Opened 10 years ago

Closed 9 years ago

Last modified 7 years ago

#983 closed defect (user disappeared)

Abort crash in libcrypto malloc during onion handshake

Reported by: neoeinstein
Owned by:
Priority: Medium
Milestone:
Component: Core Tor/Tor
Version: 0.2.1.14-rc
Severity:
Keywords:
Cc: neoeinstein, nickm, Sebastian
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by nickm)

Occurred after ~15 hours of uptime on an x86_64 box.
I keep all cores archived, so if you have requests for me
to run against the core, let me know.

"""
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib/libz.so.1...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /usr/lib/libevent-1.3e.so.1...done.
Loaded symbols for /usr/lib/libevent-1.3e.so.1
Reading symbols from /lib/libssl.so.0.9.8...done.
Loaded symbols for /lib/libssl.so.0.9.8
Reading symbols from /lib/libcrypto.so.0.9.8...done.
Loaded symbols for /lib/libcrypto.so.0.9.8
Reading symbols from /lib/libpthread.so.0...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/librt.so.1...done.
Loaded symbols for /lib/librt.so.1
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/ld-linux-x86-64.so.2...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib/libnss_compat.so.2...done.
Loaded symbols for /lib/libnss_compat.so.2
Reading symbols from /lib/libnss_nis.so.2...done.
Loaded symbols for /lib/libnss_nis.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_mdns4_minimal.so.2...done.
Loaded symbols for /lib/libnss_mdns4_minimal.so.2
Reading symbols from /lib/libnss_dns.so.2...done.
Loaded symbols for /lib/libnss_dns.so.2
Reading symbols from /lib/libgcc_s.so.1...done.
Loaded symbols for /lib/libgcc_s.so.1
Core was generated by `/usr/sbin/tor'.
Program terminated with signal 6, Aborted.
[New process 3611]
[New process 19395]
[New process 3612]
[New process 3614]
[New process 3613]
#0 0x00007fd0ea7cbfb5 in raise () from /lib/libc.so.6
(gdb) bt
#0 0x00007fd0ea7cbfb5 in raise () from /lib/libc.so.6
#1 0x00007fd0ea7cdbc3 in abort () from /lib/libc.so.6
#2 0x00007fd0ea80b228 in ?? () from /lib/libc.so.6
#3 0x00007fd0ea811b2c in ?? () from /lib/libc.so.6
#4 0x00007fd0ea8138f1 in ?? () from /lib/libc.so.6
#5 0x00007fd0ea815828 in malloc () from /lib/libc.so.6
#6 0x00007fd0eaf91f33 in CRYPTO_malloc () from /lib/libcrypto.so.0.9.8
#7 0x00007fd0eafbc18f in BN_mod_exp_mont_consttime () from /lib/libcrypto.so.0.9.8
#8 0x00007fd0eafd8925 in ?? () from /lib/libcrypto.so.0.9.8
#9 0x00007fd0eafd92ab in ?? () from /lib/libcrypto.so.0.9.8
#10 0x00000000004b1786 in crypto_pk_private_decrypt (env=<value optimized out>, to=<value optimized out>, from=0x8 <Address 0x8 out of bounds>, fromlen=518, padding=<value optimized out>, warnOnFailure=0) at crypto.c:762
#11 0x00000000004b2a7e in crypto_pk_private_hybrid_decrypt (env=0x16207c0, to=0x7fd0e9633c30 "", from=0x7fd0e9633e70 "s\214\235½aNàÇå¯\030\adlf\233\021\206+\035\203{h ëÈâ\203AÉ®?\225Ï¢éôA\232ÙREC¨ÿÚÜí>¨\003\226ÚÔCd0¢1\211û~ÎMÖ\213W\t¿WB\223põ\024Ï3>è:rÆ\036\234.\233Á(2C3É\224ìÅ&.\237ÝÑ\017I\r/⸺\207\032\225\002\205á_}0\206o\005JÊÆ\216\234Ò]÷ÿ\231Ïß¡¾çWz\223\213\215j®\026ÐY<ç/µ<½\037âón¨\026ôÚfZBc4\031\b\221±ál\217Ùõ8Ç}\032ägæÂ{*", fromlen=186, padding=60002, warnOnFailure=0) at crypto.c:989
#12 0x0000000000466b85 in onion_skin_server_handshake (onion_skin=0x7fd0e9633e70 "s\214\235½aNàÇå¯\030\adlf\233\021\206+\035\203{h ëÈâ\203AÉ®?\225Ï¢éôA\232ÙREC¨ÿÚÜí>¨\003\226ÚÔCd0¢1\211û~ÎMÖ\213W\t¿WB\223põ\024Ï3>è:rÆ\036\234.\233Á(2C3É\224ìÅ&.\237ÝÑ\017I\r/⸺\207\032\225\002\205á_}0\206o\005JÊÆ\216\234Ò]÷ÿ\231Ïß¡¾çWz\223\213\215j®\026ÐY<ç/µ<½\037âón¨\026ôÚfZBc4\031\b\221±ál\217Ùõ8Ç}\032ägæÂ{*", private_key=0x16207c0, prev_private_key=0x0, handshake_reply_out=0x7fd0e9633f30 "å\002õ\006(Gf.%1|cÛL? IÜ\204g\031\036Å\016½\217\234µå9\215uEàCʨ¾Íá©xð\201)\f\233Ó\020ÃÎ\037¶\0041Z", key_out=0x7fd0e9633fd0 "ãJ(v|ÈßBdð-3v\005QÛ\202±\211\022\205J&\0247öI\233\027G¥\034ƶÇ\022,#ÆïDJ*þ®,\vRú\217ûU\005$s>=MtßWßõò²ú\022\217:ÍHú", key_out_len=72) at onion.c:232
#13 0x000000000044062a in cpuworker_main (data=<value optimized out>) at cpuworker.c:273
#14 0x00000000004a6ab5 in tor_pthread_helper_fn (_data=0x1620220) at compat.c:1694
#15 0x00007fd0ead163ba in start_thread () from /lib/libpthread.so.0
#16 0x00007fd0ea87efcd in clone () from /lib/libc.so.6
#17 0x0000000000000000 in ?? ()
"""

[Automatically added by flyspray2trac: Operating System: Other Linux]

Change History (5)

comment:1 Changed 10 years ago by nickm

Hm. If that's an assertion failure inside malloc(), we've probably stomped on the heap somewhere.

comment:2 Changed 9 years ago by nickm

Priority: major → normal

Did this ever happen again? Odds seem decent that it's a case of some other heap-corruption bug--possibly one that either got fixed, or diagnosed more usefully.

As things stand, there's not a very good chance that we'll be able to figure this one out from the information available. The best time to detect heap-corruption is (unfortunately) when it happens, not when there's a crash. If this crash *does* recur, our best bet is to see if we can get you running with dmalloc or valgrind or some other runtime debugging tool.
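To illustrate the point made above about catching heap corruption when it happens rather than when libc's malloc() finally trips over its own damaged metadata, here is an added example in C. It is not part of this ticket and is not code from Tor, dmalloc or valgrind; it is a minimal fence-post allocator wrapper of the kind dmalloc implements, with the hypothetical names guarded_malloc, guarded_check, guarded_free and demo_overflow. A trailing canary after each block turns a silent overflow into a report at the next check or free, while the offending buffer still exists and can be named.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fence-post allocator wrapper (added illustration, not Tor or
 * dmalloc code). Each block carries a header with the requested size and a
 * magic word, plus FENCE_LEN trailing canary bytes. A write past the end of
 * the block corrupts the canary, and guarded_check()/guarded_free() report it
 * with the block identified, instead of libc's malloc() aborting much later
 * in some unrelated caller, as in the backtrace in this ticket. */

#define FENCE_LEN 16
#define FENCE_BYTE 0xA5u
#define HEAD_MAGIC ((size_t)0x5A5A5A5A5A5A5A5AULL)

struct guard_hdr {
    size_t size;   /* bytes the caller asked for */
    size_t magic;  /* HEAD_MAGIC; catches writes before the block and stray frees */
};

void *guarded_malloc(size_t n) {
    struct guard_hdr *h = malloc(sizeof *h + n + FENCE_LEN);
    if (h == NULL)
        return NULL;
    h->size = n;
    h->magic = HEAD_MAGIC;
    unsigned char *user = (unsigned char *)(h + 1);
    memset(user + n, FENCE_BYTE, FENCE_LEN);  /* canary after the user region */
    return user;
}

/* Returns 0 if the block is intact, -1 if the header is damaged (an underflow,
 * or a pointer that did not come from guarded_malloc), otherwise the number of
 * leading canary bytes that were overwritten, i.e. at least how far past the
 * end the bad write reached. A write that happens to store FENCE_BYTE itself
 * is invisible to this check; dmalloc and valgrind cover that case, this toy
 * does not. */
int guarded_check(const void *p) {
    const struct guard_hdr *h = (const struct guard_hdr *)p - 1;
    if (h->magic != HEAD_MAGIC)
        return -1;
    const unsigned char *fence = (const unsigned char *)p + h->size;
    int overwritten = 0;
    while (overwritten < FENCE_LEN && fence[overwritten] != FENCE_BYTE)
        overwritten++;
    return overwritten;
}

/* Frees the block and returns guarded_check()'s verdict, so corruption is
 * reported at the free, while the offending buffer still exists. */
int guarded_free(void *p) {
    if (p == NULL)
        return 0;
    int rc = guarded_check(p);
    if (rc != 0)
        fprintf(stderr, "heap corruption detected in block %p (rc=%d)\n", p, rc);
    if (rc >= 0)
        free((struct guard_hdr *)p - 1);  /* never free a block we don't own */
    return rc;
}

/* Demo: fill write_len bytes into a buf_len-byte block, the shape of a
 * decrypt whose output buffer was sized for the wrong input length. The write
 * is capped at the end of the canary so the demo never touches memory it
 * does not own. Returns the detection result. */
int demo_overflow(size_t buf_len, size_t write_len) {
    unsigned char *buf = guarded_malloc(buf_len);
    if (buf == NULL)
        return -2;
    if (write_len > buf_len + FENCE_LEN)
        write_len = buf_len + FENCE_LEN;
    memset(buf, 'A', write_len);
    return guarded_free(buf);
}

int main(void) {
    printf("in-bounds write: rc=%d\n", demo_overflow(32, 32));
    printf("4-byte overflow: rc=%d\n", demo_overflow(32, 36));
    printf("large overflow:  rc=%d\n", demo_overflow(32, 1000));
    return 0;
}
```

The in-bounds write reports 0, a 4-byte overrun reports 4, and anything that runs off the end of the canary saturates at 16. Real tools go further: dmalloc also checks fences on every allocation call and valgrind flags the first out-of-bounds write itself, which is why nickm asks for a run under one of them rather than another core file from the eventual abort.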

comment:3 Changed 9 years ago by nickm

Probably related to bug #982.

comment:4 Changed 9 years ago by nickm

Description: modified (diff)
Resolution: None → user disappeared
Status: new → closed

Can't resolve this without more information; closing as "user disappeared". :(

Please comment or reopen if anybody can get this to happen with a more recent version of Tor, or reproduce it under dmalloc or valgrind.

comment:5 Changed 7 years ago by nickm

Component: Tor Relay → Tor