Opened 6 years ago

Closed 6 years ago

#6984 closed defect (fixed)

use after free crash after "eventdns rejected address [scrubbed]"

Reported by: dhill
Owned by:
Priority: High
Milestone: Tor: 0.2.2.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.2.39
Severity:
Keywords: tor-relay
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Running multiple tor nodes, they crash multiple times per day. The only thing in the logfile is:

Sep 27 12:08:34.784 [warn] eventdns rejected address [scrubbed]

I enabled debugging and MALLOC_OPTIONS on OpenBSD and got the following:

Sep 27 12:08:34.783 [debug] int connection_edge_process_relay_cell(cell_t *, circuit_t *, edge_connection_t *, crypt_path_t *)(): circ-level sendme at non-o
, packagewindow 526.
Sep 27 12:08:34.783 [debug] void circuit_resume_edge_reading(circuit_t *, crypt_path_t *)(): resuming
Sep 27 12:08:34.783 [debug] int connection_or_process_cells_from_inbuf(or_connection_t *)(): 53: starting, inbuf_datalen 0 (0 pending in tls object).
Sep 27 12:08:34.783 [debug] void conn_write_callback(int, short, void *)(): socket 1117 wants to write.
Sep 27 12:08:34.784 [debug] int flush_chunk_tls(tor_tls_t *, buf_t *, chunk_t *, size_t, size_t *)(): flushed 512 bytes, 0 ready to flush, 0 remain.
Sep 27 12:08:34.784 [debug] int connection_handle_write_impl(connection_t *, int)(): After TLS write of 512: 0 read, 586 written
Sep 27 12:08:34.784 [debug] int connection_or_flush_from_first_active_circuit(or_connection_t *, int, time_t)(): Made a circuit inactive.
Sep 27 12:08:34.784 [debug] void conn_read_callback(int, short, void *)(): socket 53 wants to read.
Sep 27 12:08:34.784 [debug] int connection_read_to_buf(connection_t *, ssize_t *, int *)(): 53: starting, inbuf_datalen 0 (0 pending in tls object). at_most
4.
Sep 27 12:08:34.784 [debug] int connection_read_to_buf(connection_t *, ssize_t *, int *)(): After TLS read of 512: 549 read, 0 written
Sep 27 12:08:34.784 [debug] int connection_or_process_cells_from_inbuf(or_connection_t *)(): 53: starting, inbuf_datalen 512 (0 pending in tls object).
Sep 27 12:08:34.784 [debug] int circuit_receive_relay_cell(cell_t *, circuit_t *, cell_direction_t)(): Sending away from origin.
Sep 27 12:08:34.784 [debug] int connection_edge_process_relay_cell(cell_t *, circuit_t *, edge_connection_t *, crypt_path_t *)(): Now seen 33189527 relay ce
ere (command 1, stream 39854).
Sep 27 12:08:34.784 [debug] int connection_exit_begin_conn(cell_t *, circuit_t *)(): Creating new exit connection.
Sep 27 12:08:34.784 [debug] int connection_exit_begin_conn(cell_t *, circuit_t *)(): about to start the dns_resolve().
Sep 27 12:08:34.784 [debug] int dns_resolve_impl(edge_connection_t *, int, or_circuit_t *, char )(): Launching [scrubbed].
Sep 27 12:08:34.784 [info] int launch_resolve(edge_connection_t *)(): Launching eventdns request for [scrubbed]
Sep 27 12:08:34.784 [info] eventdns: Resolve requested.
Sep 27 12:08:34.784 [warn] eventdns rejected address [scrubbed].
Sep 27 12:08:34.784 [debug] void dns_cancel_pending_resolve(const char *)(): Failing all connections waiting on DNS resolve of [scrubbed]
Sep 27 12:08:34.784 [debug] int connection_edge_end(edge_connection_t *, uint8_t)(): No circ to send end on conn (fd -1).
Sep 27 12:08:34.784 [debug] int relay_send_command_from_edge(streamid_t, circuit_t *, uint8_t, const char *, size_t, crypt_path_t *)(): delivering 3 cell ba
d.
Sep 27 12:08:34.784 [debug] void append_cell_to_circuit_queue(circuit_t *, or_connection_t *, cell_t *, cell_direction_t, streamid_t)(): Made a circuit acti
Sep 27 12:08:34.784 [debug] void append_cell_to_circuit_queue(circuit_t *, or_connection_t *, cell_t *, cell_direction_t, streamid_t)(): Primed a buffer.
Sep 27 12:08:34.784 [debug] int connection_or_flush_from_first_active_circuit(or_connection_t *, int, time_t)(): Made a circuit inactive.
Sep 27 12:08:34.784 [debug] int connection_or_process_cells_from_inbuf(or_connection_t *)(): 53: starting, inbuf_datalen 0 (0 pending in tls object).
Sep 27 12:08:34.784 [debug] void conn_write_callback(int, short, void *)(): socket 1117 wants to write.
tor in free(): error: chunk is already free 0x202974900
Abort trap

I do not have a core.

Change History (6)

comment:1 Changed 6 years ago by nickm

Milestone: Tor: 0.2.2.x-final

Mentioned this on IRC -- mentioning it here too so that it won't get forgotten.

Roger thinks this might be related to #6472, which was fixed in 0.2.3 but not backported.

If upgrading a couple nodes to 0.2.3 fixes this, that's great.

The logs alone don't seem to tell me where the double-free is coming from: if you could possibly get a stack trace, that would probably help more.

comment:2 Changed 6 years ago by nickm

Another pseudonymous IRC report thinks that this is #6480.

comment:3 Changed 6 years ago by nickm

Keywords: tor-relay added

comment:4 Changed 6 years ago by nickm

Component: Tor Relay → Tor

comment:5 Changed 6 years ago by dhill

I have not experienced this crash since moving to 0.2.3.22.

I'll leave this ticket for the developers to close in case they may want to backport what they think the fix was.

comment:6 Changed 6 years ago by nickm

Resolution: fixed
Status: new → closed

Okay, it apparently looks like this is fixed and/or a duplicate of #6480.
