Opened 8 years ago

Closed 8 years ago

Last modified 7 years ago

#4343 closed defect (fixed)

Tor seg faults: free(): invalid pointer

Reported by: arma
Owned by:
Priority: High
Milestone: Tor: 0.2.3.x-final
Component: Core Tor/Tor
Version:
Severity:
Keywords: tor-relay
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

git master (425e4236c6) crashes on moria5:

*** glibc detected *** ../git/src/or/tor: double free or corruption (out): 0x00007fefece53320 ***
Segmentation fault

Here's our hint:

Oct 28 15:49:57.000 [warn] Certificate not yet valid: is your system clock set incorrectly?
Oct 28 15:49:57.000 [warn] (certificate lifetime runs from Oct 29 00:49:43 2011 GMT through Oct 28 00:49:43 2012 GMT. Your time is Oct 28 19:49:57 2011 GMT.)
Oct 28 15:49:57.000 [info] command_process_cert_cell(): Received a bad CERT cell from 38.229.70.53:54683: The authentication certificate was not valid
Oct 28 15:49:57.000 [info] command_process_authenticate_cell(): Received a bad AUTHETNICATE cell from 38.229.70.53:54683: We never got a cert cell
Oct 28 15:49:57.000 [warn] Bug: Duplicate call to connection_mark_for_close at command.c:1157 (first at command.c:1026)

Child Tickets

Change History (15)

comment:1 Changed 8 years ago by arma

Also "AUTHETNICATE" should get fixed

comment:2 Changed 8 years ago by arma

Here's a piece of the stack trace from when moria1 died:

#16 0x00007f1d66a8cad6 in malloc_printerr (action=3,
    str=0x7f1d66b40b75 "free(): invalid pointer", ptr=<value optimized out>)
    at malloc.c:6267
#17 0x00007f1d66a9184c in *__GI___libc_free (mem=<value optimized out>)
    at malloc.c:3739
#18 0x00000000004df504 in tor_cert_free (cert=0x7f1d5e843070) at tortls.c:696
#19 0x000000000048efe8 in or_handshake_state_free (state=0x7f1d5c4371e0)
    at connection_or.c:1595
#20 0x000000000048f981 in connection_or_set_state_open (conn=0x7f1d5c9d0530)
    at connection_or.c:1714
#21 0x00000000004711af in command_process_netinfo_cell (cell=0x7f1d5c9d05c8,
    conn=0x7f1d5c9d0530) at command.c:868
#22 command_process_cell (cell=0x7f1d5c9d05c8, conn=0x7f1d5c9d0530)
    at command.c:194
#23 0x000000000049065a in connection_or_process_cells_from_inbuf (
    conn=0x7f1d5c9d0530) at connection_or.c:1822
#24 0x0000000000484a39 in connection_handle_read_impl (conn=0x7f1d5c9d0530)
    at connection.c:2701
#25 connection_handle_read (conn=0x7f1d5c9d0530) at connection.c:2741

Now it dies reliably on startup.

comment:3 Changed 8 years ago by nickm

Can you tell me the value of *cert in the tor_cert_free() there?

comment:4 Changed 8 years ago by arma

#18 0x00000000004df504 in tor_cert_free (cert=0x7f1d5e843070) at tortls.c:696
696       tor_free(cert->encoded);
(gdb) print *cert
$1 = {cert = 0x7f1d5cf602d0, encoded = 0x7f1d5e0d2410 "0", encoded_len = 437, 
  pkey_digests_set = 1, cert_digests = {d = {
      "Zw®\214\065\062/;Ú\224p\213\037\204@Ó\214/\035\030", '\000' <repeats 11 times>, "Ñ\232àUt`\204.\"Ì9ðÞ\022\aÈL³Düý\237\063¡\000R)Ö\033H´p"}}, 
  pkey_digests = {d = {
      "b7+bE\214\"|û%ùRmò7\233\226KQþ", '\000' <repeats 11 times>, 
      "Ç\236\061Ðv\034ð¹_ã1Ç\215\001\006)|\002\036Z!À\214I~ì\221UË\035Ó­"}}}

comment:5 Changed 8 years ago by nickm

Conceivably related to bug #4299 -- at least, the same warning seems to go along with it.

comment:6 Changed 8 years ago by nickm

So, if we've got the same code, the tor_free that's failing is tor_free(encoded) in tor_cert_free (tortls.c line 696)

Note that we haven't freed the cert itself before: if we had, we'd be seeing different output there, since right after that, we say "memset(cert, 0x03, sizeof(cert))". Whoops. That should be sizeof(*cert). But either way, I'm not seeing 8 0x03 bytes anywhere in there, are you?

So something else must have freed cert->encoded. Or I'm analyzing this wrong.
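
An added illustration of the two points in the comment above, written for this page and not taken from Tor's tree: a toy certificate struct whose field names follow the gdb dump (the layout itself is an assumption), released the way tor_cert_free does it (members, then poison, then the struct). With `sizeof(cert)` the poison memset covers only a pointer's worth of bytes, so a freed struct would show just `sizeof(void *)` bytes of 0x03 rather than 0x03 throughout; with `sizeof(*cert)` the whole object is poisoned. The block also shows why a member released through a NULLing, tor_free-style macro can be released again harmlessly, whereas a stale pointer left behind by a raw `free()` elsewhere is exactly what trips glibc's heap checks on the second free. The DER bytes are constructed sample input; `toy_cert_t`, `toy_free` and the helper names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for Tor's tor_cert_t. Field names follow the gdb dump in
 * this ticket, but the layout is a simplification (assumption). */
typedef struct {
    unsigned char *encoded;    /* DER bytes, released in the cleanup path */
    size_t encoded_len;
    int pkey_digests_set;
    unsigned char digest[32];  /* stands in for cert_digests / pkey_digests */
} toy_cert_t;

/* The tor_free idiom: free and NULL the caller's lvalue, so a second
 * toy_free() of the same lvalue is free(NULL), a no-op. */
#define toy_free(p) do { free(p); (p) = NULL; } while (0)

toy_cert_t *toy_cert_new(const unsigned char *der, size_t len) {
    toy_cert_t *cert = calloc(1, sizeof(*cert)); /* calloc: padding is 0, not junk */
    if (!cert) return NULL;
    cert->encoded = malloc(len);
    if (!cert->encoded) { free(cert); return NULL; }
    memcpy(cert->encoded, der, len);
    cert->encoded_len = len;
    cert->pkey_digests_set = 1;
    memset(cert->digest, 0xAA, sizeof(cert->digest));
    return cert;
}

/* Count bytes in [obj, obj+len) equal to fill: what "print *cert" would
 * show after the poison memset. */
size_t count_fill_bytes(const void *obj, size_t len, unsigned char fill) {
    const unsigned char *p = obj;
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (p[i] == fill) n++;
    return n;
}

/* Cleanup in the order tor_cert_free uses: member first, then poison the
 * struct, then hand it back. poison_whole=1 uses sizeof(*cert); 0
 * reproduces the sizeof(cert) typo, which poisons only sizeof(pointer)
 * bytes. Returns how many 0x03 bytes the struct holds just before free(). */
size_t toy_cert_free_ex(toy_cert_t *cert, int poison_whole) {
    if (!cert) return 0;
    toy_free(cert->encoded);
    size_t poison_len = poison_whole ? sizeof(*cert) : sizeof(cert); /* the typo */
    memset(cert, 0x03, poison_len);
    size_t poisoned = count_fill_bytes(cert, sizeof(*cert), 0x03);
    free(cert);
    return poisoned;
}

/* Build a cert from a constructed DER blob and free it; returns the
 * number of 0x03 bytes left in the struct by the chosen poison size. */
size_t poison_demo(int poison_whole) {
    static const unsigned char der[] = { 0x30, 0x03, 0x02, 0x01, 0x00 }; /* constructed */
    toy_cert_t *cert = toy_cert_new(der, sizeof(der));
    return cert ? toy_cert_free_ex(cert, poison_whole) : 0;
}

/* Releasing the same member twice through toy_free is harmless because the
 * first call NULLs it. A raw free(cert->encoded) done elsewhere would leave
 * the stale pointer in place, and the second free would be a real double
 * free. Returns 1 if the member reads as NULL after the two releases. */
int double_release_is_safe(void) {
    static const unsigned char der[] = { 0x30, 0x03, 0x02, 0x01, 0x00 }; /* constructed */
    toy_cert_t *cert = toy_cert_new(der, sizeof(der));
    if (!cert) return 0;
    toy_free(cert->encoded);
    toy_free(cert->encoded);            /* free(NULL): no-op */
    int ok = (cert->encoded == NULL);
    free(cert);
    return ok;
}

int main(void) {
    printf("sizeof(toy_cert_t)=%zu: sizeof(*cert) poisons %zu bytes, sizeof(cert) poisons %zu\n",
           sizeof(toy_cert_t), poison_demo(1), poison_demo(0));
    printf("double toy_free of the same member is safe: %d\n", double_release_is_safe());
    return 0;
}
```

Run under a debugger, the `poison_demo(0)` case is the tell nickm describes: only the first pointer-sized field reads 0x03, the rest of the struct still shows live-looking data. Note also that the gdb dump on this ticket shows `encoded` still holding a non-NULL address when the crashing free runs, so whatever released that buffer first did not go through a NULLing free.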

comment:7 in reply to: description; Changed 8 years ago by arma

Replying to arma:

Oct 28 15:49:57.000 [warn] Certificate not yet valid: is your system clock set incorrectly?
Oct 28 15:49:57.000 [warn] (certificate lifetime runs from Oct 29 00:49:43 2011 GMT through Oct 28 00:49:43 2012 GMT. Your time is Oct 28 19:49:57 2011 GMT.)

So the cert is only valid after Oct 29 or before Oct 28? Sounds like we have our logic reversed.

comment:8 in reply to: 7; Changed 8 years ago by nickm

Replying to arma:

Replying to arma:

Oct 28 15:49:57.000 [warn] Certificate not yet valid: is your system clock set incorrectly?
Oct 28 15:49:57.000 [warn] (certificate lifetime runs from Oct 29 00:49:43 2011 GMT through Oct 28 00:49:43 2012 GMT. Your time is Oct 28 19:49:57 2011 GMT.)

So the cert is only valid after Oct 29 or before Oct 28? Sounds like we have our logic reversed.

Please don't use this as a catch-all ticket for everything you notice while trying to debug the issue. :)

comment:9 Changed 8 years ago by arma

See #4299 for the earlier 'duplicate mark for close' bug.

comment:10 Changed 8 years ago by nickm

Status: new → needs_review

Possible--nay, likely!-- fix in branch "bug4343" in my public repository.

comment:11 in reply to: 7; Changed 8 years ago by arma

Replying to arma:

Replying to arma:

Oct 28 15:49:57.000 [warn] Certificate not yet valid: is your system clock set incorrectly?
Oct 28 15:49:57.000 [warn] (certificate lifetime runs from Oct 29 00:49:43 2011 GMT through Oct 28 00:49:43 2012 GMT. Your time is Oct 28 19:49:57 2011 GMT.)

So the cert is only valid after Oct 29 or before Oct 28? Sounds like we have our logic reversed.

Opened as #4344.

comment:12 Changed 8 years ago by nickm

Resolution: fixed
Status: needs_review → closed

comment:13 Changed 8 years ago by nickm

(merged it)

comment:14 Changed 7 years ago by nickm

Keywords: tor-relay added

comment:15 Changed 7 years ago by nickm

Component: Tor Relay → Tor