[Pkg-privacy-maintainers] Bug#941483: torsocks: nc.openbsd in tight loop when talking to tor via libtorsocks

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Oct 1 12:39:22 BST 2019


Package: torsocks
Version: 2.3.0-2+b1
Severity: normal
Control: affects + netcat-openbsd

On my system right now, nc is in a tight loop, burning 100% CPU:

```
0 dkg@alice:~$ strace -p 10348 -T -ttt 2>&1 | head
strace: Process 10348 attached
1569928260.402113 select(4, [3], NULL, NULL, NULL) = 1 (in [3]) <0.000020>
1569928260.402195 recvfrom(3, "", 10, 0, NULL, NULL) = 0 <0.000015>
1569928260.402300 select(4, [3], NULL, NULL, NULL) = 1 (in [3]) <0.000008>
1569928260.402351 recvfrom(3, "", 10, 0, NULL, NULL) = 0 <0.000007>
1569928260.402394 select(4, [3], NULL, NULL, NULL) = 1 (in [3]) <0.000007>
1569928260.402436 recvfrom(3, "", 10, 0, NULL, NULL) = 0 <0.000006>
1569928260.402477 select(4, [3], NULL, NULL, NULL) = 1 (in [3]) <0.000007>
1569928260.402517 recvfrom(3, "", 10, 0, NULL, NULL) = 0 <0.000006>
1569928260.402558 select(4, [3], NULL, NULL, NULL) = 1 (in [3]) <0.000007>
0 dkg@alice:~$ lsof -p 10348
COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF    NODE NAME
nc      10348  dkg  cwd    DIR   254,3    24576  261633 /home/dkg
nc      10348  dkg  rtd    DIR   254,1     4096       2 /
nc      10348  dkg  txt    REG   254,1    43504  135774 /bin/nc.openbsd
nc      10348  dkg  mem    REG   254,1    51696  141113 /lib/x86_64-linux-gnu/libnss_files-2.29.so
nc      10348  dkg  mem    REG   254,1    14592  138268 /lib/x86_64-linux-gnu/libdl-2.29.so
nc      10348  dkg  mem    REG   254,1  1820104  135133 /lib/x86_64-linux-gnu/libc-2.29.so
nc      10348  dkg  mem    REG   254,1    84808  141227 /lib/x86_64-linux-gnu/libresolv-2.29.so
nc      10348  dkg  mem    REG   254,1    96568    5752 /usr/lib/x86_64-linux-gnu/libbsd.so.0.10.0
nc      10348  dkg  mem    REG   254,1    88160  133186 /usr/lib/x86_64-linux-gnu/torsocks/libtorsocks.so.0.0.0
nc      10348  dkg  mem    REG   254,1   165632  131306 /lib/x86_64-linux-gnu/ld-2.29.so
nc      10348  dkg    0r  FIFO    0,12      0t0 8164325 pipe
nc      10348  dkg    1w  FIFO    0,12      0t0 8164326 pipe
nc      10348  dkg    2u   CHR  136,14      0t0      17 /dev/pts/14
nc      10348  dkg    3u  IPv4 8165435      0t0     TCP localhost:48380->localhost:9050 (CLOSE_WAIT)
0 dkg@alice:~$ 
```

It was invoked as part of an ssh proxycommand:

    torsocks nc jsjr752kjv5evcwv.onion 22

(onion service name is anonymized here)

I tried using ltrace on the same process, but nothing was emitted --
it's doing this loop without crossing any dynamic linker boundaries.

With torsocks-dbgsym and netcat-openbsd-dbgsym installed, and gdb
attached to the process, I see this backtrace:


```
#0  0x00007fb931222187 in __GI___select (nfds=nfds@entry=4, readfds=readfds@entry=0x7fffa2739eb0, writefds=writefds@entry=0x0, exceptfds=exceptfds@entry=0x0, timeout=timeout@entry=0x0)
    at ../sysdeps/unix/sysv/linux/select.c:41
#1  0x00007fb931359623 in wait_on_fd (fd=3) at socks5.c:40
#2  0x00007fb931359838 in recv_data_impl (fd=3, buf=0x7fffa273a070, len=<optimized out>) at socks5.c:69
#3  0x00007fb93135a2b0 in socks5_recv_connect_reply (conn=conn@entry=0x55ca81f32340) at socks5.c:509
#4  0x00007fb931352fca in tsocks_connect_to_tor (conn=conn@entry=0x55ca81f32340) at torsocks.c:500
#5  0x00007fb9313539e1 in tsocks_connect (sockfd=<optimized out>, addr=0x55ca81f32320, addrlen=16) at connect.c:206
#6  0x000055ca80745a7c in connect_with_timeout (ctimeout=<optimized out>, salen=16, sa=0x55ca81f32320, fd=3) at netcat.c:1277
#7  remote_connect (host=0x7fffa273ba37 "jsjr752kjv5evcwv.onion", port=0x55ca81f321c0 "22", hints=...) at netcat.c:1203
#8  0x000055ca80743ce0 in main (argc=<optimized out>, argv=<optimized out>) at netcat.c:878
(gdb) 
```

Thanks for maintaining torsocks in Debian!

       --dkg

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages torsocks depends on:
ii  libc6  2.29-2

Versions of packages torsocks recommends:
ii  tor  0.4.1.6-1

torsocks suggests no packages.

-- no debconf information
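
Added example, not part of the original report and not torsocks code: the strace above shows `recvfrom()` returning 0 on a socket in CLOSE_WAIT while `select()` keeps reporting it readable, so a fixed-length read has to treat 0 as end-of-stream to terminate. The helper `recv_exact`, its return codes and the `demo` harness are hypothetical; the 10-byte length is taken from the `recvfrom` calls in the trace.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: read exactly len bytes from a stream socket.
 * Returns 0 on success, -1 on error, -2 if the peer closed first.
 * Assumes fd < FD_SETSIZE. */
static int recv_exact(int fd, void *buf, size_t len)
{
    char *p = buf;
    size_t got = 0;
    while (got < len) {
        fd_set rfds;
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        if (select(fd + 1, &rfds, NULL, NULL, NULL) < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        ssize_t n = recv(fd, p + got, len - got, 0);
        if (n > 0)
            got += (size_t)n;
        else if (n == 0)
            return -2; /* EOF: select() stays readable forever, so stop */
        else if (errno != EINTR && errno != EAGAIN && errno != EWOULDBLOCK)
            return -1;
    }
    return 0;
}

/* Constructed scenario: the peer sends `sent` bytes and closes; we want `want`. */
static int demo(size_t sent, size_t want)
{
    int sv[2], rc = -1;
    char out[16] = {0}, in[16];
    if (sent > sizeof out || want > sizeof in) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    int ok = (sent == 0) || send(sv[1], out, sent, 0) == (ssize_t)sent;
    close(sv[1]); /* our end is now in the same state as fd 3 in the lsof output */
    if (ok) rc = recv_exact(sv[0], in, want);
    close(sv[0]);
    return rc;
}

int main(void)
{
    printf("full=%d short=%d empty=%d\n", demo(10, 10), demo(3, 10), demo(0, 10));
    return 0;
}
```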


