Project

General

Profile

Actions

Bug #1070

closed

master-2013-12-02: SEGV in conf-yaml-loader.c: parent node not defined

Added by Mark Solaris about 9 years ago. Updated about 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Solaris 11 x86
Sun Studio Compiler

YAML parser verifys the version is OK, then on the first non-comment line it crashes:

%YAML 1.1
---

# Suricata configuration file. In addition to the comments describing all
# options in this file, full documentation can be found at:
# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml

# Number of packets allowed to be processed simultaneously.  Default is a
# conservative 1024. A higher number will make sure CPU's/CPU cores will be
# more easily kept busy, but may negatively impact caching.
#
# If you are using the CUDA pattern matcher (b2g_cuda below), different rules
# apply. In that case try something like 4000 or more. This is because the CUDA
# pattern matcher scans many packets in parallel.
max-pending-packets: 8192

t@1 (l@1) signal SEGV (no mapping at the fault address) in ConfYamlParse at line 233 in file "conf-yaml-loader.c" 
  233                       if (parent->is_seq) {
(dbx) where                               
current thread: t@1
=>[1] ConfYamlParse(parser = 0xfeffd5c0, parent = (nil), inseq = 0), line 233 in "conf-yaml-loader.c" 
  [2] ConfYamlParse(parser = 0xfeffd5c0, parent = (nil), inseq = 0), line 307 in "conf-yaml-loader.c" 
  [3] ConfYamlLoadFile(filename = 0xfeffe9fb "/apps/ids/suricata/conf/suricata.yaml"), line 380 in "conf-yaml-loader.c" 
  [4] LoadYamlConfig(conf_filename = 0xfeffe9fb "/apps/ids/suricata/conf/suricata.yaml"), line 818 in "suricata.c" 
  [5] main(argc = 19, argv = 0xfeffe870), line 2033 in "suricata.c" 

(dbx) dump
n0 = (nil)
tag = (nil)
value = 0xa243418 "max-pending-packets" 
event = RECORD
seq_idx = 0
done = 0
node = (nil)
parent = (nil)
inseq = 0
parser = 0xfeffd5b0
__FUNCTION__ = "ConfYamlParse" 
state = 0

(dbx) print event
event = {
    type       = YAML_SCALAR_EVENT
    data       = {
        stream_start   = {
            encoding = YAML_ANY_ENCODING
        }
        document_start = {
            version_directive = (nil)
            tag_directives    = {
                start = (nil)
                end   = 0xa243418
            }
            implicit          = 19
        }
        document_end   = {
            implicit = 0
        }
        alias          = {
            anchor = (nil)
        }
        scalar         = {
            anchor          = (nil)
            tag             = (nil)
            value           = 0xa243418 "max-pending-packets" 
            length          = 19U
            plain_implicit  = 1
            quoted_implicit = 0
            style           = YAML_PLAIN_SCALAR_STYLE
        }
        sequence_start = {
            anchor   = (nil)
            tag      = (nil)
            implicit = 170144792
            style    = <unknown enum member 19>
        }
        mapping_start  = {
            anchor   = (nil)
            tag      = (nil)
            implicit = 170144792
            style    = <unknown enum member 19>
        }
    }
    start_mark = {
        index  = 651U
        line   = 15U
        column = 0
    }
    end_mark   = {
        index  = 670U
        line   = 15U
        column = 19U
    }
}

(dbx) print *parser
*parser = {
    error                 = YAML_NO_ERROR
    problem               = (nil)
    problem_offset        = 0
    problem_value         = 0
    problem_mark          = {
        index  = 0
        line   = 0
        column = 0
    }
    context               = (nil)
    context_mark          = {
        index  = 0
        line   = 0
        column = 0
    }
    read_handler          = 0xfe4f49f0 = &`libyaml-0.so.2.0.2`api.c`yaml_file_read_handler(void *data, unsigned char *buffer, size_t size, size_t *size_read)
    read_handler_data     = 0xfeffd5b0
    input                 = {
        string = {
            start   = 0x9db67f0 "ßZ" 
            end     = (nil)
            current = (nil)
        }
        file   = 0x9db67f0
    }
    eof                   = 0
    buffer                = {
        start   = 0xa24bb58 "%YAML 1.1\n---\n\n# Suricata configuration file. In addition to the comments describing all\n# options in this file, full documentation can be found at:\n# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml\n\n\n# Number of packets allowed to be processed simultaneously.  Default is a\n# conservative 1024. A higher number will make sure CPU's/CPU cores will be\n# more easily kept busy, but may negatively impact caching.\n#\n# If you are using the CUDA pattern matcher (b2g_cuda below), differe" ... use -L option to see the whole string 
        end     = 0xa257b58 "\x81^B" 
        pointer = 0xa24bdf7 " 8192\n\n# Runmode the engine should use. Please check --list-runmodes to get the available\n# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned\n# load balancing).\n# runmode: autofp\nrunmode: workers\n\n# Specifies the kind of flow load balancer used by the flow pinned autofp mode.\n#\n# Supported schedulers are:\n#\n# round-robin       - Flows assigned to threads in a round robin fashion.\n# active-packets    - Flows assigned to threads that have the lowest number of\n#               " ... use -L option to see the whole string 
        last    = 0xa24fb58 "" 
    }
    unread                = 15711U
    raw_buffer            = {
        start   = 0xa247b50 "%YAML 1.1\n---\n\n# Suricata configuration file. In addition to the comments describing all\n# options in this file, full documentation can be found at:\n# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml\n\n\n# Number of packets allowed to be processed simultaneously.  Default is a\n# conservative 1024. A higher number will make sure CPU's/CPU cores will be\n# more easily kept busy, but may negatively impact caching.\n#\n# If you are using the CUDA pattern matcher (b2g_cuda below), differe" ... use -L option to see the whole string 
        end     = 0xa24bb50 "^AÀ" 
        pointer = 0xa24bb50 "^AÀ" 
        last    = 0xa24bb50 "^AÀ" 
    }
    encoding              = YAML_UTF8_ENCODING
    offset                = 16384U
    mark                  = {
        index  = 671U
        line   = 15U
        column = 20U
    }
    stream_start_produced = 1
    stream_end_produced   = 0
    flow_level            = 0
    tokens                = {
        start = 0xa257b60
        end   = 0xa257de0
        head  = 0xa257c50
        tail  = 0xa257c78
    }
    tokens_parsed         = 6U
    token_available       = 0
    indents               = {
        start = 0xa257de8
        end   = 0xa257e28
        top   = 0xa257dec
    }
    indent                = 0
    simple_key_allowed    = 0
    simple_keys           = {
        start = 0xa257e30
        end   = 0xa257fb0
        top   = 0xa257e48
    }
    states                = {
        start = 0xa257fb8
        end   = 0xa257ff8
        top   = 0xa257fbc
    }
    state                 = YAML_PARSE_BLOCK_MAPPING_VALUE_STATE
    marks                 = {
        start = 0xa258000
        end   = 0xa2580c0
        top   = 0xa25800c
    }
    tag_directives        = {
        start = 0xa2580c8
        end   = 0xa258148
        top   = 0xa2580d8
    }
    aliases               = {
        start = (nil)
        end   = (nil)
        top   = (nil)
    }
    document              = (nil)
}
Actions #1

Updated by Mark Solaris about 9 years ago

I wonder if 'root' not being unique is messing it up?

Solaris 11 x86:
Reading libpcap.so.1.4.0

Solaris 11 SPARC (problem doesn't exist):
Reading libpcap.so.1.5.1

(dbx) print *root
More than one identifier 'root'.
Select one of the following:
 0) Cancel
 1) `suricata`conf.c`root
 2) `libpcap.so.1.4.0`gencode.c`root
> 1
*`suricata`conf.c`root = {
    name           = (nil)
    val            = (nil)
    is_seq         = 0
    allow_override = 1
    parent         = (nil)
    head           = {
        tqh_first = (nil)
        tqh_last  = 0xa244db4
    }
    next           = {
        tqe_next = (nil)
        tqe_prev = (nil)
    }
}

Recompiling libpcap 1.5.1 on Solaris 11 x86....

Actions #2

Updated by Mark Solaris about 9 years ago

That didn't affect anything.

Running suricata in debug mode:

[1] 17/12/2013 -- 14:14:04 - (suricata.c:813) <Debug> (LoadYamlConfig) -- Entering ... >>
[1] 17/12/2013 -- 14:14:04 - (conf-yaml-loader.c:183) <Debug> (ConfYamlParse) -- event.type=YAML_DOCUMENT_START_EVENT; state=0
[1] 17/12/2013 -- 14:14:04 - (conf-yaml-loader.c:294) <Debug> (ConfYamlParse) -- event.type=YAML_MAPPING_START_EVENT; state=0
[1] 17/12/2013 -- 14:14:04 - (conf-yaml-loader.c:205) <Debug> (ConfYamlParse) -- event.type=YAML_SCALAR_EVENT; state=0; value=max-pending-packets; tag=(null); inseq=0
t@1 (l@1) signal SEGV (no mapping at the fault address) in ConfYamlParse at line 233 in file "conf-yaml-loader.c" 
  233                       if (parent->is_seq) {
Actions #3

Updated by Mark Solaris about 9 years ago

(2) stop at "conf-yaml-loader.c":363
(dbx) run -c /apps/ids/suricata/conf/suricata.yaml -i net0 -i net1
Running: suricata -c /apps/ids/suricata/conf/suricata.yaml -i net0 -i net1 
(process id 6965)
[1] 17/12/2013 -- 19:12:44 - (suricata.c:1376) <Warning> (ParseCommandLine) -- [ERRCODE: SC_WARN_PCAP_MULTI_DEV_EXPERIMENTAL(177)] - using multiple pcap devices to get packets is experimental.
t@1 (l@1) stopped in ConfYamlLoadFile at line 363 in file "conf-yaml-loader.c" 
  363       if (stat(filename, &stat_buf) == 0) {
(dbx) print root                                        
root = 0xa245720
(dbx) step                
t@1 (l@1) stopped in ConfYamlLoadFile at line 364 in file "conf-yaml-loader.c" 
  364           if (stat_buf.st_mode & S_IFDIR) {
(dbx) print root
root = (nil)

If you took the time to watch the bytes involved and see which memory was getting overwritten, you could analyse the specific problem.
Moving the *root pointer declaration to the top 64 bit pointer section solved the issue.

--- ../../suricata-master.orig/src/conf-yaml-loader.c   Sun Dec  1 21:37:52 2013
+++ conf-yaml-loader.c  Tue Dec 17 19:23:48 2013
@@ -346,9 +346,9 @@
 ConfYamlLoadFile(const char *filename)
 {
     FILE *infile;
+    ConfNode *root = ConfGetRootNode();
     yaml_parser_t parser;
     int ret;
-    ConfNode *root = ConfGetRootNode();

     if (yaml_parser_initialize(&parser) != 1) {
         SCLogError(SC_ERR_FATAL, "failed to initialize yaml parser.");
Actions #4

Updated by Andreas Herz about 7 years ago

  • Status changed from New to Closed
Actions

Also available in: Atom PDF