#27708: Heap use-after-free on git master dbb0abc9f1a174efdb65d581f5dbe46dbad2ebb5
------------------------------+--------------------------------
     Reporter:  dgoulet       |          Owner:  (none)
         Type:  defect        |         Status:  new
     Priority:  Medium        |      Milestone:  Tor: 0.3.5.x-final
    Component:  Core Tor/Tor  |        Version:
     Severity:  Normal        |       Keywords:  regression, crash
Actual Points:                |      Parent ID:
       Points:                |       Reviewer:
      Sponsor:                |
------------------------------+--------------------------------
 I found this issue by setting an invalid `HiddenServiceDir` containing 2
 levels of directories for tor to create, which it can't do, leading to
 `options_act()` returning -1.

 {{{
 HiddenServiceDir /tmp/level1/level2
 }}}

 Here is the ASAN output:

 {{{
 ==10573==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d000002948 at pc 0x55741b1f88d1 bp 0x7ffe0d70bc10 sp 0x7ffe0d70bc00
 READ of size 8 at 0x61d000002948 thread T0
     #0 0x55741b1f88d0 in or_options_free_ src/app/config/config.c:1005
     #1 0x55741b2009af in config_free_all src/app/config/config.c:1034
     #2 0x55741ad38034 in tor_free_all src/core/mainloop/main.c:3693
     #3 0x55741ad38b6e in tor_run_main src/core/mainloop/main.c:4277
     #4 0x55741ad2286b in tor_main src/feature/api/tor_api.c:164
     #5 0x55741ad1d7cb in main src/app/main/tor_main.c:32
     #6 0x7fc43440109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
     #7 0x55741ad219e9 in _start (/home/dgoulet/Documents/git/tor/src/app/tor+0x9119e9)

 0x61d000002948 is located 200 bytes inside of 2264-byte region [0x61d000002880,0x61d000003158)
 freed by thread T0 here:
     #0 0x7fc43614cb70 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb70)
     #1 0x55741b23e3e7 in config_free_ src/app/config/confparse.c:871
     #2 0x55741b1f8548 in or_options_free_ src/app/config/config.c:1026
     #3 0x55741b22bbcc in options_init_from_string src/app/config/config.c:5487
     #4 0x55741b22d540 in options_init_from_torrc src/app/config/config.c:5233
     #5 0x55741ad37098 in tor_init src/core/mainloop/main.c:3540
     #6 0x55741ad389c0 in tor_run_main src/core/mainloop/main.c:4275
     #7 0x55741ad2286b in tor_main src/feature/api/tor_api.c:164
     #8 0x55741ad1d7cb in main src/app/main/tor_main.c:32
     #9 0x7fc43440109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

 previously allocated by thread T0 here:
     #0 0x7fc43614cf30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30)
     #1 0x55741b3b378a in tor_malloc_ src/lib/malloc/malloc.c:45
     #2 0x55741b3b3821 in tor_malloc_zero_ src/lib/malloc/malloc.c:71
     #3 0x55741b22b294 in options_init_from_string src/app/config/config.c:5336
     #4 0x55741b22d540 in options_init_from_torrc src/app/config/config.c:5233
     #5 0x55741ad37098 in tor_init src/core/mainloop/main.c:3540
     #6 0x55741ad389c0 in tor_run_main src/core/mainloop/main.c:4275
     #7 0x55741ad2286b in tor_main src/feature/api/tor_api.c:164
     #8 0x55741ad1d7cb in main src/app/main/tor_main.c:32
     #9 0x7fc43440109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

 SUMMARY: AddressSanitizer: heap-use-after-free src/app/config/config.c:1005 in or_options_free_
 }}}

 Logs show:

 {{{
 Sep 14 10:20:00.000 [warn] Error creating directory /tmp/level1/level2: No such file or directory
 Sep 14 10:20:00.000 [warn] Error loading rendezvous service keys
 Sep 14 10:20:00.000 [err] set_options(): Bug: Acting on config options left us in a broken state. Dying. (on Tor 0.3.5.0-alpha-dev dbb0abc9f1a174ef)
 }}}

 What I can tell is that if `options_act()` returns -1, we'll inevitably end
 up in this situation, so this isn't HS only.

 Kind of difficult to follow the stack trace as the use-after-free points to
 a free(). I know that the pointer there is NULL at that time...

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27708>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
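The shape of the trace above (the options struct is freed on the `options_init_from_string` error path, then read again when `config_free_all` tears down the global options at exit) is the classic "stale owner after an error-path free" lifecycle. The following is an added example, not Tor's code and not a claim about the ticket's actual root cause: it models that lifecycle with hypothetical names (`options_init_buggy`, `options_init_fixed`, `run_lifecycle`), using a small ownership tracker that counts a second free of the same block instead of executing it, so the bug is observable deterministically rather than as undefined behaviour. The `options_act()` stand-in that fails on a three-component path is constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not Tor code: a reduced model of the lifecycle in the
 * trace (init installs new options, the error path frees them, process
 * teardown frees the global again). All names here are hypothetical. */

#define MAX_BLOCKS 32

/* Ownership tracker. Blocks are only marked dead, never handed back to the
 * allocator until tracker_reset(), so a stale free is counted instead of
 * being the undefined behaviour that ASAN reports in the real binary. */
static void *blocks[MAX_BLOCKS];
static int dead[MAX_BLOCKS];
static int nblocks;
static int stale_frees;

static void *tracked_alloc(size_t n) {
    if (nblocks == MAX_BLOCKS) abort();
    void *p = calloc(1, n);
    if (!p) abort();
    blocks[nblocks] = p;
    dead[nblocks++] = 0;
    return p;
}

static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < nblocks; i++) {
        if (blocks[i] == p) {
            if (dead[i]) stale_frees++;  /* freed twice: the bug being modelled */
            dead[i] = 1;
            return;
        }
    }
    abort();  /* pointer never came from tracked_alloc() */
}

static void tracker_reset(void) {
    for (int i = 0; i < nblocks; i++) free(blocks[i]);
    nblocks = 0;
    stale_frees = 0;
}

typedef struct options_t {
    char *hs_dir;  /* stands in for the HiddenServiceDir value */
} options_t;

static options_t *global_options;  /* what the set_options() step installs */

static void options_free(options_t *o) {
    if (!o) return;
    tracked_free(o->hs_dir);  /* reading a field of a dead block: the UAF read */
    tracked_free(o);
}

/* Constructed stand-in for options_act(): creating a directory whose parent
 * is missing fails, modelled here as "three or more path components". */
static int options_act(const options_t *o) {
    int depth = 0;
    for (const char *c = o->hs_dir; *c; c++) depth += (*c == '/');
    return depth >= 3 ? -1 : 0;
}

static options_t *options_new(const char *hs_dir) {
    options_t *o = tracked_alloc(sizeof *o);
    o->hs_dir = tracked_alloc(strlen(hs_dir) + 1);
    strcpy(o->hs_dir, hs_dir);
    return o;
}

/* Buggy init: on failure the new options are freed, but global_options still
 * holds their address, so teardown frees the same blocks a second time. */
static int options_init_buggy(const char *hs_dir) {
    options_t *newopts = options_new(hs_dir);
    global_options = newopts;
    if (options_act(newopts) < 0) {
        options_free(newopts);
        return -1;
    }
    return 0;
}

/* Fixed init: drop the global's ownership before freeing. A free-and-null
 * macro only nulls the variable it is handed; it cannot clear a different
 * variable (the global) that still holds the same address. */
static int options_init_fixed(const char *hs_dir) {
    options_t *newopts = options_new(hs_dir);
    global_options = newopts;
    if (options_act(newopts) < 0) {
        if (global_options == newopts) global_options = NULL;
        options_free(newopts);
        return -1;
    }
    return 0;
}

/* Process teardown, as tor_free_all() -> config_free_all() does in the trace. */
static void config_free_all(void) {
    options_free(global_options);
    global_options = NULL;
}

/* Run init followed by teardown; return how many stale frees were caught. */
static int run_lifecycle(int (*init)(const char *), const char *hs_dir) {
    tracker_reset();
    init(hs_dir);
    config_free_all();
    int n = stale_frees;
    tracker_reset();
    return n;
}
```

Running `run_lifecycle(options_init_buggy, "/tmp/level1/level2")` reports two stale frees (the string and the struct), while the fixed variant and the non-failing single-level path report none. The practical check this suggests for the real code is the one the reporter is already circling: any path that can return -1 after the new options have been installed must also relinquish every other reference to them, not just the local.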