Trac issueshttps://gitlab.torproject.org/legacy/trac/-/issues2020-06-13T15:45:43Zhttps://gitlab.torproject.org/legacy/trac/-/issues/31772MAPADDRESS control command2020-06-13T15:45:43ZTracMAPADDRESS control commandI'm using the control socket to execute MAPADDRESS commands.
Since TorBrowser 8.5.5 (Linux64) with Tor 0.4.1.5 the behavior changed.
On TorBrowser 8.5.4 (Linux64) with Tor 0.4.0.5 the following command worked:
MAPADDRESS *.torproject.o...I'm using the control socket to execute MAPADDRESS commands.
Since TorBrowser 8.5.5 (Linux64) with Tor 0.4.1.5 the behavior changed.
On TorBrowser 8.5.4 (Linux64) with Tor 0.4.0.5 the following command worked:
MAPADDRESS *.torproject.org=127.0.0.1
250 *.torproject.org=127.0.0.1
On TorBrowser 8.5.5 (Linux64) with Tor 0.4.1.5 the following happens:
MAPADDRESS *.torproject.org=127.0.0.1
512 syntax error: not enough arguments to mapaddress.
However, I found out that the following works:
MAPADDRESS foo *.torproject.org=127.0.0.1
250 *.torproject.org=127.0.0.1
I could not find any information about a change in the MAPADDRESS command specification.
Did the MAPADDRESS command change or may this be a bug in the command parsing?
**Trac**:
**Username**: kowenkiTor: 0.4.1.x-finalNick MathewsonNick Mathewsonhttps://gitlab.torproject.org/legacy/trac/-/issues/31301error building tor-0.4.1.4-rc2020-06-13T15:43:54ZNathan Freitaserror building tor-0.4.1.4-rcusing the exact same build process I did for 0.4.0.4, I receive an error when trying to build the latest tor release, using the tor-android build system:
src/core/libtor-app.a(main.o):main.c:function run_tor_main_loop: error: undefined ...using the exact same build process I did for 0.4.0.4, I receive an error when trying to build the latest tor release, using the tor-android build system:
src/core/libtor-app.a(main.o):main.c:function run_tor_main_loop: error: undefined reference to 'keypin_load_journal'
src/core/libtor-app.a(main.o):main.c:function run_tor_main_loop: error: undefined reference to 'keypin_open_journal'
src/core/libtor-app.a(main.o):main.c:function do_hup: error: undefined reference to 'dirserv_load_fingerprint_file'
src/core/libtor-app.a(connection_or.o):connection_or.c:function connection_or_client_learned_peer_id: error: undefined reference to 'dirserv_orconn_tls_done'
src/core/libtor-app.a(networkstatus.o):networkstatus.c:function routers_update_status_from_consensus_networkstatus: error: undefined reference to 'dirserv_should_launch_reachability_test'
src/core/libtor-app.a(nodelist.o):nodelist.c:function nodelist_set_routerinfo: error: undefined reference to 'dirserv_router_get_status'
src/core/libtor-app.a(nodelist.o):nodelist.c:function nodelist_set_routerinfo: error: undefined reference to 'dirserv_set_node_flags_from_authoritative_status'
src/core/libtor-app.a(routerlist.o):routerlist.c:function router_add_to_routerlist: error: undefined reference to 'authdir_wants_to_reject_router'
src/core/libtor-app.a(routerlist.o):routerlist.c:function update_consensus_router_descriptor_downloads: error: undefined reference to 'dirserv_would_reject_router'
src/core/libtor-app.a(router.o):router.c:function init_keys: error: undefined reference to 'dirserv_add_own_fingerprint'
src/core/libtor-app.a(router.o):router.c:function init_keys: error: undefined reference to 'dirserv_add_descriptor'
src/core/libtor-app.a(router.o):router.c:function init_keys: error: undefined reference to 'dirserv_load_fingerprint_file'
src/core/libtor-app.a(dircache.o):dircache.c:function directory_handle_command_post: error: undefined reference to 'dirserv_add_multiple_descriptors'
clang: error: linker command failed with exit code 1 (use -v to see invocation)Tor: 0.4.1.x-finalhttps://gitlab.torproject.org/legacy/trac/-/issues/31003heap-use-after-free src/feature/nodelist/routerlist.c:704 in router_get_by_de...2020-06-13T15:43:07ZDavid Gouletdgoulet@torproject.orgheap-use-after-free src/feature/nodelist/routerlist.c:704 in router_get_by_descriptor_digestDoing some HS DoS testing and on ctrl+c of my tor client (unmodified), this showed up.
Tor version 0.4.2.0-alpha-dev (git-6afe1b00c9c73b1b).
(info.log attached to the ticket)
```
==16279==ERROR: AddressSanitizer: heap-use-after-free o...Doing some HS DoS testing and on ctrl+c of my tor client (unmodified), this showed up.
Tor version 0.4.2.0-alpha-dev (git-6afe1b00c9c73b1b).
(info.log attached to the ticket)
```
==16279==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000002428 at pc 0x559683ab9839 bp 0x7ffff3007db0 sp 0x7ffff3007da0
READ of size 8 at 0x60e000002428 thread T0
#0 0x559683ab9838 in router_get_by_descriptor_digest src/feature/nodelist/routerlist.c:704
#1 0x559683aa2a12 in count_usable_descriptors src/feature/nodelist/nodelist.c:2388
#2 0x559683aa2f75 in compute_frac_paths_available src/feature/nodelist/nodelist.c:2448
#3 0x559683aaf204 in update_router_have_minimum_dir_info src/feature/nodelist/nodelist.c:2701
#4 0x559683aaf204 in router_have_minimum_dir_info src/feature/nodelist/nodelist.c:2301
#5 0x559683a52714 in can_client_refetch_desc src/feature/hs/hs_client.c:1184
#6 0x559683a52714 in hs_client_refetch_hsdesc src/feature/hs/hs_client.c:1350
#7 0x559683a56bc2 in retry_all_socks_conn_waiting_for_desc src/feature/hs/hs_client.c:298
#8 0x559683a56bc2 in hs_client_dir_info_changed src/feature/hs/hs_client.c:1936
#9 0x559683abab62 in routerlist_free_ src/feature/nodelist/routerlist.c:944
#10 0x559683abab62 in routerlist_free_all src/feature/nodelist/routerlist.c:1429
#11 0x5596838ce3f4 in tor_free_all src/app/main/shutdown.c:116
#12 0x5596838cc0c4 in tor_run_main src/app/main/main.c:1358
#13 0x5596838c86b8 in tor_main src/feature/api/tor_api.c:164
#14 0x5596838c1dbf in main src/app/main/tor_main.c:32
#15 0x7f6565a75b6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)
#16 0x5596838c7db9 in _start (/home/dgoulet/Documents/git/tor/src/app/tor+0x1ccdb9)
0x60e000002428 is located 8 bytes inside of 160-byte region [0x60e000002420,0x60e0000024c0)
freed by thread T0 here:
#0 0x7f656659f75f in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d75f)
#1 0x559683ab6fa4 in routerlist_free_ src/feature/nodelist/routerlist.c:968
#2 0x559683abab62 in routerlist_free_ src/feature/nodelist/routerlist.c:944
#3 0x559683abab62 in routerlist_free_all src/feature/nodelist/routerlist.c:1429
#4 0x5596838ce3f4 in tor_free_all src/app/main/shutdown.c:116
#5 0x5596838cc0c4 in tor_run_main src/app/main/main.c:1358
#6 0x5596838c86b8 in tor_main src/feature/api/tor_api.c:164
#7 0x5596838c1dbf in main src/app/main/tor_main.c:32
#8 0x7f6565a75b6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)
previously allocated by thread T0 here:
#0 0x7f656659fb58 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10db58)
#1 0x559683c7804e in tor_malloc_ src/lib/malloc/malloc.c:45
#2 0x559683c780e3 in tor_malloc_zero_ src/lib/malloc/malloc.c:71
#3 0x559683ab99f1 in router_get_routerlist src/feature/nodelist/routerlist.c:812
#4 0x559683aa4a88 in nodelist_assert_ok src/feature/nodelist/nodelist.c:853
#5 0x559683aace28 in nodelist_set_consensus src/feature/nodelist/nodelist.c:662
#6 0x559683a9b54a in networkstatus_set_current_consensus src/feature/nodelist/networkstatus.c:2137
#7 0x559683a9beb9 in reload_consensus_from_file src/feature/nodelist/networkstatus.c:1761
#8 0x559683a9bf8c in router_reload_consensus_networkstatus src/feature/nodelist/networkstatus.c:278
#9 0x5596838cb17f in run_tor_main_loop src/app/main/main.c:1180
#10 0x5596838cc0b4 in tor_run_main src/app/main/main.c:1328
#11 0x5596838c86b8 in tor_main src/feature/api/tor_api.c:164
#12 0x5596838c1dbf in main src/app/main/tor_main.c:32
#13 0x7f6565a75b6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)
SUMMARY: AddressSanitizer: heap-use-after-free src/feature/nodelist/routerlist.c:704 in router_get_by_descriptor_digest
Shadow bytes around the buggy address:
0x0c1c7fff8430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff8440: 00 00 00 02 fa fa fa fa fa fa fa fa 00 00 00 00
0x0c1c7fff8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05
0x0c1c7fff8460: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c1c7fff8470: 00 00 00 00 00 00 00 00 00 00 06 fa fa fa fa fa
=>0x0c1c7fff8480: fa fa fa fa fd[fd]fd fd fd fd fd fd fd fd fd fd
0x0c1c7fff8490: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c1c7fff84a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1c7fff84b0: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
0x0c1c7fff84c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1c7fff84d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
```Tor: 0.4.0.x-finalNick MathewsonNick Mathewson