On Sat, Apr 21 2018, Solene Rapenne <sol...@perso.pw> wrote:
>>Synopsis:	<synopsis of the problem (one line)>
>>Category:	<PR category (one line)>
>>Environment:
> 	System      : OpenBSD 6.3
> 	Details     : OpenBSD 6.3-current (GENERIC) #53: Thu Apr 19 11:07:26 MDT 2018
> 	                 dera...@macppc.openbsd.org:/usr/src/sys/arch/macppc/compile/GENERIC
>
> 	Architecture: OpenBSD.macppc
> 	Machine     : macppc
>>Description:
> 	When I use torsocks to proxy an https request with curl or w3m,
> 	they (w3m or curl) work correctly but exit with segmentation
> 	fault and produce a core dump
>
>>How-To-Repeat:
> 	pkg_add tor torsocks curl
> 	rcctl enable tor
> 	rcctl start tor
>
> 	torsocks curl https://openbsd.org
> 	or
> 	torsocks w3m https://openbsd.org | cat -
>
>>Fix:
>
> 	I don't know, but please find the backtraces of the core dumps of curl and w3m
>
> CURL CORE DUMP :
>
> Core was generated by `curl'.
> Program terminated with signal 11, Segmentation fault.
> (no debugging symbols found)
> Loaded symbols for /usr/local/bin/curl
> Reading symbols from /usr/local/lib/torsocks/libtorsocks.so.1.0...(no debugging symbols found)...done.
> Loaded symbols for /usr/local/lib/torsocks/libtorsocks.so.1.0
> Reading symbols from /usr/local/lib/libcurl.so.25.15...done.
> Loaded symbols for /usr/local/lib/libcurl.so.25.15
> Reading symbols from /usr/local/lib/libnghttp2.so.0.13...done.
> Loaded symbols for /usr/local/lib/libnghttp2.so.0.13
> Reading symbols from /usr/lib/libssl.so.45.1...done.
> Loaded symbols for /usr/lib/libssl.so.45.1
> Reading symbols from /usr/lib/libcrypto.so.43.1...done.
> Loaded symbols for /usr/lib/libcrypto.so.43.1
> Reading symbols from /usr/lib/libz.so.5.0...done.
> Loaded symbols for /usr/lib/libz.so.5.0
> Reading symbols from /usr/lib/libpthread.so.25.1...done.
> Loaded symbols for /usr/lib/libpthread.so.25.1
> Reading symbols from /usr/lib/libc.so.92.3...done.
> Loaded symbols for /usr/lib/libc.so.92.3
> Reading symbols from /usr/libexec/ld.so...done.
> Loaded symbols for /usr/libexec/ld.so
> #0  0xa5f97afc in BIO_write (b=0xd997ec00, in=0xc3dcec00, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:289
> 289		if ((b->method == NULL) || (b->method->bwrite == NULL)) {
> (gdb) bt
> #0  0xa5f97afc in BIO_write (b=0xd997ec00, in=0xc3dcec00, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:289
> #1  0xa5f97aac in BIO_write (b=0xd997ec00, in=0xc3dcec00, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:281
> #2  0xa5f97aac in BIO_write (b=0xd997ec00, in=0xc3dcec00, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:281
> #3  0xa5f97aac in BIO_write (b=0xd997ec00, in=0xc3dcec00, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:281
> #4  0xa5f97aac in BIO_write (b=0xd997ec00, in=0xc3dcec00, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:281
> #5  0xa5f97aac in BIO_write (b=0xd997ec00, in=0xc3dcec00, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:281
> #6  0xa5f97aac in BIO_write (b=0xd997ec00, in=0xc3dcec00, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:281
> #7  0xa5f97aac in BIO_write (b=0xd997ec00, in=0xc3dcec00, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:281
> Previous frame inner to this frame (corrupt stack?)
We took a quick look yesterday; the crash happens in dtors, and the cause of the crash looks like a use after free.

I'm not a BIO_* hacker; here's a stack trace on amd64, curl rebuilt with DEBUG=-g:

Program received signal SIGBUS, Bus error.
0x000005738701c2d7 in BIO_write (b=0x5735f58b080, in=0x573e9a05400, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:289
289		if ((b->method == NULL) || (b->method->bwrite == NULL)) {
(gdb) p *b
$1 = {method = 0xdfdfdfdfdfdfdfdf, callback = 0xdfdfdfdfdfdfdfdf,
  cb_arg = 0xdfdfdfdfdfdfdfdf <error: Cannot access memory at address 0xdfdfdfdfdfdfdfdf>,
  init = -538976289, shutdown = -538976289, flags = -538976289, retry_reason = -538976289,
  num = -538976289, ptr = 0xdfdfdfdfdfdfdfdf, next_bio = 0xdfdfdfdfdfdfdfdf,
  prev_bio = 0xdfdfdfdfdfdfdfdf, references = -538976289,
  num_read = 16131858542891098079, num_write = 16131858542891098079,
  ex_data = {sk = 0xdfdfdfdfdfdfdfdf}}
(gdb) bt
#0  0x000005738701c2d7 in BIO_write (b=0x5735f58b080, in=0x573e9a05400, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:289
#1  0x00000573bd3467ab in __sflush (fp=0x573bd5b9410 <usual>) at /usr/src/lib/libc/stdio/fflush.c:80
#2  0x00000573bd34aa5f in _fwalk (function=0x573bd346740 <__sflush>) at /usr/src/lib/libc/stdio/fwalk.c:50
#3  0x00000573bd2ffd8c in _libc___cxa_finalize (dso=0x0) at /usr/src/lib/libc/stdlib/atexit.c:177
#4  0x00000573bd2ea9f1 in _libc_exit (status=0) at /usr/src/lib/libc/stdlib/exit.c:54
#5  0x00000570ee100b0d in _start ()
(gdb)

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
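As an added illustration (not code from this thread, OpenBSD or LibreSSL), here is a toy C model of the exit-time path in the amd64 backtrace above: a stdio-like FILE stays registered for the at-exit flush walk while the BIO it writes to has already been freed and junked with 0xdf, so the `method == NULL` guard at bio_lib.c:289 never fires. All names (`toy_sflush`, `usual`, `free_before_close`, `close_before_free`) are made up for the example; the contrast it shows is teardown ordering: close (unregister) the FILE before freeing the object it writes to.

```c
#include <string.h>
/* Toy model of the exit-time crash path (added example, not OpenBSD or
 * LibreSSL code): a stdio-like FILE stays registered for the at-exit flush
 * walk after the BIO behind it has been freed. */
typedef struct bio {
	int (*bwrite)(struct bio *, const char *, int); /* stands in for b->method->bwrite */
	int num_write;
} BIO;
/* Stand-in for malloc junking: freed memory is overwritten with 0xdf (the
 * 0xdfdfdfdf... pattern in `p *b`). Storage is static and kept alive so the
 * dangling pointer can be inspected without undefined behaviour. */
static BIO arena;
static BIO *toy_alloc(void) { memset(&arena, 0, sizeof arena); return &arena; }
static void toy_free(BIO *b) { memset(b, 0xdf, sizeof *b); }
static int mem_write(BIO *b, const char *in, int inl) { (void)in; b->num_write += inl; return inl; }
typedef struct { BIO *backing; int open; } TOYFILE;
static TOYFILE usual[1]; /* the FILE list _fwalk() visits from __cxa_finalize */
/* __sflush stand-in. Returns 0 when there is nothing to do or the write
 * succeeds, -1 where the real code faults: the BIO is junked, so the NULL
 * guard does not fire and the junk pointer would be called. */
static int toy_sflush(TOYFILE *fp) {
	unsigned char raw[sizeof fp->backing->bwrite], zero[sizeof raw], junk[sizeof raw];
	if (!fp->open) return 0;
	memcpy(raw, &fp->backing->bwrite, sizeof raw);
	memset(zero, 0, sizeof zero); memset(junk, 0xdf, sizeof junk);
	if (memcmp(raw, zero, sizeof raw) == 0) return 0;  /* the guard BIO_write does have */
	if (memcmp(raw, junk, sizeof raw) == 0) return -1; /* use after free: would crash */
	return fp->backing->bwrite(fp->backing, "hello", 5) == 5 ? 0 : -1;
}
/* Bug pattern: the BIO is freed while its FILE is still open, then exit() walks it. */
int free_before_close(void) {
	BIO *b = toy_alloc(); b->bwrite = mem_write;
	usual[0].backing = b; usual[0].open = 1;
	toy_free(b);                  /* owner destroyed the BIO ... */
	return toy_sflush(&usual[0]); /* ... but the flush walk still reaches it: -1 */
}
/* Fix pattern: fclose() (unregister) the FILE before freeing what it writes to. */
int close_before_free(void) {
	BIO *b = toy_alloc(); b->bwrite = mem_write;
	usual[0].backing = b; usual[0].open = 1;
	int live = toy_sflush(&usual[0]); /* flush while live: 0 */
	usual[0].open = 0;                /* fclose() equivalent */
	toy_free(b);
	return live == 0 ? toy_sflush(&usual[0]) : -1; /* 0: closed FILE is skipped */
}
```

The junk check stands in for the fault the real process takes; in production the same dangling walk shows up as exactly the `__sflush -> BIO_write` frames with an all-0xdf `*b`.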