Opened 6 years ago

Closed 6 years ago

#8833 closed defect (fixed)

Crash on directory authority in dirserv_query_measured_bw_cache_kb

Reported by: nickm
Owned by:
Priority: Very High
Milestone: Tor: 0.2.4.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.4.12-alpha
Severity:
Keywords: tor-auth crash
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Roger reports:

#0  digestmap_get (map=0x1467b60, key=0x2c <Address 0x2c out of bounds>)
    at src/common/container.c:1155
1155      memcpy(&search.key, key, DIGEST_LEN);

Happens when moria1 tried to vote after being off for a few days. 

--Roger

#0  digestmap_get (map=0x1467b60, key=0x2c <Address 0x2c out of bounds>)
    at src/common/container.c:1155
#1  0x00000000004c50e8 in dirserv_query_measured_bw_cache_kb (
    node_id=<value optimized out>, bw_kb_out=0x0, as_of_out=0x0)
    at src/or/dirserv.c:2166
#2  0x00000000004c6406 in router_counts_toward_thresholds (node=0x2920a40,
    now=44, omit_as_sybil=0x0, require_mbw=1) at src/or/dirserv.c:1892
#3  0x00000000004c6730 in dirserv_compute_performance_thresholds (
    rl=<value optimized out>, omit_as_sybil=0x2013610) at src/or/dirserv.c:1959
#4  0x00000000004cbdf1 in dirserv_generate_networkstatus_vote_obj (
    private_key=<value optimized out>, cert=<value optimized out>)
    at src/or/dirserv.c:3022
#5  0x00000000004d603b in dirvote_perform_vote (options=0x14659e0,
    now=1367744169) at src/or/dirvote.c:2741
#6  dirvote_act (options=0x14659e0, now=1367744169) at src/or/dirvote.c:2658
#7  0x000000000040cf3b in run_scheduled_events (timer=<value optimized out>,
    arg=<value optimized out>) at src/or/main.c:1454
#8  second_elapsed_callback (timer=<value optimized out>,
    arg=<value optimized out>) at src/or/main.c:1684
#9  0x00007f9a47435344 in event_base_loop () from /usr/lib/libevent-1.4.so.2
#10 0x0000000000409fc1 in do_main_loop () at src/or/main.c:1980
#11 0x000000000040a2fd in tor_main (argc=<value optimized out>,
    argv=0x7fff0d4ccbd8) at src/or/main.c:2696
#12 0x00007f9a466e6c8d in __libc_start_main (main=<value optimized out>,
    argc=<value optimized out>, ubp_av=<value optimized out>,
    init=<value optimized out>, fini=<value optimized out>,
    rtld_fini=<value optimized out>, stack_end=0x7fff0d4ccbc8)
    at libc-start.c:228
#13 0x0000000000408789 in _start ()

(gdb) print search
$1 = {node = {hte_next = 0x145a3e0, hte_hash = 1436908804}, val = 0x1,
  key = "E^\025òx\214\211\206ÿSÂ\214q#\201A·ßzì"}

(gdb) up
#1  0x00000000004c50e8 in dirserv_query_measured_bw_cache_kb (
    node_id=<value optimized out>, bw_kb_out=0x0, as_of_out=0x0)
    at src/or/dirserv.c:2166
2166        v = digestmap_get(mbw_cache, node_id);

Change History (5)

comment:1 Changed 6 years ago by nickm

Looks like router_counts_toward_thresholds is calling dirserv_query_measured_bw_cache_kb with a bogus identity, probably because the node's ri field isn't set.

Possibly we didn't find this in testing because our compilers correctly determined that we can postpone the computation until later when we know we'll need its result.

Fixing now...
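
An added example, not part of the ticket or of the bug8833 patch: a minimal C model of the failure described in comment:1, where a key derived from an unset ri pointer becomes a small non-NULL address (NULL plus the field offset), next to a caller that checks ri first. The struct layouts, the 0x2c padding, the one-entry cache and every function name here are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DIGEST_LEN 20

/* Hypothetical layouts: only the shape matters. The padding is chosen so the
 * digest sits at offset 0x2c, matching the bogus key in the backtrace. */
typedef struct { char pad[0x2c]; char identity_digest[DIGEST_LEN]; } routerinfo_model_t;
typedef struct { routerinfo_model_t *ri; } node_model_t;

/* Constructed one-entry stand-in for the measured-bandwidth cache. */
static const char cached_id[DIGEST_LEN] = "constructed-sample-";
static const long cached_bw_kb = 512;

/* Like digestmap_get(): copies DIGEST_LEN bytes from key, so key must be valid. */
static int cache_lookup(const char *key, long *bw_kb_out) {
  char search[DIGEST_LEN];
  memcpy(search, key, DIGEST_LEN);
  if (memcmp(search, cached_id, DIGEST_LEN) != 0) return 0;
  if (bw_kb_out) *bw_kb_out = cached_bw_kb;
  return 1;
}

/* Address an unguarded caller would hand to the lookup when node->ri is NULL:
 * NULL plus the field offset, i.e. a small pointer that passes a NULL check. */
static uintptr_t bogus_key_address(void) {
  return (uintptr_t)offsetof(routerinfo_model_t, identity_digest);
}

/* Guarded caller: derive the key only after confirming ri is set. */
static int node_has_measured_bw(const node_model_t *node, long *bw_kb_out) {
  if (!node || !node->ri) return 0;   /* no descriptor: nothing to look up */
  return cache_lookup(node->ri->identity_digest, bw_kb_out);
}

int main(void) {
  node_model_t no_ri = { NULL };
  return node_has_measured_bw(&no_ri, NULL);  /* 0: lookup skipped, no crash */
}
```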

comment:2 Changed 6 years ago by nickm

Status: new → needs_review

See branch "bug8833" in my public repo. Fix is very simple; please review?

comment:3 Changed 6 years ago by arma

patch looks plausible.

i've been trying to reproduce the crash on moria1 in order to test the new code, but i have failed to reproduce the crash so far. i assume i need to start with the old datadir (i still have it) at the :50-to-:55 mark; haven't tried that yet.

comment:4 Changed 6 years ago by andrea

Looks okay to me; I'll go ahead and merge it.

comment:5 Changed 6 years ago by andrea

Resolution: fixed
Status: needs_review → closed

Merged into maint-0.2.4 and master now.
