Heap use-after-free on git master dbb0abc9
I found this issue by setting an invalid HiddenServiceDir containing two levels of directories that tor has to create but cannot, which leads to options_act() returning -1.
HiddenServiceDir /tmp/level1/level2
Here is the ASAN output:
==10573==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d000002948 at pc 0x55741b1f88d1 bp 0x7ffe0d70bc10 sp 0x7ffe0d70bc00
READ of size 8 at 0x61d000002948 thread T0
#0 0x55741b1f88d0 in or_options_free_ src/app/config/config.c:1005
#1 0x55741b2009af in config_free_all src/app/config/config.c:1034
#2 0x55741ad38034 in tor_free_all src/core/mainloop/main.c:3693
#3 0x55741ad38b6e in tor_run_main src/core/mainloop/main.c:4277
#4 0x55741ad2286b in tor_main src/feature/api/tor_api.c:164
#5 0x55741ad1d7cb in main src/app/main/tor_main.c:32
#6 0x7fc43440109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#7 0x55741ad219e9 in _start (/home/dgoulet/Documents/git/tor/src/app/tor+0x9119e9)
0x61d000002948 is located 200 bytes inside of 2264-byte region [0x61d000002880,0x61d000003158)
freed by thread T0 here:
#0 0x7fc43614cb70 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb70)
#1 0x55741b23e3e7 in config_free_ src/app/config/confparse.c:871
#2 0x55741b1f8548 in or_options_free_ src/app/config/config.c:1026
#3 0x55741b22bbcc in options_init_from_string src/app/config/config.c:5487
#4 0x55741b22d540 in options_init_from_torrc src/app/config/config.c:5233
#5 0x55741ad37098 in tor_init src/core/mainloop/main.c:3540
#6 0x55741ad389c0 in tor_run_main src/core/mainloop/main.c:4275
#7 0x55741ad2286b in tor_main src/feature/api/tor_api.c:164
#8 0x55741ad1d7cb in main src/app/main/tor_main.c:32
#9 0x7fc43440109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
previously allocated by thread T0 here:
#0 0x7fc43614cf30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30)
#1 0x55741b3b378a in tor_malloc_ src/lib/malloc/malloc.c:45
#2 0x55741b3b3821 in tor_malloc_zero_ src/lib/malloc/malloc.c:71
#3 0x55741b22b294 in options_init_from_string src/app/config/config.c:5336
#4 0x55741b22d540 in options_init_from_torrc src/app/config/config.c:5233
#5 0x55741ad37098 in tor_init src/core/mainloop/main.c:3540
#6 0x55741ad389c0 in tor_run_main src/core/mainloop/main.c:4275
#7 0x55741ad2286b in tor_main src/feature/api/tor_api.c:164
#8 0x55741ad1d7cb in main src/app/main/tor_main.c:32
#9 0x7fc43440109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
SUMMARY: AddressSanitizer: heap-use-after-free src/app/config/config.c:1005 in or_options_free_
Logs show:
Sep 14 10:20:00.000 [warn] Error creating directory /tmp/level1/level2: No such file or directory
Sep 14 10:20:00.000 [warn] Error loading rendezvous service keys
Sep 14 10:20:00.000 [err] set_options(): Bug: Acting on config options left us in a broken state. Dying. (on Tor 0.3.5.0-alpha-dev dbb0abc9f1a174ef)
What I can tell is that if options_act() returns -1, we'll inevitably end up in this situation, so this isn't HS only. It is kind of difficult to follow the stack trace, as the use-after-free points to a free(). I know that the pointer there is NULL at that time...