[tor-bugs] #13471 [Tor]: router daemon crashes with openssl built no_ssl3

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Oct 19 22:47:18 UTC 2014


#13471: router daemon crashes with openssl built no_ssl3
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:
  starlight              |     Status:  new
         Type:  defect   |  Milestone:  Tor: 0.2.6.x-final
     Priority:  blocker  |    Version:  Tor: 0.2.4.24
    Component:  Tor      |   Keywords:  tor-relay ssl3 poodle 025-backport
   Resolution:           |  024-backport 023-backport
Actual Points:           |  Parent ID:
       Points:           |
-------------------------+-------------------------------------------------

Comment (by starlight):

 As a point of interest, this bug handily facilitated
 the completion of a goal I've had to configure
 useable core-dumps on the stripped-down production
 relay system.

 The key bit was an undocumented ASAN environment option:

 unmap_shadow_on_exit=1

 per

 https://code.google.com/p/address-sanitizer/issues/detail?id=345

 so running with

 ASAN_OPTIONS="disable_core=0:unmap_shadow_on_exit=1:abort_on_error=1"

 I was finally able to obtain a good core file
 of this particular event.  Then one brings
 the chroot_tor jail over to the dev system
 and can use gdb to examine the file.  E.G.

 {{{
 $ gdb /ww/chroot_tor/usr/local/bin/tor-sanitize-0.2.4.24
 Reading symbols from /ww/chroot_tor/usr/local/bin/tor-sanitize-0.2.4.24...done.
 (gdb) set sysroot /ww/chroot_tor
 (gdb) add-auto-load-safe-path /ww/chroot_tor/lib64/libthread_db-1.0.so
 (gdb) core-file core.8353
 warning: core file may not match specified executable file.
 [New LWP 8353]
 [New LWP 8356]
 [New LWP 8355]
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/ww/chroot_tor/lib64/libthread_db.so.1".
 Core was generated by `/usr/local/bin/tor -f /home/tor/torrc --quiet'.
 Program terminated with signal SIGABRT, Aborted.
 #0  0x? in raise () from /ww/chroot_tor/lib64/libc.so.6
 #1  0x? in abort () from /ww/chroot_tor/lib64/libc.so.6
 #2  0x? in __sanitizer::Abort () at ...
 #3  0x? in __asan::AsanDie () at ...
 #4  0x? in __sanitizer::Die () at ...
 #5  0x? in __asan::ScopedInErrorReport::~ScopedInErrorReport (this=<optimized out>, __in_chrg=<optimized out>) at ...
 #6  0x? in __asan::ReportSIGSEGV (pc=, sp=, bp=, addr=) ...
 #7  0x? in __asan::ASAN_OnSIGSEGV (siginfo=<optimized out>, context=0x?) at ...
 #8  <signal handler called>

 #9  0x? in SSL_ctrl (s=0x?, cmd=55, larg=0, parg=0x0) at ssl_lib.c:1106
 #10 0x? in tor_tls_free (tls=0x?) at src/common/tortls.c:2029
 #11 0x? in connection_free_ (conn=conn@entry=0x?) at src/or/connection.c:512
 #12 0x? in connection_free (conn=conn@entry=0x?) at src/or/connection.c:631
 #13 0x? in connection_unlink (conn=conn@entry=0x?) at src/or/main.c:414
 #14 0x? in conn_close_if_marked (i=<optimized out>) at src/or/main.c:930
 #15 close_closeable_connections () at src/or/main.c:699
 #16 0x? in conn_read_callback (fd=<optimized out>, event=<optimized out>, _conn=0x?) at src/or/main.c:734
 #17 0x? in event_process_active_single_queue (activeq=0x?, base=0x?) at event.c:1350
 #18 event_process_active (base=<optimized out>) at event.c:1420
 #19 event_base_loop (base=0x?, flags=flags@entry=0) at event.c:1621
 #20 0x? in do_main_loop () at src/or/main.c:1987
 #21 0x? in tor_main (argc=4, argv=0x?) at src/or/main.c:2703
 #22 0x? in main (argc=<optimized out>, argv=<optimized out>) at src/or/tor_main.c:30

 (gdb) directory /w/gpl/openssl-1.0.1j-as-no_ssl3/ssl/
 Source directories searched: /w/gpl/openssl-1.0.1j-as-no_ssl3/ssl:$cdir:$cwd
 (gdb) up 9
 #9  0x? in SSL_ctrl (s=0x?, cmd=55, larg=0, parg=0x0) at ssl_lib.c:1106
 1106                    return(s->method->ssl_ctrl(s,cmd,larg,parg));
 (gdb) print s
 $3 = (SSL *) 0x?
 (gdb) print s->method
 $4 = (const struct ssl_method_st *) 0x0
 }}}

 Had to add libthread_db-1.0.so to the copy of the jail for 'gdb'.

 Of course the point of all this is to obtain core files
 that can be used for postmortem analysis of one-off failures
 that may be impossible to reproduce.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13471#comment:17>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
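
A preflight check for the core-dump settings the comment above ran with, as an added example that is not part of the ticket or of Tor. The function names are hypothetical; the three option names are the ones quoted in the comment, and the core size limit is whatever `ulimit -c` reports in the shell that starts the daemon.

```shell
#!/bin/sh
# Added example (not from the ticket): verify the ASAN core-dump prerequisites
# before starting an ASAN-built daemon. Function names are hypothetical.

# Print the value KEY ($2) has in an ASAN_OPTIONS string ($1); last setting wins.
# The sanitizer flag parser accepts ':', ',' and whitespace as separators.
asan_opt() {
    printf '%s\n' "$1" | tr ' ,:' '\n\n\n' |
        awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# Normalise a sanitizer boolean to 1, 0, or "" (unset or unrecognised).
asan_bool() {
    case "$(asan_opt "$1" "$2")" in
        1|yes|true) echo 1 ;;
        0|no|false) echo 0 ;;
        *) echo "" ;;
    esac
}

# asan_core_problems ASAN_OPTIONS CORE_LIMIT
# Prints one line per missing prerequisite; prints nothing when all are met.
asan_core_problems() {
    [ "$(asan_bool "$1" disable_core)" = 0 ] ||
        echo "disable_core=0 missing: ASAN keeps core dumps disabled on 64-bit"
    [ "$(asan_bool "$1" unmap_shadow_on_exit)" = 1 ] ||
        echo "unmap_shadow_on_exit=1 missing: shadow memory stays mapped at exit"
    [ "$(asan_bool "$1" abort_on_error)" = 1 ] ||
        echo "abort_on_error=1 missing: ASAN exits instead of calling abort()"
    [ "$2" != 0 ] ||
        echo "core size limit is 0: the kernel will not write a core file"
    return 0
}

# Run directly (e.g. from the daemon's start script) to check this environment.
asan_core_problems "${ASAN_OPTIONS:-}" "$(ulimit -c)"
```
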

