[tor-bugs] #15901 [Tor]: apparent memory corruption from control channel request processing -- very difficult to isolate
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon May 4 15:04:07 UTC 2015
#15901: apparent memory corruption from control channel request processing -- very difficult to isolate
---------------------------+--------------------------------
Reporter: starlight | Owner:
Type: defect | Status: new
Priority: critical | Milestone: Tor: 0.2.7.x-final
Component: Tor | Version: Tor: 0.2.5.12
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
---------------------------+--------------------------------
Comment (by starlight):
I realized that possibly the first event showed visibly corrupt "ISO time" strings due to the 0.2.4.26 version memory layout rather than due to timing or luck.

So I have built 0.2.4.27 with the core/stdio patch and put that live in the hope that the "ISO time" flavor of the event can be reproduced. If this happens, I intend to add some code to set one or more of the x86 debug registers to trap on a write to the time string, i.e. a hard-coded "watchpoint" without using 'gdb'. This could result in a core file where the stack trace leads directly to the code path causing memory corruption.

It appears that any use of an alternate malloc() such as with ASAN perturbs the memory layout such that the bug will not appear.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15901#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
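The hard-coded watchpoint the comment proposes, as an added example that is neither Tor code nor starlight's patch: on x86-64 Linux a forked helper attaches to its parent with ptrace, programs DR0/DR7 for a write-only breakpoint on the suspect buffer and detaches, so the next write to that buffer raises SIGTRAP in the parent, whose default action is the core dump the comment is after. The buffer name `iso_time`, both function names and the 8-byte watch width are assumptions; the Yama `prctl` call is needed on distributions that restrict which process may attach.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* DR7 control word for one write-only watchpoint in slot 0..3 (x86-64): Ln enables the
 * slot, R/Wn = 01 breaks on data writes, LENn encodes 1/2/4/8 bytes. 0 = invalid args. */
uint64_t dr7_write_watch(int slot, size_t len) {
    uint64_t lenbits;
    switch (len) { case 1: lenbits = 0; break; case 2: lenbits = 1; break;
                   case 4: lenbits = 3; break; case 8: lenbits = 2; break; default: return 0; }
    if (slot < 0 || slot > 3) return 0;
    uint64_t dr7 = 1ULL << (slot * 2);            /* Ln: local enable bit      */
    dr7 |= 1ULL << (16 + slot * 4);               /* R/Wn = 01: trap on writes */
    dr7 |= lenbits << (18 + slot * 4);            /* LENn: width of the range  */
    return dr7;
}

/* Arm slot 0 on `addr` (aligned to `len`) without gdb: the forked helper attaches to the
 * parent, pokes DR0 and DR7 via PTRACE_POKEUSER and detaches. A later write to the range
 * raises SIGTRAP in the parent. Returns 0 on success, -1 on bad args or refused ptrace. */
int arm_write_watchpoint(void *addr, size_t len) {
    uint64_t dr7 = dr7_write_watch(0, len);
    if (dr7 == 0 || ((uintptr_t)addr % len) != 0) return -1;
    prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0);   /* let the child attach (Yama) */
    int status; pid_t parent = getpid(), child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        int ok = ptrace(PTRACE_ATTACH, parent, 0, 0) == 0 &&
                 waitpid(parent, NULL, 0) == parent &&
                 ptrace(PTRACE_POKEUSER, parent, offsetof(struct user, u_debugreg[0]), addr) == 0 &&
                 ptrace(PTRACE_POKEUSER, parent, offsetof(struct user, u_debugreg[7]),
                        (void *)(uintptr_t)dr7) == 0;
        ptrace(PTRACE_DETACH, parent, 0, 0);
        _exit(ok ? 0 : 1);
    }
    if (waitpid(child, &status, 0) != child) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Constructed stand-in for the time string the comment wants to guard. */
static char iso_time[32] __attribute__((aligned(8))) = "2015-05-04T15:04:07";
int main(void) {
    if (arm_write_watchpoint(iso_time, 8) != 0) { fputs("watchpoint not armed\n", stderr); return 1; }
    iso_time[0] = 'X';   /* the offending write: SIGTRAP here, the core's backtrace names the writer */
    return 0;
}
```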