[tor-bugs] #17874 [Tor]: ERROR: AddressSanitizer: heap-use-after-free
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Dec 16 19:47:21 UTC 2015
#17874: ERROR: AddressSanitizer: heap-use-after-free
-----------------------------+------------------------------
     Reporter:  cypherpunks  |      Owner:
         Type:  defect       |     Status:  new
     Priority:  Medium       |  Milestone:  Tor: 0.2.???
    Component:  Tor          |    Version:  Tor: unspecified
     Severity:  Normal       |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |    Sponsor:
-----------------------------+------------------------------
==12345==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000cf5472 at pc 0x55d4620d3245 bp 0x7ffcc0089a50 sp 0x7ffcc0089a48
READ of size 2 at 0x613000cf5472 thread T0
    #0 0x55d4620d3244 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xef4244)
    #1 0x55d461ef26bb (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xd136bb)
    #2 0x55d461ef244f (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xd1344f)
    #3 0x55d461dc997e (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xbea97e)
    #4 0x55d4619255d2 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x7465d2)
    #5 0x55d461917088 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x738088)
    #6 0x55d461f23213 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xd44213)
    #7 0x55d461f1b081 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xd3c081)
    #8 0x55d461d15dd7 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xb36dd7)
    #9 0x55d461d4c147 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xb6d147)
    #10 0x55d462126fef (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xf47fef)
    #11 0x55d4621231f2 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xf441f2)
    #12 0x55d46209db6b (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xebeb6b)
    #13 0x55d46206a166 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xe8b166)
    #14 0x55d4620679cf (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xe889cf)
    #15 0x55d46176ef18 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x58ff18)
    #16 0x7fb0858abc58 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/libevent-2.1.so.5+0x1fc58)
    #17 0x7fb0858a7d01 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/libevent-2.1.so.5+0x1bd01)
    #18 0x55d461793edf (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x5b4edf)
    #19 0x55d461780a36 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x5a1a36)
    #20 0x55d46177c946 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x59d946)
    #21 0x55d461786c29 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x5a7c29)
    #22 0x55d46176c52a (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x58d52a)
    #23 0x7fb0844afb44 (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #24 0x55d4616c1216 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x4e2216)
0x613000cf5472 is located 114 bytes inside of 328-byte region [0x613000cf5400,0x613000cf5548)
freed by thread T0 here:
    #0 0x55d461747f32 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x568f32)
    #1 0x55d462034722 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xe55722)
    #2 0x55d46202a6cd (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xe4b6cd)
    #3 0x55d46179c7cf (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x5bd7cf)
    #4 0x55d4617a0bea (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x5c1bea)
    #5 0x55d46179b4c8 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x5bc4c8)
    #6 0x55d46176f81d (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x59081d)
    #7 0x7fb0858abc58 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/libevent-2.1.so.5+0x1fc58)
previously allocated by thread T0 here:
    #0 0x55d461748212 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x569212)
    #1 0x55d4625ba9af (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x13db9af)
    #2 0x55d4625bac68 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x13dbc68)
    #3 0x55d4620264ca (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xe474ca)
    #4 0x55d4620280ba (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xe490ba)
    #5 0x55d462094402 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xeb5402)
    #6 0x55d4620683ca (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xe893ca)
    #7 0x55d4620679cf (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0xe889cf)
    #8 0x55d46176ef18 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/tor+0x58ff18)
    #9 0x7fb0858abc58 (/home/cypherpunks/tor-browser_en-US/Browser/TorBrowser/Tor/libevent-2.1.so.5+0x1fc58)
Shadow bytes around the buggy address:
0x0c2680196a30: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c2680196a40: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c2680196a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2680196a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2680196a70: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2680196a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
0x0c2680196a90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2680196aa0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c2680196ab0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c2680196ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2680196ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==12345==ABORTING
tor-0.2.7.3-rc-467-ga03469a
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17874>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online