[tor-bugs] #24807 [Core Tor]: UAF after updating `master` to 1dab8bae21bc32e5d4e3ff954f4919d6506ad2e1
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jan 5 09:53:11 UTC 2018
#24807: UAF after updating `master` to 1dab8bae21bc32e5d4e3ff954f4919d6506ad2e1
--------------------------+--------------------
Reporter: gk | Owner: (none)
Type: defect | Status: new
Priority: High | Milestone:
Component: Core Tor | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
--------------------------+--------------------
After updating `master` to 1dab8bae21bc32e5d4e3ff954f4919d6506ad2e1
surfing to an arbitrary website on my Linux box crashes my tor with
{{{
=================================================================
==12974==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d000001884 at pc 0x563a216f6558 bp 0x7ffed0c7b0d0 sp 0x7ffed0c7b0c8
READ of size 4 at 0x61d000001884 thread T0
    #0 0x563a216f6557 in run_main_loop_once ../src/or/main.c:2783
    #1 0x563a216f6557 in run_main_loop_until_done ../src/or/main.c:2852
    #2 0x563a216f6557 in do_main_loop ../src/or/main.c:2735
    #3 0x563a216f8e74 in tor_run_main ../src/or/main.c:4016
    #4 0x563a216e4585 in tor_main ../src/or/tor_api.c:84
    #5 0x563a216e178b in main ../src/or/tor_main.c:22
    #6 0x7fe2e63e6560 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20560)
    #7 0x563a216e4239 in _start (/home/thomas/Arbeit/Tor/tor/build/src/or/tor+0x6a6239)

0x61d000001884 is located 1028 bytes inside of 2272-byte region [0x61d000001480,0x61d000001d60)
freed by thread T0 here:
    #0 0x7fe2e8eea8c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
    #1 0x563a21998102 in config_free_ ../src/or/confparse.c:882
    #2 0x563a21952174 in or_options_free_ ../src/or/config.c:957
    #3 0x563a2198075c in or_options_free_ ../src/or/config.c:933
    #4 0x563a2198075c in set_options ../src/or/config.c:887
    #5 0x563a2198670b in options_trial_assign ../src/or/config.c:2507
    #6 0x563a21a17e79 in control_setconf_helper ../src/or/control.c:1021
    #7 0x563a21a26190 in handle_control_setconf ../src/or/control.c:1059
    #8 0x563a21a26190 in connection_control_process_inbuf ../src/or/control.c:5352
    #9 0x563a219bfe2c in connection_handle_read_impl ../src/or/connection.c:3475
    #10 0x563a216f3a57 in conn_read_callback ../src/or/main.c:861
    #11 0x7fe2e86b09b9 (/usr/lib/x86_64-linux-gnu/libevent-2.1.so.6+0x229b9)

previously allocated by thread T0 here:
    #0 0x7fe2e8eeac20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
    #1 0x563a21bda65a in tor_malloc_ ../src/common/util.c:150
    #2 0x563a21bda701 in tor_malloc_zero_ ../src/common/util.c:178
    #3 0x563a219869c8 in options_init_from_string ../src/or/config.c:5401
    #4 0x563a21988b32 in options_init_from_torrc ../src/or/config.c:5298
    #5 0x563a216f7292 in tor_init ../src/or/main.c:3299
    #6 0x563a216f8a7f in tor_run_main ../src/or/main.c:3989
    #7 0x563a216e4585 in tor_main ../src/or/tor_api.c:84
    #8 0x563a216e178b in main ../src/or/tor_main.c:22
    #9 0x7fe2e63e6560 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20560)

SUMMARY: AddressSanitizer: heap-use-after-free ../src/or/main.c:2783 in run_main_loop_once
Shadow bytes around the buggy address:
0x0c3a7fff82c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fff82d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fff82e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fff82f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fff8300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3a7fff8310:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fff8320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fff8330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fff8340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fff8350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fff8360: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==12974==ABORTING
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24807>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
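The trace above has a recognisable shape: the main loop reads a 4-byte field from an options struct that was freed while the loop was still running, and the free happened inside a control-port SETCONF handler (options_trial_assign -> set_options -> or_options_free_) that the loop itself dispatched via conn_read_callback. In other words, a pointer to the current options was held across a point where control-port input can replace them. The following is an added illustration of that pattern and of the usual fix; it is not tor's code. The types and functions (options_t, get_options, set_options, handle_control_setconf, loop_once_vulnerable, loop_once_fixed) are toy analogues named after the frames in the trace, and the port numbers are made up.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for a heap-allocated options struct (assumption: this is
 * not tor's or_options_t, just enough of one to show the lifetime bug). */
typedef struct {
    int dirport;
} options_t;

static options_t *global_options = NULL;

static options_t *get_options(void) { return global_options; }

/* Analogue of set_options(): install the new options and free the old ones.
 * After this returns, any pointer obtained earlier from get_options() dangles. */
static void set_options(options_t *new_opts) {
    options_t *old = global_options;
    global_options = new_opts;
    free(old);
}

/* Analogue of a SETCONF handler: build fresh options and swap them in.
 * This is what runs inside conn_read_callback() in the trace. */
static void handle_control_setconf(int new_dirport) {
    options_t *opts = calloc(1, sizeof *opts);
    if (!opts) abort();
    opts->dirport = new_dirport;
    set_options(opts);
}

/* Vulnerable shape (mirrors the trace): cache the options pointer, then run
 * a callback that may process control-port input. The cached pointer is
 * returned rather than dereferenced, because dereferencing it after the
 * callback replaced the options would be exactly the use-after-free. */
static const options_t *loop_once_vulnerable(void (*conn_read_cb)(void)) {
    const options_t *opts = get_options();
    conn_read_cb();          /* may call handle_control_setconf() */
    return opts;             /* stale if the options were replaced */
}

/* Hardened shape: do not hold the options pointer across anything that can
 * dispatch control-port commands; fetch it again after the callback. */
static int loop_once_fixed(void (*conn_read_cb)(void)) {
    conn_read_cb();
    const options_t *opts = get_options();
    return opts->dirport;
}

/* Constructed callback standing in for a client sending "SETCONF DirPort=9030". */
static void setconf_callback(void) { handle_control_setconf(9030); }

static void init_options(int dirport) {
    global_options = calloc(1, sizeof *global_options);
    if (!global_options) abort();
    global_options->dirport = dirport;
}

static void teardown(void) {
    free(global_options);
    global_options = NULL;
}

/* Returns 1 when the vulnerable loop ends up holding a pointer that no longer
 * matches the live options, i.e. it now points into freed memory. */
int demo_vulnerable_returns_stale_pointer(void) {
    init_options(9001);
    const options_t *cached = loop_once_vulnerable(setconf_callback);
    int stale = (cached != get_options());
    teardown();
    return stale;
}

/* Returns the DirPort the fixed loop observes after the SETCONF: the new value. */
int demo_fixed_reads_new_value(void) {
    init_options(9001);
    int port = loop_once_fixed(setconf_callback);
    teardown();
    return port;
}

int main(void) {
    printf("vulnerable loop holds stale pointer: %d\n",
           demo_vulnerable_returns_stale_pointer());
    printf("fixed loop reads DirPort: %d\n", demo_fixed_reads_new_value());
    return 0;
}
```

The toy never touches freed memory, so it runs cleanly even without a sanitizer; to see the real thing, replace the `return opts;` in loop_once_vulnerable with a read of `opts->dirport` and build with `-fsanitize=address`, which reports a heap-use-after-free with a "freed by" stack through set_options, just as in the ticket. The practical check when reviewing a main loop is to look for any local that caches get_options() (or another swap-and-free global) across a call that can run event callbacks.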