defenses enabled. Relay died with this:

Tor 0.4.2.0-alpha-dev (git-0acfd7dcee2a4473) died: Caught signal 8
/home/tor/git/tor/src/app/tor(+0x20d359)[0x5594030b1359]
/home/tor/git/tor/src/app/tor(token_bucket_ctr_refill+0x3b)[0x55940304c33b]
/home/tor/git/tor/src/app/tor(token_bucket_ctr_refill+0x3b)[0x55940304c33b]
/home/tor/git/tor/src/app/tor(hs_dos_can_send_intro2+0x45)[0x559402fb6ba5]
/home/tor/git/tor/src/app/tor(rend_mid_introduce_legacy+0x136)[0x559402ff7096]
/home/tor/git/tor/src/app/tor(hs_intro_received_introduce1+0x2ce)[0x5594030457ee]
/home/tor/git/tor/src/app/tor(rend_process_relay_cell+0x1bf)[0x559402ff643f]
/home/tor/git/tor/src/app/tor(+0xb9105)[0x559402f5d105]
/home/tor/git/tor/src/app/tor(+0xb9b60)[0x559402f5db60]
/home/tor/git/tor/src/app/tor(circuit_receive_relay_cell+0x490)[0x559402f5f590]
/home/tor/git/tor/src/app/tor(command_process_cell+0x3f8)[0x559402f40ed8]
/home/tor/git/tor/src/app/tor(channel_tls_handle_cell+0x39b)[0x559402f2078b]
/home/tor/git/tor/src/app/tor(+0xa5a9c)[0x559402f49a9c]
/home/tor/git/tor/src/app/tor(connection_handle_read+0xa0d)[0x559402f0dd0d]
/home/tor/git/tor/src/app/tor(+0x6ef1e)[0x559402f12f1e]
/usr/lib/x86_64-linux-gnu/libevent-2.1.so.6(+0x1e8f8)[0x7f15b29208f8]
/usr/lib/x86_64-linux-gnu/libevent-2.1.so.6(event_base_loop+0x53f)[0x7f15b292133f]
/home/tor/git/tor/src/app/tor(do_main_loop+0xd9)[0x559402f14209]
/home/tor/git/tor/src/app/tor(tor_run_main+0x128d)[0x559402f01d9d]
/home/tor/git/tor/src/app/tor(tor_main+0x3a)[0x559402eff1da]
/home/tor/git/tor/src/app/tor(main+0x19)[0x559402efed69]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0x7f15b1bbbb97]

Change History (7)

comment:1 Changed 6 weeks ago by dgoulet

Summary: hs: Crasg in token_bucket_ctr_refill() of the INTRO2 DoS defense → hs: Crash in token_bucket_ctr_refill() of the INTRO2 DoS defense

comment:2 Changed 6 weeks ago by nickm

Keywords: regression added

comment:3 Changed 5 weeks ago by dgoulet

Ok... this is embarrassing but the reason we got there is because the INTRO2 bucket is _not_ initialized for a legacy intro point (v2)...

We only init() in handle_verified_establish_intro_cell() which is v3 only.

Fortunately, we did not release this bug _and_ the HS DoS defense is not enabled by default.
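
A minimal C model of the root cause described in comment 3, added here as an illustration; it is not part of the ticket and is not Tor's code. All type and function names and the rate/burst values are hypothetical, and it assumes the signal 8 (SIGFPE) comes from an integer division by a bucket rate that was never set.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified types; not Tor's token_bucket_ctr_t or circuits. */
typedef struct { uint32_t rate, burst, tokens, last; } bucket_t;
typedef struct { int legacy; bucket_t intro2; } intro_circ_t;

static void bucket_init(bucket_t *b, uint32_t rate, uint32_t burst, uint32_t now) {
  b->rate = rate; b->burst = burst; b->tokens = burst; b->last = now;
}

/* Overflow-safe refill that divides by the rate: on x86-64 this traps with
 * SIGFPE when the bucket was never initialized (rate == 0). */
static void refill_unchecked(bucket_t *b, uint32_t now) {
  uint32_t elapsed = now - b->last, gap = b->burst - b->tokens;
  if (elapsed > gap / b->rate) b->tokens = b->burst;
  else b->tokens += elapsed * b->rate;
  b->last = now;
}

/* Hardened refill: report an uninitialized bucket instead of dividing. */
static int refill_checked(bucket_t *b, uint32_t now) {
  if (b->rate == 0) return -1;
  refill_unchecked(b, now);
  return 0;
}

/* Circuit setup. With fixed == 0 the bucket is configured only on the v3
 * path (the state comment 3 describes); fixed == 1 covers legacy too. */
void establish_intro(intro_circ_t *c, int legacy, int fixed, uint32_t now) {
  memset(c, 0, sizeof(*c));
  c->legacy = legacy;
  if (!legacy || fixed) bucket_init(&c->intro2, 25, 200, now); /* sample values */
}

/* 1 = relay the INTRODUCE2, 0 = rate limited, -1 = bucket never set up
 * (the caller can log a bug and close the circuit instead of crashing). */
int can_send_intro2(intro_circ_t *c, uint32_t now) {
  if (refill_checked(&c->intro2, now) < 0) return -1;
  if (c->intro2.tokens == 0) return 0;
  c->intro2.tokens--;
  return 1;
}

int main(void) {
  intro_circ_t c;
  establish_intro(&c, 1, 0, 100); printf("legacy, v3-only init: %d\n", can_send_intro2(&c, 101));
  establish_intro(&c, 1, 1, 100); printf("legacy, init on both: %d\n", can_send_intro2(&c, 101));
  return 0;
}
```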

comment:4 Changed 5 weeks ago by dgoulet

Reviewer: asn
Status: new → needs_review

Branch: ticket31375_042_01
PR: https://github.com/torproject/tor/pull/1225

comment:5 Changed 5 weeks ago by asn

Status: needs_review → merge_ready

LGTM!

comment:6 Changed 5 weeks ago by dgoulet

Keywords: nickm-merge added

comment:7 Changed 4 weeks ago by nickm

Resolution: fixed
Status: merge_ready → closed

merged!
