Opened 7 years ago

Closed 6 years ago

#6267 closed defect (wontfix)

SIGSEGV in obfs2_circuit_free when chroot() is used

Reported by: dazo
Owned by: asn
Priority: Medium
Milestone:
Component: Archived/Obfsproxy
Version:
Severity:
Keywords: chroot
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

When using the --chroot feature from trac #6264 on a SL6.2 x86_64 box, I get the following SEGV:

Server side with --chroot

Program received signal SIGSEGV, Segmentation fault.
obfs2_circuit_free (circuit=0x7ffff8214870) at src/protocols/obfs2.c:303
303	  obfs2_destroy(obfs2_circuit->state);
(gdb) bt
#0  obfs2_circuit_free (circuit=0x7ffff8214870) at src/protocols/obfs2.c:303
#1  0x00007ffff7b9bb26 in bufferevent_writecb (fd=14, event=<value optimized out>, arg=0x7ffff82144d0) at bufferevent_sock.c:244
#2  0x00007ffff7b93b0c in event_process_active_single_queue (base=0x7ffff8212fd0, flags=0) at event.c:1340
#3  event_process_active (base=0x7ffff8212fd0, flags=0) at event.c:1407
#4  event_base_loop (base=0x7ffff8212fd0, flags=0) at event.c:1604
#5  0x00007ffff7ff8f3c in launch_external_proxy (begin=<value optimized out>) at src/external.c:90
#6  0x00007ffff7fecbf8 in obfs_main (argc=<value optimized out>, argv=0x7fffffffe648) at src/main.c:646
#7  0x00007ffff705ccdd in __libc_start_main () from /lib64/libc.so.6
#8  0x00007ffff7febcd9 in _start ()
(gdb) print circuit
$1 = (circuit_t *) 0x7ffff8214870
(gdb) print *circuit
$2 = {upstream = 0x7ffff8214840, downstream = 0x7ffff8214080, socks_state = 0x0, is_open = 1, is_flushing = 0}
(gdb) print *circuit->upstream
$3 = {cfg = 0x0, peername = 0x7ffff8214dc0 "\360M!\370\377\177", circuit = 0x0, buffer = 0x7ffff82144d0, mode = LSN_SIMPLE_SERVER}
(gdb) print *circuit->downstream
$4 = {cfg = 0x7ffff82143e0, peername = 0x7ffff8214060 "\260M!\370\377\177", circuit = 0x0, buffer = 0x7ffff82140b0, mode = LSN_SIMPLE_SERVER}
(gdb)

Client side with --chroot

Program received signal SIGSEGV, Segmentation fault.
obfs2_circuit_free (circuit=0x7ffff8214470) at src/protocols/obfs2.c:303
303	src/protocols/obfs2.c: No such file or directory.
	in src/protocols/obfs2.c
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.47.el6_2.12.x86_64 openssl-1.0.0-20.el6_2.5.x86_64 zlib-1.2.3-27.el6.x86_64
(gdb) bt
#0  obfs2_circuit_free (circuit=0x7ffff8214470) at src/protocols/obfs2.c:303
#1  0x00007ffff7fefb8a in pending_socks_cb (bev=0x7ffff8214b00, what=<value optimized out>, arg=<value optimized out>) at src/network.c:994
#2  0x00007ffff7b9bb26 in bufferevent_writecb (fd=13, event=<value optimized out>, arg=0x7ffff8214b00) at bufferevent_sock.c:244
#3  0x00007ffff7b93b0c in event_process_active_single_queue (base=0x7ffff8212f70, flags=0) at event.c:1340
#4  event_process_active (base=0x7ffff8212f70, flags=0) at event.c:1407
#5  event_base_loop (base=0x7ffff8212f70, flags=0) at event.c:1604
#6  0x00007ffff7ff8f3c in launch_external_proxy (begin=<value optimized out>) at src/external.c:90
#7  0x00007ffff7fecbf8 in obfs_main (argc=<value optimized out>, argv=0x7fffffffe608) at src/main.c:646
#8  0x00007ffff705ccdd in __libc_start_main () from /lib64/libc.so.6
#9  0x00007ffff7febcd9 in _start ()
(gdb) print *circuit
$1 = {upstream = 0x7ffff8214020, downstream = 0x7ffff8214e70, socks_state = 0x0, is_open = 1, is_flushing = 0}
(gdb) print *circuit->upstream
$2 = {cfg = 0x7ffff8214380, peername = 0x7ffff8214000 "\220N!\370\377\177", circuit = 0x0, buffer = 0x7ffff8214050, mode = LSN_SOCKS_CLIENT}
(gdb) print *circuit->upstream->cfg
$3 = {vtable = 0x340}
(gdb) print *circuit->upstream->buffer
$4 = {ev_base = 0x7ffff73c9ed8, be_ops = 0x7ffff73c9ed8, ev_read = {ev_active_next = {tqe_next = 0x0, tqe_prev = 0x0}, ev_next = {
      tqe_next = 0x0, tqe_prev = 0x0}, ev_timeout_pos = {ev_next_with_common_timeout = {tqe_next = 0x0, tqe_prev = 0x0}, min_heap_idx = 0}, 
    ev_fd = 0, ev_base = 0x0, _ev = {ev_io = {ev_io_next = {tqe_next = 0x0, tqe_prev = 0x0}, ev_timeout = {tv_sec = 0, 
          tv_usec = 140737341327456}}, ev_signal = {ev_signal_next = {tqe_next = 0x0, tqe_prev = 0x0}, ev_ncalls = 0, 
        ev_pncalls = 0x7ffff73c8860}}, ev_events = -1, ev_res = -1, ev_flags = 2, ev_pri = 0 '\000', ev_closure = 0 '\000', ev_timeout = {
      tv_sec = 0, tv_usec = 0}, ev_callback = 0x7ffff8214130, ev_arg = 0xffffffffffffffff}, ev_write = {ev_active_next = {tqe_next = 0x0, 
      tqe_prev = 0x7ffff8214140}, ev_next = {tqe_next = 0x0, tqe_prev = 0x7ffff8214ba8}, ev_timeout_pos = {ev_next_with_common_timeout = {
        tqe_next = 0xffffffff, tqe_prev = 0x0}, min_heap_idx = -1}, ev_fd = 12, ev_base = 0x7ffff8212f70, _ev = {ev_io = {ev_io_next = {
          tqe_next = 0x7ffff73c7500, tqe_prev = 0x0}, ev_timeout = {tv_sec = 0, tv_usec = 0}}, ev_signal = {ev_signal_next = {
          tqe_next = 0x7ffff73c7500, tqe_prev = 0x0}, ev_ncalls = 0, ev_pncalls = 0x0}}, ev_events = 0, ev_res = 0, ev_flags = 0, 
    ev_pri = 0 '\000', ev_closure = 0 '\000', ev_timeout = {tv_sec = 0, tv_usec = 0}, ev_callback = 0, ev_arg = 0x0}, input = 0x0, 
  output = 0x0, wm_read = {low = 0, high = 0}, wm_write = {low = 0, high = 0}, readcb = 0, writecb = 0, errorcb = 0, cbarg = 0x0, 
  timeout_read = {tv_sec = 0, tv_usec = 0}, timeout_write = {tv_sec = 0, tv_usec = 0}, enabled = 6}
(gdb) print *circuit->downstream 
$5 = {cfg = 0x7ffff8214010, peername = 0x7ffff8214f30 "\360?!\370\377\177", circuit = 0x0, buffer = 0x7ffff8214b00, mode = LSN_SOCKS_CLIENT}
(gdb) print *circuit->downstream->cfg
$6 = {vtable = 0x0}
(gdb) print *circuit->downstream->buffer 
$7 = {ev_base = 0x7ffff8212f70, be_ops = 0x7ffff7dc5040, ev_read = {ev_active_next = {tqe_next = 0x0, tqe_prev = 0x0}, ev_next = {
      tqe_next = 0x0, tqe_prev = 0x7ffff8214ba8}, ev_timeout_pos = {ev_next_with_common_timeout = {tqe_next = 0xffffffff, tqe_prev = 0x0}, 
      min_heap_idx = -1}, ev_fd = 13, ev_base = 0x7ffff8212f70, _ev = {ev_io = {ev_io_next = {tqe_next = 0x0, tqe_prev = 0x7ffff8214bd8}, 
        ev_timeout = {tv_sec = 0, tv_usec = 0}}, ev_signal = {ev_signal_next = {tqe_next = 0x0, tqe_prev = 0x7ffff8214bd8}, ev_ncalls = 0, 
        ev_pncalls = 0x0}}, ev_events = 18, ev_res = 0, ev_flags = 130, ev_pri = 0 '\000', ev_closure = 2 '\002', ev_timeout = {tv_sec = 0, 
      tv_usec = 0}, ev_callback = 0x7ffff7b9bc40 <bufferevent_readcb>, ev_arg = 0x7ffff8214b00}, ev_write = {ev_active_next = {
      tqe_next = 0x0, tqe_prev = 0x7ffff82133a0}, ev_next = {tqe_next = 0x7ffff8214b10, tqe_prev = 0x7ffff8213f60}, ev_timeout_pos = {
      ev_next_with_common_timeout = {tqe_next = 0xffffffff, tqe_prev = 0x0}, min_heap_idx = -1}, ev_fd = 13, ev_base = 0x7ffff8212f70, 
    _ev = {ev_io = {ev_io_next = {tqe_next = 0x7ffff8214b10, tqe_prev = 0x7ffff8214f10}, ev_timeout = {tv_sec = 0, tv_usec = 0}}, 
      ev_signal = {ev_signal_next = {tqe_next = 0x7ffff8214b10, tqe_prev = 0x7ffff8214f10}, ev_ncalls = 0, ev_pncalls = 0x0}}, 
    ev_events = 20, ev_res = 4, ev_flags = 130, ev_pri = 0 '\000', ev_closure = 2 '\002', ev_timeout = {tv_sec = 0, tv_usec = 0}, 
    ev_callback = 0x7ffff7b9b9d0 <bufferevent_writecb>, ev_arg = 0x7ffff8214b00}, input = 0x7ffff8214d00, output = 0x7ffff8214da0, 
  wm_read = {low = 0, high = 0}, wm_write = {low = 0, high = 0}, readcb = 0, writecb = 0, errorcb = 0, cbarg = 0x0, timeout_read = {
    tv_sec = 0, tv_usec = 0}, timeout_write = {tv_sec = 0, tv_usec = 0}, enabled = 6}
(gdb) 

These faults don't seem to be related to chroot() itself, but the chroot()ing seems to trigger some other issues in obfsproxy.

The command lines I used to trigger this were:

Server:

obfsproxy --log-file=/var/log/obfsproxyd --chroot /var/chroot/obfsproxy --log-min-severity=info --user=nobody obfs2 --dest=127.0.0.1:45442  --shared-secret=abcdefghijklmnopqrstuvwxyz server 0.0.0.0:65442

Client:

obfsproxy --chroot=/var/chroot/obfsproxy --user=nobody --log-min-severity=debug  obfs2 --shared-secret=abcdefghijklmnopqrstuvwxyz socks 127.0.0.1:1050 

The crash happens when a socks client tries to connect to the service on the server side. I've been using OpenVPN to trigger this.

The git HEAD for my environment is commit 94ebc4c3edf1e3e5f313444e59981ac557578df5 (v0.1.4) with the --daemon, --pid-file, --user/--group and --chroot patches applied on top of that. The --daemon and --pid-file patches can be found in Trac ticket #5130 and --user/--group and --chroot patches are from #6264.

Child Tickets

Change History (1)

comment:1 Changed 6 years ago by asn

Resolution: wontfix
Status: new → closed

This ticket is about the old C-based obfsproxy. Closing.
