[tor-bugs] #6267 [Obfsproxy]: SIGSEGV in obfs2_circuit_free when chroot() is used
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Sat Jun 30 20:19:26 UTC 2012
#6267: SIGSEGV in obfs2_circuit_free when chroot() is used
-----------------------+----------------------------------------------------
Reporter: dazo | Owner: asn
Type: defect | Status: new
Priority: normal | Milestone:
Component: Obfsproxy | Version:
Keywords: chroot | Parent:
Points: | Actualpoints:
-----------------------+----------------------------------------------------
When using the --chroot feature from trac #6264 on a Scientific Linux 6.2 (SL6.2) x86_64 box, I
get the following SIGSEGV:
'''Server side with --chroot'''
{{{
Program received signal SIGSEGV, Segmentation fault.
obfs2_circuit_free (circuit=0x7ffff8214870) at src/protocols/obfs2.c:303
303 obfs2_destroy(obfs2_circuit->state);
(gdb) bt
#0 obfs2_circuit_free (circuit=0x7ffff8214870) at
src/protocols/obfs2.c:303
#1 0x00007ffff7b9bb26 in bufferevent_writecb (fd=14, event=<value
optimized out>, arg=0x7ffff82144d0) at bufferevent_sock.c:244
#2 0x00007ffff7b93b0c in event_process_active_single_queue
(base=0x7ffff8212fd0, flags=0) at event.c:1340
#3 event_process_active (base=0x7ffff8212fd0, flags=0) at event.c:1407
#4 event_base_loop (base=0x7ffff8212fd0, flags=0) at event.c:1604
#5 0x00007ffff7ff8f3c in launch_external_proxy (begin=<value optimized
out>) at src/external.c:90
#6 0x00007ffff7fecbf8 in obfs_main (argc=<value optimized out>,
argv=0x7fffffffe648) at src/main.c:646
#7 0x00007ffff705ccdd in __libc_start_main () from /lib64/libc.so.6
#8 0x00007ffff7febcd9 in _start ()
(gdb) print circuit
$1 = (circuit_t *) 0x7ffff8214870
(gdb) print *circuit
$2 = {upstream = 0x7ffff8214840, downstream = 0x7ffff8214080, socks_state
= 0x0, is_open = 1, is_flushing = 0}
(gdb) print *circuit->upstream
$3 = {cfg = 0x0, peername = 0x7ffff8214dc0 "\360M!\370\377\177", circuit =
0x0, buffer = 0x7ffff82144d0, mode = LSN_SIMPLE_SERVER}
(gdb) print *circuit->downstream
$4 = {cfg = 0x7ffff82143e0, peername = 0x7ffff8214060
"\260M!\370\377\177", circuit = 0x0, buffer = 0x7ffff82140b0, mode =
LSN_SIMPLE_SERVER}
(gdb)
}}}
'''Client side with --chroot'''
{{{
Program received signal SIGSEGV, Segmentation fault.
obfs2_circuit_free (circuit=0x7ffff8214470) at src/protocols/obfs2.c:303
303 src/protocols/obfs2.c: No such file or directory.
in src/protocols/obfs2.c
Missing separate debuginfos, use: debuginfo-install
glibc-2.12-1.47.el6_2.12.x86_64 openssl-1.0.0-20.el6_2.5.x86_64
zlib-1.2.3-27.el6.x86_64
(gdb) bt
#0 obfs2_circuit_free (circuit=0x7ffff8214470) at
src/protocols/obfs2.c:303
#1 0x00007ffff7fefb8a in pending_socks_cb (bev=0x7ffff8214b00,
what=<value optimized out>, arg=<value optimized out>) at
src/network.c:994
#2 0x00007ffff7b9bb26 in bufferevent_writecb (fd=13, event=<value
optimized out>, arg=0x7ffff8214b00) at bufferevent_sock.c:244
#3 0x00007ffff7b93b0c in event_process_active_single_queue
(base=0x7ffff8212f70, flags=0) at event.c:1340
#4 event_process_active (base=0x7ffff8212f70, flags=0) at event.c:1407
#5 event_base_loop (base=0x7ffff8212f70, flags=0) at event.c:1604
#6 0x00007ffff7ff8f3c in launch_external_proxy (begin=<value optimized
out>) at src/external.c:90
#7 0x00007ffff7fecbf8 in obfs_main (argc=<value optimized out>,
argv=0x7fffffffe608) at src/main.c:646
#8 0x00007ffff705ccdd in __libc_start_main () from /lib64/libc.so.6
#9 0x00007ffff7febcd9 in _start ()
(gdb) print *circuit
$1 = {upstream = 0x7ffff8214020, downstream = 0x7ffff8214e70, socks_state
= 0x0, is_open = 1, is_flushing = 0}
(gdb) print *circuit->upstream
$2 = {cfg = 0x7ffff8214380, peername = 0x7ffff8214000
"\220N!\370\377\177", circuit = 0x0, buffer = 0x7ffff8214050, mode =
LSN_SOCKS_CLIENT}
(gdb) print *circuit->upstream->cfg
$3 = {vtable = 0x340}
(gdb) print *circuit->upstream->buffer
$4 = {ev_base = 0x7ffff73c9ed8, be_ops = 0x7ffff73c9ed8, ev_read =
{ev_active_next = {tqe_next = 0x0, tqe_prev = 0x0}, ev_next = {
tqe_next = 0x0, tqe_prev = 0x0}, ev_timeout_pos =
{ev_next_with_common_timeout = {tqe_next = 0x0, tqe_prev = 0x0},
min_heap_idx = 0},
ev_fd = 0, ev_base = 0x0, _ev = {ev_io = {ev_io_next = {tqe_next =
0x0, tqe_prev = 0x0}, ev_timeout = {tv_sec = 0,
tv_usec = 140737341327456}}, ev_signal = {ev_signal_next =
{tqe_next = 0x0, tqe_prev = 0x0}, ev_ncalls = 0,
ev_pncalls = 0x7ffff73c8860}}, ev_events = -1, ev_res = -1,
ev_flags = 2, ev_pri = 0 '\000', ev_closure = 0 '\000', ev_timeout = {
tv_sec = 0, tv_usec = 0}, ev_callback = 0x7ffff8214130, ev_arg =
0xffffffffffffffff}, ev_write = {ev_active_next = {tqe_next = 0x0,
tqe_prev = 0x7ffff8214140}, ev_next = {tqe_next = 0x0, tqe_prev =
0x7ffff8214ba8}, ev_timeout_pos = {ev_next_with_common_timeout = {
tqe_next = 0xffffffff, tqe_prev = 0x0}, min_heap_idx = -1}, ev_fd
= 12, ev_base = 0x7ffff8212f70, _ev = {ev_io = {ev_io_next = {
tqe_next = 0x7ffff73c7500, tqe_prev = 0x0}, ev_timeout = {tv_sec
= 0, tv_usec = 0}}, ev_signal = {ev_signal_next = {
tqe_next = 0x7ffff73c7500, tqe_prev = 0x0}, ev_ncalls = 0,
ev_pncalls = 0x0}}, ev_events = 0, ev_res = 0, ev_flags = 0,
ev_pri = 0 '\000', ev_closure = 0 '\000', ev_timeout = {tv_sec = 0,
tv_usec = 0}, ev_callback = 0, ev_arg = 0x0}, input = 0x0,
output = 0x0, wm_read = {low = 0, high = 0}, wm_write = {low = 0, high =
0}, readcb = 0, writecb = 0, errorcb = 0, cbarg = 0x0,
timeout_read = {tv_sec = 0, tv_usec = 0}, timeout_write = {tv_sec = 0,
tv_usec = 0}, enabled = 6}
(gdb) print *circuit->downstream
$5 = {cfg = 0x7ffff8214010, peername = 0x7ffff8214f30
"\360?!\370\377\177", circuit = 0x0, buffer = 0x7ffff8214b00, mode =
LSN_SOCKS_CLIENT}
(gdb) print *circuit->downstream->cfg
$6 = {vtable = 0x0}
(gdb) print *circuit->downstream->buffer
$7 = {ev_base = 0x7ffff8212f70, be_ops = 0x7ffff7dc5040, ev_read =
{ev_active_next = {tqe_next = 0x0, tqe_prev = 0x0}, ev_next = {
tqe_next = 0x0, tqe_prev = 0x7ffff8214ba8}, ev_timeout_pos =
{ev_next_with_common_timeout = {tqe_next = 0xffffffff, tqe_prev = 0x0},
min_heap_idx = -1}, ev_fd = 13, ev_base = 0x7ffff8212f70, _ev =
{ev_io = {ev_io_next = {tqe_next = 0x0, tqe_prev = 0x7ffff8214bd8},
ev_timeout = {tv_sec = 0, tv_usec = 0}}, ev_signal =
{ev_signal_next = {tqe_next = 0x0, tqe_prev = 0x7ffff8214bd8}, ev_ncalls =
0,
ev_pncalls = 0x0}}, ev_events = 18, ev_res = 0, ev_flags = 130,
ev_pri = 0 '\000', ev_closure = 2 '\002', ev_timeout = {tv_sec = 0,
tv_usec = 0}, ev_callback = 0x7ffff7b9bc40 <bufferevent_readcb>,
ev_arg = 0x7ffff8214b00}, ev_write = {ev_active_next = {
tqe_next = 0x0, tqe_prev = 0x7ffff82133a0}, ev_next = {tqe_next =
0x7ffff8214b10, tqe_prev = 0x7ffff8213f60}, ev_timeout_pos = {
ev_next_with_common_timeout = {tqe_next = 0xffffffff, tqe_prev =
0x0}, min_heap_idx = -1}, ev_fd = 13, ev_base = 0x7ffff8212f70,
_ev = {ev_io = {ev_io_next = {tqe_next = 0x7ffff8214b10, tqe_prev =
0x7ffff8214f10}, ev_timeout = {tv_sec = 0, tv_usec = 0}},
ev_signal = {ev_signal_next = {tqe_next = 0x7ffff8214b10, tqe_prev =
0x7ffff8214f10}, ev_ncalls = 0, ev_pncalls = 0x0}},
ev_events = 20, ev_res = 4, ev_flags = 130, ev_pri = 0 '\000',
ev_closure = 2 '\002', ev_timeout = {tv_sec = 0, tv_usec = 0},
ev_callback = 0x7ffff7b9b9d0 <bufferevent_writecb>, ev_arg =
0x7ffff8214b00}, input = 0x7ffff8214d00, output = 0x7ffff8214da0,
wm_read = {low = 0, high = 0}, wm_write = {low = 0, high = 0}, readcb =
0, writecb = 0, errorcb = 0, cbarg = 0x0, timeout_read = {
tv_sec = 0, tv_usec = 0}, timeout_write = {tv_sec = 0, tv_usec = 0},
enabled = 6}
(gdb)
}}}
These faults don't seem to be caused by chroot() itself; rather, chroot()ing
seems to expose some other bug in obfsproxy. Note what the dumps above show:
in both traces the circuit still has `is_open = 1`, yet both of its
connections have `circuit = 0x0`, and on the client side
`upstream->cfg->vtable` is `0x340`, `downstream->cfg->vtable` is NULL, and
`upstream->buffer` has NULL `input`/`output` and no callbacks set. That looks
more like a connection that has already been freed (or was never fully set
up) being torn down a second time than like a chroot problem. If that reading
is right, this is a use-after-free/double-free in the circuit teardown path
that chroot() merely makes reachable, and since the trigger is simply a peer
connecting it should be treated as a memory-safety bug rather than only a
crash.
The command lines I used to trigger this were:
'''Server:'''
{{{
obfsproxy --log-file=/var/log/obfsproxyd --chroot /var/chroot/obfsproxy
--log-min-severity=info --user=nobody obfs2 --dest=127.0.0.1:45442
--shared-secret=abcdefghijklmnopqrstuvwxyz server 0.0.0.0:65442
}}}
'''Client:'''
{{{
obfsproxy --chroot=/var/chroot/obfsproxy --user=nobody --log-min-
severity=debug obfs2 --shared-secret=abcdefghijklmnopqrstuvwxyz socks
127.0.0.1:1050
}}}
The crash happens when a SOCKS client connects to the client-side obfsproxy
and it in turn tries to reach the service behind the server side. I've been
using OpenVPN as the SOCKS client to trigger this.
The git HEAD for my environment is commit
94ebc4c3edf1e3e5f313444e59981ac557578df5 (v0.1.4) with the --daemon,
--pid-file, --user/--group and --chroot patches applied on top of that.
The --daemon and --pid-file patches can be found in Trac ticket #5130 and
--user/--group and --chroot patches are from #6264.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6267>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online