On Sat, Apr 21 2018, Solene Rapenne <sol...@perso.pw> wrote:
>>Synopsis:     <synopsis of the problem (one line)>
>>Category:     <PR category (one line)>
>>Environment:
>       System      : OpenBSD 6.3
>       Details     : OpenBSD 6.3-current (GENERIC) #53: Thu Apr 19 11:07:26 MDT 2018
>                        dera...@macppc.openbsd.org:/usr/src/sys/arch/macppc/compile/GENERIC
>
>       Architecture: OpenBSD.macppc
>       Machine     : macppc
>>Description:
>         When I use torsocks to proxy an https request with curl or w3m,
>         they (w3m or curl) work correctly but exit with a segmentation
>         fault and produce a core dump.
>
>>How-To-Repeat:
>       pkg_add tor torsocks curl
>       rcctl enable tor
>       rcctl start tor
>
>       torsocks curl https://openbsd.org
>       or
>       torsocks w3m https://openbsd.org | cat -
>
>>Fix:
>
> I don't know, but please find the backtraces of the core dumps of curl and w3m.
>
> CURL CORE DUMP:
>
> Core was generated by `curl'.
> Program terminated with signal 11, Segmentation fault.
> (no debugging symbols found)
> Loaded symbols for /usr/local/bin/curl
> Reading symbols from /usr/local/lib/torsocks/libtorsocks.so.1.0...(no debugging symbols found)...done.
> Loaded symbols for /usr/local/lib/torsocks/libtorsocks.so.1.0
> Reading symbols from /usr/local/lib/libcurl.so.25.15...done.
> Loaded symbols for /usr/local/lib/libcurl.so.25.15
> Reading symbols from /usr/local/lib/libnghttp2.so.0.13...done.
> Loaded symbols for /usr/local/lib/libnghttp2.so.0.13
> Reading symbols from /usr/lib/libssl.so.45.1...done.
> Loaded symbols for /usr/lib/libssl.so.45.1
> Reading symbols from /usr/lib/libcrypto.so.43.1...done.
> Loaded symbols for /usr/lib/libcrypto.so.43.1
> Reading symbols from /usr/lib/libz.so.5.0...done.
> Loaded symbols for /usr/lib/libz.so.5.0
> Reading symbols from /usr/lib/libpthread.so.25.1...done.
> Loaded symbols for /usr/lib/libpthread.so.25.1
> Reading symbols from /usr/lib/libc.so.92.3...done.
> Loaded symbols for /usr/lib/libc.so.92.3
> Reading symbols from /usr/libexec/ld.so...done.
> Loaded symbols for /usr/libexec/ld.so
> #0  0xa5f97afc in BIO_write (b=0xd997ec00, in=0xc3dcec00, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:289
> 289             if ((b->method == NULL) || (b->method->bwrite == NULL)) {
> (gdb) bt
> #0  0xa5f97afc in BIO_write (b=0xd997ec00, in=0xc3dcec00, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:289
> #1  0xa5f97aac in BIO_write (b=0xd997ec00, in=0xc3dcec00, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:281
> #2  0xa5f97aac in BIO_write (b=0xd997ec00, in=0xc3dcec00, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:281
> #3  0xa5f97aac in BIO_write (b=0xd997ec00, in=0xc3dcec00, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:281
> #4  0xa5f97aac in BIO_write (b=0xd997ec00, in=0xc3dcec00, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:281
> #5  0xa5f97aac in BIO_write (b=0xd997ec00, in=0xc3dcec00, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:281
> #6  0xa5f97aac in BIO_write (b=0xd997ec00, in=0xc3dcec00, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:281
> #7  0xa5f97aac in BIO_write (b=0xd997ec00, in=0xc3dcec00, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:281
> Previous frame inner to this frame (corrupt stack?)

We took a quick look yesterday: the crash happens in dtors, and the cause
looks like a use-after-free.  I'm not a BIO_* hacker; here's a stack trace
on amd64, with curl rebuilt with DEBUG=-g:

Program received signal SIGBUS, Bus error.
#0  0x000005738701c2d7 in BIO_write (b=0x5735f58b080, in=0x573e9a05400, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:289
289             if ((b->method == NULL) || (b->method->bwrite == NULL)) {
(gdb) p *b
$1 = {method = 0xdfdfdfdfdfdfdfdf, callback = 0xdfdfdfdfdfdfdfdf, cb_arg = 0xdfdfdfdfdfdfdfdf <error: Cannot access memory at address 0xdfdfdfdfdfdfdfdf>, init = -538976289, shutdown = -538976289, flags = -538976289,
  retry_reason = -538976289, num = -538976289, ptr = 0xdfdfdfdfdfdfdfdf, next_bio = 0xdfdfdfdfdfdfdfdf, prev_bio = 0xdfdfdfdfdfdfdfdf, references = -538976289, num_read = 16131858542891098079,
  num_write = 16131858542891098079, ex_data = {sk = 0xdfdfdfdfdfdfdfdf}}
(gdb) bt
#0  0x000005738701c2d7 in BIO_write (b=0x5735f58b080, in=0x573e9a05400, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:289
#1  0x00000573bd3467ab in __sflush (fp=0x573bd5b9410 <usual>) at /usr/src/lib/libc/stdio/fflush.c:80
#2  0x00000573bd34aa5f in _fwalk (function=0x573bd346740 <__sflush>) at /usr/src/lib/libc/stdio/fwalk.c:50
#3  0x00000573bd2ffd8c in _libc___cxa_finalize (dso=0x0) at /usr/src/lib/libc/stdlib/atexit.c:177
#4  0x00000573bd2ea9f1 in _libc_exit (status=0) at /usr/src/lib/libc/stdlib/exit.c:54
#5  0x00000570ee100b0d in _start ()
(gdb)


-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
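Reading the `p *b` output in the amd64 trace above: OpenBSD's malloc(3) junks freed chunks with 0xdf, and gdb renders that fill differently per field type, as a hex pointer, as the signed 32-bit -538976289, or as the unsigned 64-bit 16131858542891098079. The helper below is an added example, not code from this thread: it normalises those forms and flags a struct that was read back from freed memory; the second dump (a live-looking BIO) is constructed for contrast.

```python
import re

# OpenBSD malloc(3) overwrites freed chunks with 0xdf ("junking"), so a struct
# that gdb reads back from freed memory shows that byte in every field.
JUNK_BYTE = 0xDF

# From the `p *b` output in jca's amd64 trace above (line breaks joined).
FREED_BIO_DUMP = (
    "$1 = {method = 0xdfdfdfdfdfdfdfdf, callback = 0xdfdfdfdfdfdfdfdf, "
    "cb_arg = 0xdfdfdfdfdfdfdfdf <error: Cannot access memory at address "
    "0xdfdfdfdfdfdfdfdf>, init = -538976289, shutdown = -538976289, "
    "flags = -538976289, retry_reason = -538976289, num = -538976289, "
    "ptr = 0xdfdfdfdfdfdfdfdf, next_bio = 0xdfdfdfdfdfdfdfdf, "
    "prev_bio = 0xdfdfdfdfdfdfdfdf, references = -538976289, "
    "num_read = 16131858542891098079, num_write = 16131858542891098079, "
    "ex_data = {sk = 0xdfdfdfdfdfdfdfdf}}"
)
# Constructed for contrast: a plausible still-allocated BIO (not from the thread).
LIVE_BIO_DUMP = (
    "$2 = {method = 0x573e9a00100, callback = 0x0, cb_arg = 0x0, init = 1, shutdown = 1, "
    "flags = 0, retry_reason = 0, num = 0, ptr = 0x573e9a05400, next_bio = 0x0, "
    "prev_bio = 0x0, references = 1, num_read = 0, num_write = 24, ex_data = {sk = 0x0}}"
)
FIELD_RE = re.compile(r"(\w+) = (0x[0-9a-fA-F]+|-?\d+)")

def is_junk_filled(printed: str) -> bool:
    """True if gdb's printed value is a 4- or 8-byte word made only of JUNK_BYTE.
    gdb shows the same fill as a hex pointer, as the signed 32-bit -538976289
    (0xdfdfdfdf) or as the unsigned 64-bit 16131858542891098079, depending on
    the field's type, so normalise every form to little-endian bytes first."""
    n = int(printed, 0)
    for width in (4, 8):  # 4 also covers 32-bit targets such as the macppc trace
        try:
            raw = n.to_bytes(width, "little", signed=n < 0)
        except OverflowError:
            continue
        if raw == bytes([JUNK_BYTE]) * width:
            return True
    return False

def triage_struct_dump(dump: str) -> dict:
    """Classify each scalar field of a gdb struct dump as 0xdf fill or clean."""
    fields = FIELD_RE.findall(dump)
    junk = [name for name, value in fields if is_junk_filled(value)]
    ratio = len(junk) / len(fields) if fields else 0.0
    # Every field junked means the object sits in a freed chunk: use-after-free.
    freed = bool(fields) and ratio == 1.0
    return {"junk": junk, "junk_ratio": ratio, "freed": freed}
```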