SIGSEGV on potentially malformed state file
Hello,
At least after abruptly shutting down my laptop (but am unsure if it happened before or not), my Tor became unable to start, generating a SIGSEGV.
Tor version
Tor version 0.4.6.5.
Tor is running on OpenBSD with Libevent 2.1.11-stable, OpenSSL LibreSSL 3.4.0, Zlib 1.2.11, Liblzma N/A, Libzstd N/A and Unknown N/A as libc.
Tor compiled with clang version 11.1.0
OpenBSD version is -current, their dev branch, basically.
torrc
(edited from the package's default to log to stderr and not daemonizing)
Log debug stderr
RunAsDaemon 0
DataDirectory /var/tor
User _tor
Log
Jul 25 19:10:18.107 [notice] Tor 0.4.6.5 running on OpenBSD with Libevent 2.1.11-stable, OpenSSL LibreSSL 3.4.0, Zlib 1.2.11, Liblzma N/A, Libzstd N/A and Unknown N/A as libc.
Jul 25 19:10:18.108 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jul 25 19:10:18.108 [notice] Read configuration file "/tmp/tmp.CxgrTzT1SV/torrc".
Jul 25 19:10:18.116 [notice] Opening Socks listener on 127.0.0.1:9050
Jul 25 19:10:18.116 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9050
Jul 25 19:10:18.000 [warn] Your log may contain sensitive information - you're logging more than "notice". Don't log unless it serves an important reason. Overwrite the log afterwards.
Jul 25 19:10:18.000 [info] options_commit_listener_transaction: Recomputed OOS thresholds: ConnLimit 1000, ConnLimit_ 992, ConnLimit_high_thresh 943, ConnLimit_low_thresh 744
Jul 25 19:10:18.000 [info] crypto_openssl_late_init: NOT using OpenSSL engine support.
Jul 25 19:10:18.000 [info] evaluate_evp_for_aes: This version of OpenSSL has a known-good EVP counter-mode implementation. Using it.
Jul 25 19:10:18.000 [debug] tor_disable_debugger_attach: Attempting to disable debugger attachment to Tor for unprivileged users.
Jul 25 19:10:18.000 [info] tor_lockfile_lock: Locking "/var/tor/lock"
Jul 25 19:10:18.000 [debug] parse_dir_authority_line: Trusted 100 dirserver at 128.31.0.39:9131 (9695)
Jul 25 19:10:18.000 [debug] parse_dir_authority_line: Trusted 100 dirserver at 86.59.21.38:80 (847B)
Jul 25 19:10:18.000 [debug] parse_dir_authority_line: Trusted 100 dirserver at 45.66.33.45:80 (7EA6)
Jul 25 19:10:18.000 [debug] parse_dir_authority_line: Trusted 16 dirserver at 66.111.2.131:9030 (BA44)
Jul 25 19:10:18.000 [debug] parse_dir_authority_line: Trusted 100 dirserver at 131.188.40.189:80 (F204)
Jul 25 19:10:18.000 [debug] parse_dir_authority_line: Trusted 100 dirserver at 193.23.244.244:80 (7BE6)
Jul 25 19:10:18.000 [debug] parse_dir_authority_line: Trusted 100 dirserver at 171.25.193.9:443 (BD6A)
Jul 25 19:10:18.000 [debug] parse_dir_authority_line: Trusted 100 dirserver at 154.35.175.225:80 (CF6D)
Jul 25 19:10:18.000 [debug] parse_dir_authority_line: Trusted 100 dirserver at 199.58.81.140:80 (74A9)
Jul 25 19:10:18.000 [debug] parse_dir_authority_line: Trusted 100 dirserver at 204.13.164.118:80 (24E2)
Jul 25 19:10:18.000 [debug] file_status: stat()ing /var/tor/state
Jul 25 19:10:18.000 [debug] subsystems_register_state_formats: Added state format for mainloop with index 0
Jul 25 19:10:18.000 [info] or_state_load: Loaded state from "/var/tor/state"
Jul 25 19:10:18.000 [debug] get_guard_selection_by_name: Creating a guard selection called default
Jul 25 19:10:18.000 [info] sampled_guards_update_from_consensus: Not updating the sample guard set; we have no reasonably live consensus.
Jul 25 19:10:18.000 [debug] entry_guard_set_filtered_flags: Updated sampled guard mj4 ($CE863C22AD5ABBEAF606AE35A22781C409D895E5): filtered=0; reachable_filtered=0.
Jul 25 19:10:18.000 [debug] entry_guard_set_filtered_flags: Updated sampled guard QuantumOnion252 ($58EE968A24700C0B51D7496B5273ADBE274EC4B1): filtered=0; reachable_filtered=0.
Jul 25 19:10:18.000 [debug] entry_guard_set_filtered_flags: Updated sampled guard FreedomForParrots2 ($C0E6A667064385B9CB5A685CEB06B85EDDA6AA00): filtered=0; reachable_filtered=0.
Jul 25 19:10:18.000 [debug] entry_guard_set_filtered_flags: Updated sampled guard 1torexit ($AED4A69836630A3375845006B5AAD03BFA3F96DC): filtered=0; reachable_filtered=0.
Jul 25 19:10:18.000 [debug] entry_guard_set_filtered_flags: Updated sampled guard brooke ($F5F4019509109A07E90C45A022CEED9ECA1643C8): filtered=0; reachable_filtered=0.
Jul 25 19:10:18.000 [debug] entry_guard_set_filtered_flags: Updated sampled guard torx1steack ($EE63C70C2126DBC6AB5DAD1C5A95935C31409742): filtered=0; reachable_filtered=0.
Jul 25 19:10:18.000 [debug] entry_guard_set_filtered_flags: Updated sampled guard helena ($5CFC486780CBD4446B764E51608D6574003B350D): filtered=0; reachable_filtered=0.
Jul 25 19:10:18.000 [debug] entry_guard_set_filtered_flags: Updated sampled guard Unnamed ($C63110BDD8736D2C2A733FF962F58D58FDE63A2D): filtered=0; reachable_filtered=0.
Jul 25 19:10:18.000 [debug] entry_guard_set_filtered_flags: Updated sampled guard TOR2DFN01a ($3239007CE1FB2ECDFDF2067DF23B949295DC5EF6): filtered=0; reachable_filtered=0.
Jul 25 19:10:18.000 [debug] entry_guard_set_filtered_flags: Updated sampled guard ax01 ($F0F2CEF702D60AC53747CA6A7CA0C5C145F873F9): filtered=0; reachable_filtered=0.
Jul 25 19:10:18.000 [debug] entry_guard_set_filtered_flags: Updated sampled guard VivelaFrance ($022A5535F42B1A9F9AA755C4EAB5F36FEF9781D8): filtered=0; reachable_filtered=0.
Jul 25 19:10:18.000 [debug] entry_guard_set_filtered_flags: Updated sampled guard GoofyRooster ($243996E46218666C1CADDE17B430EA7F95124F96): filtered=0; reachable_filtered=0.
Jul 25 19:10:18.000 [info] first_reachable_filtered_entry_guard: Trying to sample a reachable guard: We know of 0 in the USABLE_FILTERED set.
Jul 25 19:10:18.000 [info] first_reachable_filtered_entry_guard: (That isn't enough. Trying to expand the sample.)
Jul 25 19:10:18.000 [info] entry_guards_expand_sample: Not expanding the sample guard set; we have no reasonably live consensus.
Jul 25 19:10:18.000 [info] first_reachable_filtered_entry_guard: (After filters [b], we have 0 guards to consider.)
Jul 25 19:10:18.000 [warn] Too many build times in state file. Stopping short before 1
Jul 25 19:10:18.000 [info] circuit_build_times_parse_state: Adding 3 timeouts.
============================================================ T= 1627240218
Tor 0.4.6.5 died: Caught signal 11
Abort trap
Despite having ulimit -c unlimited, I'm unable to get a core dump to provide additional info. I also tried to compile Tor with -fasynchronous-unwind-tables, which OpenBSD does disable for the port (reason in https://raw.githubusercontent.com/openbsd/ports/8200b4a7f5e46eaa69a3cf261d27034396b178ab/net/tor/patches/patch-configure_ac ), but I'm still unable to generate a core dump or a backtrace.
The culprit of the issue seems to be my state file, which I'll attach to the ticket (if able after creating it--this interface seemingly doesn't provide an option to do so). In particular,
Based on the log output, comparing against Git tag 0.4.6.5, it makes it at least until line https://gitweb.torproject.org/tor.git/tree/src/core/or/circuitstats.c?h=tor-0.4.6.5#n1079 but does not reach https://gitweb.torproject.org/tor.git/tree/src/core/or/circuitstats.c?h=tor-0.4.6.5#n1103 .
If I can provide the team with more information, I'll gladly do so.
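Added example, not part of the original report and not Tor's code: a bounds-checked loader for the build-time section of a state file, showing how a "too many build times" input can be clamped instead of overrunning a fixed buffer. The key names CircuitBuildTimeBin and CircuitBuildAbandonedCount, the 1000-entry cap, the marker value and the rule that abandoned entries share the buffer are assumptions; the report does not establish the root cause of the crash.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TIMES 1000u          /* assumed capacity of the build-time buffer */
#define MAX_MS    0x7ffffffeu    /* assumed largest valid build time, in ms */
#define ABANDONED 0x7fffffffu    /* assumed marker for an abandoned circuit */

struct cbt_load { unsigned loaded, abandoned; int truncated, malformed; };

/* Parse one unsigned decimal field no larger than max; advance *s past it. */
static int field(const char **s, unsigned long max, unsigned long *out)
{
    char *end;
    if (**s < '0' || **s > '9') return 0;      /* rejects "-1", "+1", "" */
    errno = 0;
    *out = strtoul(*s, &end, 10);
    *s = end;
    return !errno && *out <= max;
}

/* Fill out[] from state-file text without ever writing past MAX_TIMES. */
struct cbt_load cbt_load_state(const char *text, unsigned out[MAX_TIMES])
{
    static const char BIN[] = "CircuitBuildTimeBin ";
    static const char ABN[] = "CircuitBuildAbandonedCount ";
    struct cbt_load r = {0, 0, 0, 0};
    unsigned long ms, n, want_abandoned = 0;
    for (const char *p = text, *q; p && *p; p = strchr(p, '\n'), p = p ? p + 1 : NULL) {
        if (!strncmp(p, ABN, sizeof ABN - 1)) {
            q = p + sizeof ABN - 1;
            if (field(&q, MAX_TIMES, &n) && (*q == '\n' || !*q)) want_abandoned = n;
            else r.malformed = 1;
        } else if (!strncmp(p, BIN, sizeof BIN - 1)) {
            q = p + sizeof BIN - 1;
            if (!field(&q, MAX_MS, &ms) || *q++ != ' ' || !field(&q, MAX_TIMES, &n)
                || (*q != '\n' && *q)) { r.malformed = 1; continue; }
            if (n > MAX_TIMES - r.loaded) { n = MAX_TIMES - r.loaded; r.truncated = 1; }
            while (n--) out[r.loaded++] = (unsigned)ms;   /* bounded by the clamp above */
        }
    }
    /* Abandoned entries share the buffer, so clamp them against what is left. */
    if (want_abandoned > MAX_TIMES - r.loaded) { want_abandoned = MAX_TIMES - r.loaded; r.truncated = 1; }
    for (n = 0; n < want_abandoned; n++) out[r.loaded + n] = ABANDONED;
    r.abandoned = (unsigned)want_abandoned;
    return r;
}
```

A caller would log a warning when truncated or malformed is set and continue with the entries that were loaded.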