Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-20 Thread Tor Bug Tracker & Wiki
#20103: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4
-----------------------------------------+---------------------------------
 Reporter:  attila                       |          Owner:  nickm
     Type:  defect                       |         Status:  accepted
 Priority:  High                         |      Milestone:  Tor: 0.2.8.x-final
Component:  Core Tor/Tor                 |        Version:  Tor: 0.2.8.7
 Severity:  Normal                       |     Resolution:
 Keywords:  bug regression 028-backport  |  Actual Points:  1
            TorCoreTeam201609            |
Parent ID:                               |         Points:
 Reviewer:                               |        Sponsor:
-----------------------------------------+---------------------------------
Changes (by nickm):

 * keywords:  bug regression 028-backport => bug regression 028-backport
 TorCoreTeam201609
 * status:  needs_review => accepted
 * milestone:  Tor: 0.2.9.x-final => Tor: 0.2.8.x-final
 * owner:   => nickm
 * actualpoints:   => 1


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-20 Thread Tor Bug Tracker & Wiki
Changes (by nickm):

 * status:  accepted => closed
 * resolution:   => fixed



Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-20 Thread Tor Bug Tracker & Wiki

Comment (by nickm):

 I've created #20191 to track the "make this code safer" task.


Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-20 Thread Tor Bug Tracker & Wiki

Comment (by nickm):

 (Merged the patch above to 0.2.8 and master.)


Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-20 Thread Tor Bug Tracker & Wiki

Comment (by nickm):

 What if we updated all the nodes to point to the new consensus _before_ we
 freed the old one?


Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-20 Thread Tor Bug Tracker & Wiki

Comment (by teor):

 The patch looks sensible to me. And it has received some testing on
 OpenBSD, so that's good.

 Replying to [comment:23 nickm]:
 > > are there things we should do to remove this trap for future
 > > developers?
 >
 > +1 on those, but let's call it another ticket.

 Don't we have a handle abstraction sitting around somewhere?
 Isn't it exactly what we want here?
 (Of course, that means re-writing every rs access, right?)


Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-20 Thread Tor Bug Tracker & Wiki

Comment (by nickm):

 > are there things we should do to remove this trap for future developers?

 +1 on those, but let's call it another ticket.


Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-20 Thread Tor Bug Tracker & Wiki

Comment (by arma):

 I looked over the patch very briefly and it looks plausible (and also
 complicated in its effects).

 Assuming for the moment that it is the right patch though: are there
 things we should do to remove this trap for future developers? Maybe a
 huge comment would be an easy first step? And maybe "precompute the answer
 to what that macro was about, and locate where in the code the answer
 might change, and only change it then" as another step?


Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-20 Thread Tor Bug Tracker & Wiki
Changes (by nickm):

 * status:  new => needs_review


Comment:

 Okay.  I've cleaned it up into a `bug20103_028_v3` branch, with a real
 commit message and a big pile of analysis.  Needs code review!


Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-19 Thread Tor Bug Tracker & Wiki

Comment (by rubiate):

 I think that did it. Been running in a start-stop loop for over 45 minutes
 on Debian and OpenBSD with no crash. Without the latest patch it crashes
 within a few minutes, so looks promising.


Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-19 Thread Tor Bug Tracker & Wiki

Comment (by nickm):

 Closer and closer.  Try bug20103_028_v2 again? I just pushed another
 commit.


Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-19 Thread Tor Bug Tracker & Wiki

Comment (by rubiate):

 The same, but different:

 {{{
 ==9107==ERROR: AddressSanitizer: heap-use-after-free on address
 0x60e0004e3b98 at pc 0x7fb130756e46 bp 0x7ffc37f6ce60 sp 0x7ffc37f6ce58
 READ of size 2 at 0x60e0004e3b98 thread T0
 #0 0x7fb130756e45 in tor_addr_family src/common/address.h:155
 #1 0x7fb130756e45 in tor_addr_is_null src/common/address.c:871
 #2 0x7fb130757288 in tor_addr_is_valid src/common/address.c:932
 #3 0x7fb13047dc6b in node_get_all_orports src/or/nodelist.c:836
 #4 0x7fb130734c7a in node_is_a_configured_bridge
 src/or/entrynodes.c:1871
 #5 0x7fb13074173a in any_bridge_supports_microdescriptors
 src/or/entrynodes.c:2487
 #6 0x7fb130468229 in we_use_microdescriptors_for_circuits
 src/or/microdesc.c:924
 #7 0x7fb1304728ec in networkstatus_set_current_consensus
 src/or/networkstatus.c:1680
 #8 0x7fb1306d146c in connection_dir_client_reached_eof
 src/or/directory.c:2009
 #9 0x7fb1306d5cc9 in connection_dir_reached_eof
 src/or/directory.c:2471
 #10 0x7fb13067879e in connection_reached_eof src/or/connection.c:4841
 #11 0x7fb13067879e in connection_handle_read_impl
 src/or/connection.c:3528
 #12 0x7fb130453b67 in conn_read_callback src/or/main.c:803
 #13 0x7fb12e6983db in event_base_loop (/usr/lib/x86_64-linux-
 gnu/libevent-2.0.so.5+0x103db)
 #14 0x7fb130455396 in run_main_loop_once src/or/main.c:2543
 #15 0x7fb130455396 in run_main_loop_until_done src/or/main.c:2589
 #16 0x7fb130455396 in do_main_loop src/or/main.c:2515
 #17 0x7fb13045ab94 in tor_main src/or/main.c:3646
 #18 0x7fb13044865b in main src/or/tor_main.c:30
 #19 0x7fb12cbb9b44 in __libc_start_main (/lib/x86_64-linux-
 gnu/libc.so.6+0x21b44)
 #20 0x7fb13044b01a (tor/src/or/tor+0x56501a)
 }}}


Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-19 Thread Tor Bug Tracker & Wiki

Comment (by nickm):

 Actually, that _is_ an improvement: the crash is in
 usable_consensus_flavor() now, not download_status_reset(). :)

 But try my branch `bug20103_028_v2`.  Is that any better?


Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-18 Thread Tor Bug Tracker & Wiki

Comment (by rubiate):

 Still crashes with the bug20103_028 branch.


 {{{
 ==17092==ERROR: AddressSanitizer: heap-use-after-free on address
 0x60e0004d8bb8 at pc 0x7fd113288016 bp 0x7ffc5d960c30 sp 0x7ffc5d960c28
 READ of size 2 at 0x60e0004d8bb8 thread T0
 #0 0x7fd113288015 in tor_addr_family src/common/address.h:155
 #1 0x7fd113288015 in tor_addr_is_null src/common/address.c:871
 #2 0x7fd113288458 in tor_addr_is_valid src/common/address.c:932
 #3 0x7fd112faee5b in node_get_all_orports src/or/nodelist.c:836
 #4 0x7fd113265e4a in node_is_a_configured_bridge
 src/or/entrynodes.c:1871
 #5 0x7fd11327290a in any_bridge_supports_microdescriptors
 src/or/entrynodes.c:2487
 #6 0x7fd112f99229 in we_use_microdescriptors_for_circuits
 src/or/microdesc.c:924
 #7 0x7fd112f99553 in usable_consensus_flavor src/or/microdesc.c:961
 #8 0x7fd112fa32ae in networkstatus_set_current_consensus
 src/or/networkstatus.c:1686
 #9 0x7fd11320263c in connection_dir_client_reached_eof
 src/or/directory.c:2009
 #10 0x7fd113206e99 in connection_dir_reached_eof
 src/or/directory.c:2471
 #11 0x7fd1131a996e in connection_reached_eof src/or/connection.c:4841
 #12 0x7fd1131a996e in connection_handle_read_impl
 src/or/connection.c:3528
 #13 0x7fd112f84b67 in conn_read_callback src/or/main.c:803
 #14 0x7fdc93db in event_base_loop (/usr/lib/x86_64-linux-
 gnu/libevent-2.0.so.5+0x103db)
 #15 0x7fd112f86396 in run_main_loop_once src/or/main.c:2543
 #16 0x7fd112f86396 in run_main_loop_until_done src/or/main.c:2589
 #17 0x7fd112f86396 in do_main_loop src/or/main.c:2515
 #18 0x7fd112f8bb94 in tor_main src/or/main.c:3646
 #19 0x7fd112f7965b in main src/or/tor_main.c:30
 #20 0x7fd10f6eab44 in __libc_start_main (/lib/x86_64-linux-
 gnu/libc.so.6+0x21b44)
 #21 0x7fd112f7c01a (tor/src/or/tor+0x56501a)

 0x60e0004d8bb8 is located 88 bytes inside of 160-byte region
 [0x60e0004d8b60,0x60e0004d8c00)
 freed by thread T0 here:
 #0 0x7fd111971527 in __interceptor_free (/usr/lib/x86_64-linux-
 gnu/libasan.so.1+0x54527)
 #1 0x7fd112f9b9f9 in networkstatus_vote_free
 src/or/networkstatus.c:313
 #2 0x7fd112fa357a in networkstatus_set_current_consensus
 src/or/networkstatus.c:1660
 #3 0x7fd11320263c in connection_dir_client_reached_eof
 src/or/directory.c:2009
 #4 0x7fd113206e99 in connection_dir_reached_eof
 src/or/directory.c:2471
 #5 0x7fd1131a996e in connection_reached_eof src/or/connection.c:4841
 #6 0x7fd1131a996e in connection_handle_read_impl
 src/or/connection.c:3528
 #7 0x7fd112f84b67 in conn_read_callback src/or/main.c:803
 #8 0x7fdc93db in event_base_loop (/usr/lib/x86_64-linux-
 gnu/libevent-2.0.so.5+0x103db)
 }}}


Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-18 Thread Tor Bug Tracker & Wiki

Comment (by rubiate):

 It was 0.2.8.7 until I added debugging statements so that's probably not
 helpful. The line is "networkstatus_vote_free(current_md_consensus)"
 which is really on src/or/networkstatus.c:1651.


 Here it is with proper line numbers. This is from the tor-0.2.8.7 tag, or
 "Tor v0.2.8.7 (git-263088633a63982a)".

 {{{
 freed by thread T0 here:
 #0 0x7f7f8ef24527 in __interceptor_free (/usr/lib/x86_64-linux-
 gnu/libasan.so.1+0x54527)
 #1 0x7f7f9054e9f9 in networkstatus_vote_free
 src/or/networkstatus.c:313
 #2 0x7f7f90556563 in networkstatus_set_current_consensus
 src/or/networkstatus.c:1651
 #3 0x7f7f907b568c in connection_dir_client_reached_eof
 src/or/directory.c:2009
 #4 0x7f7f907b9ee9 in connection_dir_reached_eof
 src/or/directory.c:2471
 #5 0x7f7f9075c9be in connection_reached_eof src/or/connection.c:4841
 #6 0x7f7f9075c9be in connection_handle_read_impl
 src/or/connection.c:3528
 #7 0x7f7f90537b67 in conn_read_callback src/or/main.c:803
 #8 0x7f7f8e77c3db in event_base_loop (/usr/lib/x86_64-linux-
 gnu/libevent-2.0.so.5+0x103db)
 }}}


Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-18 Thread Tor Bug Tracker & Wiki

Comment (by nickm):

 Branch `bug20103_028` might fix this.  Before I put it in needs_review,
 though, it would be good to have it get testing.  (I could also use an
 answer to my question above about the exact Tor version)


Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-18 Thread Tor Bug Tracker & Wiki

Comment (by nickm):

 Oh MAN.  When we free the consensus earlier (line 1662) in
 networkstatus_vote_free, we don't invalidate all the
 routerstatus_t objects that the node_t structures point to.  But they are
 used deep inside download_status_reset().  Tricky!

 Could you tell me what exact version of Tor you were testing on debian
 above?  I want to make sure that it is
 "networkstatus_free(current_md_consensus)" that's on line
 src/or/networkstatus.c:1662 , not some other networkstatus_free().

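
The ordering problem described in the comment above (nodes still pointing at routerstatus objects of a consensus that has already been freed) and the reordering nickm asks about in a later comment, as an added C model that is not Tor's code and not part of the thread. All `toy_*` names are hypothetical, the relay ids are constructed, and "freeing" only poisons static storage so that stale reads can be counted without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

#define N_RELAYS 3
#define POISON 0xdead

/* Toy stand-in for routerstatus_t: its storage belongs to one consensus. */
typedef struct {
    int live;               /* cleared when the owning consensus is freed */
    unsigned short family;  /* stands in for the field read in the ASan trace */
    char id[8];
} toy_rs_t;

typedef struct { toy_rs_t rs[N_RELAYS]; } toy_consensus_t;

/* Toy stand-in for node_t: borrows a pointer into the current consensus. */
typedef struct { char id[8]; toy_rs_t *rs; } toy_node_t;

/* Constructed relay ids: relayC drops out of the new consensus. */
static const char *const OLD_IDS[N_RELAYS] = {"relayA", "relayB", "relayC"};
static const char *const NEW_IDS[N_RELAYS] = {"relayA", "relayB", "relayD"};

static void toy_consensus_init(toy_consensus_t *c, const char *const *ids)
{
    for (int i = 0; i < N_RELAYS; i++) {
        c->rs[i].live = 1;
        c->rs[i].family = 2; /* constructed value */
        snprintf(c->rs[i].id, sizeof c->rs[i].id, "%s", ids[i]);
    }
}

/* Models freeing a consensus: every entry it owns becomes invalid. */
static void toy_consensus_free(toy_consensus_t *c)
{
    for (int i = 0; i < N_RELAYS; i++) {
        c->rs[i].live = 0;
        c->rs[i].family = POISON;
    }
}

/* Point each node at its entry in c, or at NULL if the relay is not listed. */
static void toy_nodes_repoint(toy_node_t *nodes, toy_consensus_t *c)
{
    for (int n = 0; n < N_RELAYS; n++) {
        nodes[n].rs = NULL;
        for (int i = 0; i < N_RELAYS; i++)
            if (strcmp(nodes[n].id, c->rs[i].id) == 0)
                nodes[n].rs = &c->rs[i];
    }
}

/* Models a helper that walks the node list and reads node->rs fields.
 * Returns how many reads hit an entry whose consensus is already freed. */
static int toy_walk_nodes(const toy_node_t *nodes)
{
    int stale = 0;
    for (int n = 0; n < N_RELAYS; n++) {
        const toy_rs_t *rs = nodes[n].rs;
        if (rs == NULL)
            continue; /* relay absent from the consensus: nothing to read */
        if (!rs->live || rs->family == POISON)
            stale++;
    }
    return stale;
}

/* Installs a new consensus in one of two orders and returns the number of
 * stale reads made by the node walk; *missing gets the nodes left without rs. */
int toy_run_scenario(int repoint_first, int *missing)
{
    static toy_consensus_t old_c, new_c; /* static: stays readable after "free" */
    toy_node_t nodes[N_RELAYS];
    int stale;

    toy_consensus_init(&old_c, OLD_IDS);
    toy_consensus_init(&new_c, NEW_IDS);
    for (int n = 0; n < N_RELAYS; n++)
        snprintf(nodes[n].id, sizeof nodes[n].id, "%s", OLD_IDS[n]);
    toy_nodes_repoint(nodes, &old_c);

    if (repoint_first) {
        toy_nodes_repoint(nodes, &new_c);  /* no node references old_c now */
        toy_consensus_free(&old_c);
        stale = toy_walk_nodes(nodes);
    } else {
        toy_consensus_free(&old_c);        /* nodes still point into old_c */
        stale = toy_walk_nodes(nodes);     /* the walk reads freed entries */
        toy_nodes_repoint(nodes, &new_c);  /* too late */
    }

    *missing = 0;
    for (int n = 0; n < N_RELAYS; n++)
        if (nodes[n].rs == NULL)
            (*missing)++;
    return stale;
}

int main(void)
{
    int missing;
    printf("free first:    %d stale reads\n", toy_run_scenario(0, &missing));
    printf("repoint first: %d stale reads\n", toy_run_scenario(1, &missing));
    return 0;
}
```
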

Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-18 Thread Tor Bug Tracker & Wiki

Comment (by nickm):

 Okay, it looks like there's a logic error inside
 networkstatus_set_current_consensus().


Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-18 Thread Tor Bug Tracker & Wiki

Comment (by rubiate):

 Bah, I'm slow. Of course, it works the same everywhere, just the results
 are different. On OpenBSD the memory is read protected after it's freed,
 hence crashes.

 I should have compiled it ASAN on Debian (doh, that's probably what you
 meant), would've worked this out faster.

 {{{
 ==12100==ERROR: AddressSanitizer: heap-use-after-free on address
 0x60e0004adf78 at pc 0x7f5185128426 bp 0x7ffed0454d70 sp 0x7ffed0454d68
 READ of size 2 at 0x60e0004adf78 thread T0
 #0 0x7f5185128425 in tor_addr_family src/common/address.h:155
 #1 0x7f5185128425 in tor_addr_is_null src/common/address.c:871
 #2 0x7f5185128868 in tor_addr_is_valid src/common/address.c:932
 #3 0x7f5184e4f23b in node_get_all_orports src/or/nodelist.c:838
 #4 0x7f518510625a in node_is_a_configured_bridge
 src/or/entrynodes.c:1871
 #5 0x7f5185112d1a in any_bridge_supports_microdescriptors
 src/or/entrynodes.c:2487
 #6 0x7f5184e39499 in we_use_microdescriptors_for_circuits
 src/or/microdesc.c:924
 #7 0x7f5184e397c3 in usable_consensus_flavor src/or/microdesc.c:961
 #8 0x7f5184e3fe8f in networkstatus_consensus_is_bootstrapping
 src/or/networkstatus.c:1257
 #9 0x7f51850977da in find_dl_schedule src/or/directory.c:3731
 #10 0x7f51850a005e in download_status_reset src/or/directory.c:3950
 #11 0x7f5184e43cd0 in networkstatus_set_current_consensus
 src/or/networkstatus.c:1690
 #12 0x7f51850a2a4c in connection_dir_client_reached_eof
 src/or/directory.c:2009
 #13 0x7f51850a72a9 in connection_dir_reached_eof
 src/or/directory.c:2471
 #14 0x7f5185049d7e in connection_reached_eof src/or/connection.c:4841
 #15 0x7f5185049d7e in connection_handle_read_impl
 src/or/connection.c:3528
 #16 0x7f5184e24dd7 in conn_read_callback src/or/main.c:803
 #17 0x7f51830693db in event_base_loop (/usr/lib/x86_64-linux-
 gnu/libevent-2.0.so.5+0x103db)
 #18 0x7f5184e26606 in run_main_loop_once src/or/main.c:2543
 #19 0x7f5184e26606 in run_main_loop_until_done src/or/main.c:2589
 #20 0x7f5184e26606 in do_main_loop src/or/main.c:2515
 #21 0x7f5184e2be04 in tor_main src/or/main.c:3646
 #22 0x7f5184e198cb in main src/or/tor_main.c:30
 #23 0x7f518158ab44 in __libc_start_main (/lib/x86_64-linux-
 gnu/libc.so.6+0x21b44)
 #24 0x7f5184e1c28a (tor/src/or/tor+0x56528a)

 0x60e0004adf78 is located 88 bytes inside of 160-byte region
 [0x60e0004adf20,0x60e0004adfc0)
 freed by thread T0 here:
 #0 0x7f5183811527 in __interceptor_free (/usr/lib/x86_64-linux-
 gnu/libasan.so.1+0x54527)
 #1 0x7f5184e3b9ea in networkstatus_vote_free
 src/or/networkstatus.c:320
 #2 0x7f5184e43915 in networkstatus_set_current_consensus
 src/or/networkstatus.c:1662
 #3 0x7f51850a2a4c in connection_dir_client_reached_eof
 src/or/directory.c:2009
 #4 0x7f51850a72a9 in connection_dir_reached_eof
 src/or/directory.c:2471
 #5 0x7f5185049d7e in connection_reached_eof src/or/connection.c:4841
 #6 0x7f5185049d7e in connection_handle_read_impl
 src/or/connection.c:3528
 #7 0x7f5184e24dd7 in conn_read_callback src/or/main.c:803
 #8 0x7f51830693db in event_base_loop (/usr/lib/x86_64-linux-
 gnu/libevent-2.0.so.5+0x103db)

 }}}


Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-17 Thread Tor Bug Tracker & Wiki

Comment (by rubiate):

 Did some more digging.

 What's up with the consensus when using the .20 relay (NYCBUG0) as a
 bridge?

 network-status-version 3 microdesc\nvote-status consensus\nconsensus-
 method 20\nvalid-after 2016-09-08 19:00:00\nfresh-until '''2016-09-08'''
 20:00:00\nvalid-until '''2016-09-08''' 22:00:00

 Tor says the clock is fine:

 [debug] connection_dir_client_reached_eof(): Time on received
 directory is within tolerance; we are -2 seconds skewed.  (That's okay.)
 [info] connection_dir_client_reached_eof(): Received consensus
 directory (size 1404160) from server '66.111.2.20:9001'

 Whatever the cause, I think this is what is exposing the bug.

 Before the crash happens, `networkstatus_vote_free(current_md_consensus)`
 on src/or/networkstatus.c:1753 is reached. This calls
 `routerstatus_free(rs)` (src/or/networkstatus.c:319) on everything in the
 routerlist. I added some logging to see what it's doing:

 [... bajillion lines trimmed...]
 routerstatus_free: 0x167ecf8fa700
 routerstatus_free: 0x167e5e425e00
 '''routerstatus_free: 0x167ecf8fab00'''
 routerstatus_free: 0x167e91b76a00
 routerstatus_free: 0x167ecf8fa100
 [...bajillion lines trimmed...]
 Segmentation fault (core dumped)

 $ gdb tor/src/or/tor tor.core
 (gdb) up 2
 (gdb) print *node->rs
 $1 = (routerstatus_t *) 0x167ecf8fab00


 I'm hoping that NYCBUG relay stays broken for now so I can investigate
 further, and hopefully figure out why this seems to only happen on
 OpenBSD.

 And well done to attila on having the specific config to trigger this :-)


Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-15 Thread Tor Bug Tracker & Wiki

Comment (by rubiate):

 Reproduced on tor-0.2.8.2-alpha, could not reproduce on tor-0.2.8.1-alpha

 There's no asan/ubsan support for openbsd unfortunately

 checking whether the compiler accepts -fsanitize=address... no
 checking whether the compiler accepts -fsanitize=undefined... no


Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-15 Thread Tor Bug Tracker & Wiki

Comment (by nickm):

 Also, are you able to compile with --enable-expensive-hardening ?  That
 configure flag turns on ubsan and asan if available, and can help diagnose
 memory corruption problems.


Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-15 Thread Tor Bug Tracker & Wiki

Comment (by nickm):

 Does this happen with older versions of Tor?  Is it possible to figure out
 roughly when this started happening?


Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-15 Thread Tor Bug Tracker & Wiki
Changes (by nickm):

 * keywords:   => bug regression 028-backport
 * milestone:   => Tor: 0.2.9.x-final



Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

2016-09-15 Thread Tor Bug Tracker & Wiki

Comment (by rubiate):

 I've been able to reproduce this (on OpenBSD) a bit more easily than what
 attila described.

 Run tor normally and with a standard config, but with UseBridges enabled
 and the 2 relays attila posted as bridges. Start and stop tor and it will
 eventually produce this same crash on startup while updating the
 consensus.

 Running this gives the crash usually within about ~30 minutes:

 {{{
 #!/bin/sh
 # Restart tor in a loop until it dumps core (tor.core appears).
 while [ ! -e tor.core ] ; do
   tor --ignore-missing-torrc -f "" --bridge 66.111.2.16:9001 \
       --bridge 66.111.2.20:9001 --usebridges 1 &
   sleep 20
   kill -TERM $!
   sleep 3
 done
 }}}

 I couldn't reproduce this on Debian (with 0.2.8.7 compiled from source).
 Or on OpenBSD when I changed the bridge lines to use different relays
 (although I might be getting close to superstitious pigeon territory now).


Re: [tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4 (was: Difficult-to-reproduce crash on OpenBSD: tor invoked from Tor Browser 6.0.4)

2016-09-08 Thread Tor Bug Tracker & Wiki
#20103: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4
--------------------------+--------------------------
 Reporter:  attila        |          Owner:
     Type:  defect        |         Status:  new
 Priority:  High          |      Milestone:
Component:  Core Tor/Tor  |        Version:  Tor: 0.2.8.7
 Severity:  Normal        |     Resolution:
 Keywords:                |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+--------------------------
