Skip to content

heap-use-after-free src/feature/nodelist/routerlist.c:704 in router_get_by_descriptor_digest

Doing some HS DoS testing and on ctrl+c of my tor client (unmodified), this showed up.

Tor version 0.4.2.0-alpha-dev (git-6afe1b00c9c73b1b).

(info.log attached to the ticket)

==16279==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000002428 at pc 0x559683ab9839 bp 0x7ffff3007db0 sp 0x7ffff3007da0
READ of size 8 at 0x60e000002428 thread T0
    #0 0x559683ab9838 in router_get_by_descriptor_digest src/feature/nodelist/routerlist.c:704
    #1 0x559683aa2a12 in count_usable_descriptors src/feature/nodelist/nodelist.c:2388
    #2 0x559683aa2f75 in compute_frac_paths_available src/feature/nodelist/nodelist.c:2448
    #3 0x559683aaf204 in update_router_have_minimum_dir_info src/feature/nodelist/nodelist.c:2701
    #4 0x559683aaf204 in router_have_minimum_dir_info src/feature/nodelist/nodelist.c:2301
    #5 0x559683a52714 in can_client_refetch_desc src/feature/hs/hs_client.c:1184
    #6 0x559683a52714 in hs_client_refetch_hsdesc src/feature/hs/hs_client.c:1350
    #7 0x559683a56bc2 in retry_all_socks_conn_waiting_for_desc src/feature/hs/hs_client.c:298
    #8 0x559683a56bc2 in hs_client_dir_info_changed src/feature/hs/hs_client.c:1936
    #9 0x559683abab62 in routerlist_free_ src/feature/nodelist/routerlist.c:944
    #10 0x559683abab62 in routerlist_free_all src/feature/nodelist/routerlist.c:1429
    #11 0x5596838ce3f4 in tor_free_all src/app/main/shutdown.c:116
    #12 0x5596838cc0c4 in tor_run_main src/app/main/main.c:1358
    #13 0x5596838c86b8 in tor_main src/feature/api/tor_api.c:164
    #14 0x5596838c1dbf in main src/app/main/tor_main.c:32
    #15 0x7f6565a75b6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)
    #16 0x5596838c7db9 in _start (/home/dgoulet/Documents/git/tor/src/app/tor+0x1ccdb9)

0x60e000002428 is located 8 bytes inside of 160-byte region [0x60e000002420,0x60e0000024c0)
freed by thread T0 here:
    #0 0x7f656659f75f in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d75f)
    #1 0x559683ab6fa4 in routerlist_free_ src/feature/nodelist/routerlist.c:968
    #2 0x559683abab62 in routerlist_free_ src/feature/nodelist/routerlist.c:944
    #3 0x559683abab62 in routerlist_free_all src/feature/nodelist/routerlist.c:1429
    #4 0x5596838ce3f4 in tor_free_all src/app/main/shutdown.c:116
    #5 0x5596838cc0c4 in tor_run_main src/app/main/main.c:1358
    #6 0x5596838c86b8 in tor_main src/feature/api/tor_api.c:164
    #7 0x5596838c1dbf in main src/app/main/tor_main.c:32
    #8 0x7f6565a75b6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)

previously allocated by thread T0 here:
    #0 0x7f656659fb58 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10db58)
    #1 0x559683c7804e in tor_malloc_ src/lib/malloc/malloc.c:45
    #2 0x559683c780e3 in tor_malloc_zero_ src/lib/malloc/malloc.c:71
    #3 0x559683ab99f1 in router_get_routerlist src/feature/nodelist/routerlist.c:812
    #4 0x559683aa4a88 in nodelist_assert_ok src/feature/nodelist/nodelist.c:853
    #5 0x559683aace28 in nodelist_set_consensus src/feature/nodelist/nodelist.c:662
    #6 0x559683a9b54a in networkstatus_set_current_consensus src/feature/nodelist/networkstatus.c:2137
    #7 0x559683a9beb9 in reload_consensus_from_file src/feature/nodelist/networkstatus.c:1761
    #8 0x559683a9bf8c in router_reload_consensus_networkstatus src/feature/nodelist/networkstatus.c:278
    #9 0x5596838cb17f in run_tor_main_loop src/app/main/main.c:1180
    #10 0x5596838cc0b4 in tor_run_main src/app/main/main.c:1328
    #11 0x5596838c86b8 in tor_main src/feature/api/tor_api.c:164
    #12 0x5596838c1dbf in main src/app/main/tor_main.c:32
    #13 0x7f6565a75b6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)

SUMMARY: AddressSanitizer: heap-use-after-free src/feature/nodelist/routerlist.c:704 in router_get_by_descriptor_digest
Shadow bytes around the buggy address:
  0x0c1c7fff8430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff8440: 00 00 00 02 fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1c7fff8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05
  0x0c1c7fff8460: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1c7fff8470: 00 00 00 00 00 00 00 00 00 00 06 fa fa fa fa fa
=>0x0c1c7fff8480: fa fa fa fa fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c1c7fff8490: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1c7fff84a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1c7fff84b0: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1c7fff84c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1c7fff84d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information