Opened 7 years ago

Closed 7 years ago

#7756 closed defect (fixed)

SIGSEGV in directory_initiate_command_routerstatus()

Reported by: andrea
Priority: High
Milestone: Tor: 0.2.4.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.4.6-alpha

Description

In git revision 7a99d26c798a2223c8277e6c358eb76195d18dab, one of router_pick_directory_server(), router_pick_trusteddirserver() or router_pick_fallback_dirserver() returns a bogus pointer to routerstatus_t with value 0x101; directory_initiate_command_routerstatus() uses it and ultimately this leads to a SIGSEGV in node_get_by_id(). Stack trace is:

(gdb) bt
#0  0x00007ffff6a660d0 in memcpy_ssse3 () from /lib64/libc.so.6
#1  0x0000000000417c92 in node_get_mutable_by_id (identity_digest=0x11d <Address 0x11d out of bounds>)
    at src/or/nodelist.c:86
#2  0x0000000000417cce in node_get_by_id (identity_digest=0x11d <Address 0x11d out of bounds>) at src/or/nodelist.c:96
#3  0x00000000004ec5df in directory_initiate_command_routerstatus_rend (status=0x101, dir_purpose=19 '\023',
    router_purpose=0 '\000', indirection=DIRIND_ONEHOP,
    resource=0x19602f0 "d/RxIpu2VOF0FTdsgiccXyUps4lCJD/O0jvCDY8elnlv8-RzVVl5rSA9iSAK7ZCuMePyhE5SaMyGi8olZ5InK+uoQ-R0Pmy59ZRW0IKG6bkqWCrU1YClTN/05D5gMnXa4u/Ns-R0wkmK8kLTPW8DCdofiu66GNeDa5YGNqPp4b2ApZN+s-R1+MPxgA72EE2UmVUnUlU2"...,
    payload=0x0, payload_len=0, if_modified_since=0, rend_query=0x0) at src/or/directory.c:571
#4  0x00000000004ec823 in directory_initiate_command_routerstatus (status=0x101, dir_purpose=19 '\023',
    router_purpose=0 '\000', indirection=DIRIND_ONEHOP,
    resource=0x19602f0 "d/RxIpu2VOF0FTdsgiccXyUps4lCJD/O0jvCDY8elnlv8-RzVVl5rSA9iSAK7ZCuMePyhE5SaMyGi8olZ5InK+uoQ-R0Pmy59ZRW0IKG6bkqWCrU1YClTN/05D5gMnXa4u/Ns-R0wkmK8kLTPW8DCdofiu66GNeDa5YGNqPp4b2ApZN+s-R1+MPxgA72EE2UmVUnUlU2"...,
    payload=0x0, payload_len=0, if_modified_since=0) at src/or/directory.c:631
#5  0x00000000004ec392 in directory_get_from_dirserver (dir_purpose=19 '\023', router_purpose=0 '\000',
    resource=0x19602f0 "d/RxIpu2VOF0FTdsgiccXyUps4lCJD/O0jvCDY8elnlv8-RzVVl5rSA9iSAK7ZCuMePyhE5SaMyGi8olZ5InK+uoQ-R0Pmy59ZRW0IKG6bkqWCrU1YClTN/05D5gMnXa4u/Ns-R0wkmK8kLTPW8DCdofiu66GNeDa5YGNqPp4b2ApZN+s-R1+MPxgA72EE2UmVUnUlU2"...,
    pds_flags=18) at src/or/directory.c:502
#6  0x0000000000457e66 in initiate_descriptor_downloads (source=0x0, purpose=19, digests=0x13ad3a0, lo=828, hi=920,
    pds_flags=18) at src/or/routerlist.c:4120
#7  0x00000000004581c3 in launch_descriptor_downloads (purpose=19, downloadable=0x13ad3a0, source=0x0, now=1355881851)
    at src/or/routerlist.c:4239
#8  0x00000000004107d8 in update_microdesc_downloads (now=1355881851) at src/or/microdesc.c:694
#9  0x00000000004f1332 in connection_dir_client_reached_eof (conn=0x1469c60) at src/or/directory.c:1833
#10 0x00000000004f3000 in connection_dir_reached_eof (conn=0x1469c60) at src/or/directory.c:2257
#11 0x00000000004cbfbb in connection_reached_eof (conn=0x1469c60) at src/or/connection.c:4071
#12 0x00000000004c95ee in connection_handle_read_impl (conn=0x1469c60) at src/or/connection.c:2847
#13 0x00000000004c9624 in connection_handle_read (conn=0x1469c60) at src/or/connection.c:2860
#14 0x000000000040a22f in conn_read_callback (fd=20, event=2, _conn=0x1469c60) at src/or/main.c:722
#15 0x00007ffff772f930 in event_process_active (base=0x7e3c70, flags=<value optimized out>) at event.c:395
#16 event_base_loop (base=0x7e3c70, flags=<value optimized out>) at event.c:547
#17 0x000000000040cc37 in do_main_loop () at src/or/main.c:1989
#18 0x000000000040e1f7 in tor_main (argc=3, argv=0x7fffffffe668) at src/or/main.c:2701
#19 0x0000000000408804 in main (argc=3, argv=0x7fffffffe668) at src/or/tor_main.c:30

Some other detail:

(gdb) frame 3
#3  0x00000000004ec5df in directory_initiate_command_routerstatus_rend (status=0x101, dir_purpose=19 '\023',
    router_purpose=0 '\000', indirection=DIRIND_ONEHOP,
    resource=0x19602f0 "d/RxIpu2VOF0FTdsgiccXyUps4lCJD/O0jvCDY8elnlv8-RzVVl5rSA9iSAK7ZCuMePyhE5SaMyGi8olZ5InK+uoQ-R0Pmy59ZRW0IKG6bkqWCrU1YClTN/05D5gMnXa4u/Ns-R0wkmK8kLTPW8DCdofiu66GNeDa5YGNqPp4b2ApZN+s-R1+MPxgA72EE2UmVUnUlU2"...,
    payload=0x0, payload_len=0, if_modified_since=0, rend_query=0x0) at src/or/directory.c:571
571       node = node_get_by_id(status->identity_digest);
(gdb) print status
$1 = (const routerstatus_t *) 0x101
(gdb) frame 4
#4  0x00000000004ec823 in directory_initiate_command_routerstatus (status=0x101, dir_purpose=19 '\023',
    router_purpose=0 '\000', indirection=DIRIND_ONEHOP,
    resource=0x19602f0 "d/RxIpu2VOF0FTdsgiccXyUps4lCJD/O0jvCDY8elnlv8-RzVVl5rSA9iSAK7ZCuMePyhE5SaMyGi8olZ5InK+uoQ-R0Pmy59ZRW0IKG6bkqWCrU1YClTN/05D5gMnXa4u/Ns-R0wkmK8kLTPW8DCdofiu66GNeDa5YGNqPp4b2ApZN+s-R1+MPxgA72EE2UmVUnUlU2"...,
    payload=0x0, payload_len=0, if_modified_since=0) at src/or/directory.c:631
631       directory_initiate_command_routerstatus_rend(status, dir_purpose,
(gdb) print status
$2 = (const routerstatus_t *) 0x101
(gdb) frame 5
#5  0x00000000004ec392 in directory_get_from_dirserver (dir_purpose=19 '\023', router_purpose=0 '\000',
    resource=0x19602f0 "d/RxIpu2VOF0FTdsgiccXyUps4lCJD/O0jvCDY8elnlv8-RzVVl5rSA9iSAK7ZCuMePyhE5SaMyGi8olZ5InK+uoQ-R0Pmy59ZRW0IKG6bkqWCrU1YClTN/05D5gMnXa4u/Ns-R0wkmK8kLTPW8DCdofiu66GNeDa5YGNqPp4b2ApZN+s-R1+MPxgA72EE2UmVUnUlU2"...,
    pds_flags=18) at src/or/directory.c:502
502       directory_initiate_command_routerstatus(rs, dir_purpose,
(gdb) print rs
$3 = (const routerstatus_t *) 0x101

Change History (1)

comment:1 Changed 7 years ago by nickm

Resolution: fixed
Status: new → closed

Aha! Fixed in 8b5787ec0d99a130ead302f7c6b4a256325ac08f. Thanks for catching this!