Buffer overflow rtorrent 0.9.8

[pandamasta]

Hello,

My rtorrent client crash sporadicaly on Debian 12

rtorrent -h
Rakshasa's BitTorrent client version 0.9.8.

Caught internal_error: Handshake::fill_read_buffer(...) Buffer overflow.
/lib/x86_64-linux-gnu/libtorrent.so.21(_ZN7torrent14internal_error10initializeERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+0x250) [0x749740bd6c80]
rtorrent(_ZN7torrent14internal_errorC1EPKc+0xaf) [0x6059a2de2f8f]
/lib/x86_64-linux-gnu/libtorrent.so.21(+0x379ba) [0x749740bcc9ba]
/lib/x86_64-linux-gnu/libtorrent.so.21(+0xa9afa) [0x749740c3eafa]
/lib/x86_64-linux-gnu/libtorrent.so.21(_ZN7torrent9PollEPoll7performEv+0xca) [0x749740bdfd3a]
/lib/x86_64-linux-gnu/libtorrent.so.21(_ZN7torrent11thread_base10event_loopEPS0_+0x115) [0x749740c0d195]
rtorrent(+0x41a4e) [0x6059a2d7aa4e]
/lib/x86_64-linux-gnu/libc.so.6(+0x2724a) [0x74974064624a]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x85) [0x749740646305]
rtorrent(+0x422da) [0x6059a2d7b2da]

Please let me know how can I help on this by providing more helpful trace

Regards

[rakshasa]

Can you compile libtorrent/rtorrent from master branch?

[Abasz]

I tried to compile master branch but I am not able to complete the configure because I get the following error:

.in'ig.status: error: cannot find input file: `

EDIT: I was able to solve the .in'ig status issue. It turns out that for some reason the line endings on my Ubuntu 24.04 had to be fixed... after running dos2unix on the configure.ac it is able to do the configuration.

However, now when compiling I get a lot of errors like here: #1273

Though I think libtorrent is correctly compiled and installed.

[Abasz]

Ok, after some trial error I was able to compile. libtorrent was not installed correctly. Actually my struggle was that I installed from official ubuntu PPA a version of rtorrent that got conflicted. So after I removed every trace of rtorrent, and recompiled everything in order all worked.

Just a side note: for some reason I had to run dos2unix on every automake/autoconfig file (otherwise I was getting random autoconf errors). I used the following commands from the rtorrent/libtorrent directory:

find . -name \*.m4|xargs dos2unix
find . -name \*.ac|xargs dos2unix
find . -name \*.am|xargs dos2unix

after that atuoreconf -vif worked.

[pandamasta]

Hello,

So please follow what I did to build libtorrent and rtorrent.
I guess I use the last libtorrent and rtorrent

It's my first build like that so any feedback are welcome :)

i'm waiting the next crash (if it's happen)

*** rTorrent 0.9.8/0.13.8 ***

Prepare working directory and dependancy

mkdir -p ~/rtorrent_build/{libtorrent_install,rtorrent_install}

sudo apt-get update
sudo apt-get install build-essential pkg-config libtool automake libssl-dev libcurl4-openssl-dev libxmlrpc-c++8-dev libxmlrpc-core-c3-dev libncurses5-dev libncursesw5-dev

Build libtorrent

cd ~/rtorrent_build
git clone https://github.com/rakshasa/libtorrent.git
cd libtorrent

autoreconf -i
./configure --prefix=$HOME/rtorrent_build/libtorrent_install
make
make install

Build rtorrent

cd ~/rtorrent_build
git clone https://github.com/rakshasa/rtorrent.git
cd rtorrent

Configure rTorrent with support of libtorrent and xmlrpc-c

export CFLAGS="-I$HOME/rtorrent_build/libtorrent_install/include"
export LDFLAGS="-L$HOME/rtorrent_build/libtorrent_install/lib"
export PKG_CONFIG_PATH=$HOME/rtorrent_build/libtorrent_install/lib/pkgconfig:$PKG_CONFIG_PATH

autoreconf -i

./configure --prefix=$HOME/rtorrent_build/rtorrent_install --with-xmlrpc-c

make
make install

Use compiled version of libtorrent and rtorrent

export PATH=$HOME/rtorrent_build/rtorrent_install/bin:$PATH
export LD_LIBRARY_PATH=$HOME/rtorrent_build/libtorrent_install/lib:$LD_LIBRARY_PATH
export PKG_CONFIG_PATH=$HOME/rtorrent_build/libtorrent_install/lib/pkgconfig:$PKG_CONFIG_PATH

Ensure the compiled version is prioretized

which rtorrent
~/rtorrent_build/rtorrent_install/bin/rtorrent

ldd ~/rtorrent_build/rtorrent_install/bin/rtorrent | grep libtorrent
        libtorrent.so.21 => ~/rtorrent_build/libtorrent_install/lib/libtorrent.so.21 (0x000071ca0415b000)

[pandamasta]

Hello;

I crash again.
How could I proceed to spot this segfault in the code ?

Caught internal_error: Handshake::fill_read_buffer(...) Buffer overflow.
/home/rtorrent_build/libtorrent_install/lib/libtorrent.so.21(_ZN7torrent14internal_error10initializeERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+0x5f) [0x7520c31b820f]
rtorrent(_ZN7torrent14internal_errorC1EPKc+0x76) [0x58ae228c7f46]
/home/rtorrent_build/libtorrent_install/lib/libtorrent.so.21(+0x3c9c6) [0x7520c31839c6]
/home/rtorrent_build/libtorrent_install/lib/libtorrent.so.21(+0xaee3c) [0x7520c31f5e3c]
/home/rtorrent_build/libtorrent_install/lib/libtorrent.so.21(_ZN7torrent9PollEPoll7performEv+0xca) [0x7520c31bf11a]
/home/rtorrent_build/libtorrent_install/lib/libtorrent.so.21(_ZN7torrent11thread_base10event_loopEPS0_+0x12a) [0x7520c31b46aa]
rtorrent(+0x38ab5) [0x58ae228c0ab5]
/lib/x86_64-linux-gnu/libc.so.6(+0x2724a) [0x7520c2c4624a]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x85) [0x7520c2c46305]
rtorrent(+0x393e1) [0x58ae228c13e1]

[Abasz]

So I experienced this issue only on Ubuntu 24.04.01 (i.e. Noble).

Based on this issue report: https://bugs.launchpad.net/ubuntu/+source/rtorrent/+bug/2063110 together with some debug logging I traced the issue down to this line:

rtorrent/src/utils/lockfile.cc

Line 101 in d067bd8

::snprintf(buf + std::strlen(buf), 255, ":+%i\n", ::getpid());

Which was of course a slight reinventing of the wheel as this fas fixed in this commit: 92bec88

So if you compile latest master correctly I think your issue should be resolved.

[pandamasta]

Hi Abasz,

Unfortunatly at some point it crash,whereas I build with the last master 9a93281

$ /home/rtorrent_build/rtorrent_install/bin/rtorrent

Caught internal_error: Handshake::fill_read_buffer(...) Buffer overflow.
/home/rtorrent_build/libtorrent_install/lib/libtorrent.so.21(_ZN7torrent14internal_error10initializeERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+0x5f) [0x76399276b20f]
/home/rtorrent_build/rtorrent_install/bin/rtorrent(_ZN7torrent14internal_errorC1EPKc+0x76) [0x619a7114ef46]
/home/rtorrent_build/libtorrent_install/lib/libtorrent.so.21(+0x3c9c6) [0x7639927369c6]
/home/rtorrent_build/libtorrent_install/lib/libtorrent.so.21(+0xaee3c) [0x7639927a8e3c]
/home/rtorrent_build/libtorrent_install/lib/libtorrent.so.21(_ZN7torrent9PollEPoll7performEv+0xca) [0x76399277211a]
/home/rtorrent_build/libtorrent_install/lib/libtorrent.so.21(_ZN7torrent11thread_base10event_loopEPS0_+0x12a) [0x7639927676aa]
/home/rtorrent_build/rtorrent_install/bin/rtorrent(+0x38ab5) [0x619a71147ab5]
/lib/x86_64-linux-gnu/libc.so.6(+0x2724a) [0x76399224624a]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x85) [0x763992246305]
/home/rtorrent_build/rtorrent_install/bin/rtorrent(+0x393e1) [0x619a711483e1]

 ldd /home/rtorrent_build/rtorrent_install/bin/rtorrent | grep torrent
        libtorrent.so.21 => /home/rtorrent_build/libtorrent_install/lib/libtorrent.so.21 (0x00007258189f6000)

As you can see the patch is there

 sed -n 100,105p src/utils/lockfile.cc

  if (pos == 0) {
    ssize_t len = std::strlen(buf);
    ::snprintf(buf + len, 255 - len, ":+%i\n", ::getpid());
    int __UNUSED result = ::write(fd, buf, std::strlen(buf));
  }

Look the issue is elsewhere ?
Let me know if I miss something

Regards

[Abasz]

Its the same error the above patch sopposed to fix. But I cannot reproduce this.

[pandamasta]

Ok thx, I have rebuild with debug symbol and running in GDB, let's see when it crash

[pandamasta]

I got this backtrace

(gdb) bt
#0  __libc_send (flags=<optimized out>, len=16384, buf=0x5555559f44f0, fd=110) at ../sysdeps/unix/sysv/linux/send.c:28
#1  __libc_send (fd=110, buf=0x5555559f44f0, len=16384, flags=0) at ../sysdeps/unix/sysv/linux/send.c:23
#2  0x00007ffff7c43c9d in torrent::SocketStream::write_stream (this=0x5555565d1b80, buf=0x5555559f44f0, length=16384) at net/socket_stream.h:94
#3  0x00007ffff7c439a8 in torrent::SocketStream::write_stream_throws (this=0x5555565d1b80, buf=0x5555559f44f0, length=16384) at net/socket_stream.cc:80
#4  0x00007ffff7c58ca4 in torrent::PeerConnectionBase::up_chunk (this=0x5555565d1b70) at protocol/peer_connection_base.cc:784
#5  0x00007ffff7c614c6 in torrent::PeerConnection<(torrent::Download::ConnectionType)1>::event_write (this=0x5555565d1b70) at protocol/peer_connection_leech.cc:627
#6  0x00007ffff7bcb2cf in torrent::PollEPoll::perform (this=0x55555572a610) at poll_epoll.cc:190
#7  0x00007ffff7bcb492 in torrent::PollEPoll::do_poll (this=0x55555572a610, timeout_usec=823781, flags=0) at poll_epoll.cc:224
#8  0x00007ffff7bb7fcd in torrent::thread_base::event_loop (thread=0x555555728190) at utils/thread_base.cc:150
#9  0x000055555558eab5 in main (argc=1, argv=0x7fffffffe458) at main.cc:497
(gdb) 

[rakshasa]

That it now crashes another place is suspicious, as running it in gdb would change how the program is loaded/initialized into memory.

So it isn't a bug in the handshake code, my suspicion is either corrupt physical memory or a bug in the linker or something like that.

BTW, make sure that what you got above was a segfault and not a SIGPIPE. So do the following before run:

handle SIGPIPE nostop noprint pass

[pandamasta]

Please find the output, I set the GDB value you've mentioned

(gdb) run
Starting program: /home/rtorrent_build/rtorrent_install/bin/rtorrent
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff66006c0 (LWP 336608)]
Caught internal_error: Handshake::fill_read_buffer(...) Buffer overflow.
/home/rtorrent_build/libtorrent_install/lib/libtorrent.so.21(_ZN7torrent14internal_error10initializeERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+0x4b) [0x7ffff7bc1f95]
/home/rtorrent_build/rtorrent_install/bin/rtorrent(_ZN7torrent14internal_errorC2EPKc+0x76) [0x555555595f46]
/home/rtorrent_build/libtorrent_install/lib/libtorrent.so.21(+0x24c8d6) [0x7ffff7c4c8d6]
/home/rtorrent_build/libtorrent_install/lib/libtorrent.so.21(+0x24c22e) [0x7ffff7c4c22e]
/home/rtorrent_build/libtorrent_install/lib/libtorrent.so.21(_ZN7torrent9PollEPoll7performEv+0x1bf) [0x7ffff7bcb265]
/home/rtorrent_build/libtorrent_install/lib/libtorrent.so.21(_ZN7torrent9PollEPoll7do_pollEli+0x198) [0x7ffff7bcb492]
/home/rtorrent_build/libtorrent_install/lib/libtorrent.so.21(_ZN7torrent11thread_base10event_loopEPS0_+0x33b) [0x7ffff7bb7fcd]
/home/rtorrent_build/rtorrent_install/bin/rtorrent(+0x3aab5) [0x55555558eab5]
/lib/x86_64-linux-gnu/libc.so.6(+0x2724a) [0x7ffff784624a]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x85) [0x7ffff7846305]
/home/rtorrent_build/rtorrent_install/bin/rtorrent(+0x3b3e1) [0x55555558f3e1]
[Thread 0x7ffff66006c0 (LWP 376708) exited]
[Thread 0x7ffff7486f00 (LWP 376705) exited]
[Thread 0x7fffef6006c0 (LWP 376709) exited]
[New process 376705]
[Inferior 1 (process 376705) exited with code 0377]
(gdb) bt
No stack.           

I have no core file so I set 'ulimit -c unlimited' to see if I can generate a core

How can I help more ?

[rakshasa]

I'll have to add better logging of handshake events to debug this, so it's going to take a bit of time.

[pandamasta]

Ok I'll be there to help for debugging if needed.
Cheers