Bug #1070
master-2013-12-02: SEGV in conf-yaml-loader.c: parent node not defined
Status: Closed
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:
Description
Solaris 11 x86
Sun Studio Compiler
YAML parser verifies the version is OK, then on the first non-comment line it crashes:

%YAML 1.1
---

# Suricata configuration file. In addition to the comments describing all
# options in this file, full documentation can be found at:
# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml


# Number of packets allowed to be processed simultaneously. Default is a
# conservative 1024. A higher number will make sure CPU's/CPU cores will be
# more easily kept busy, but may negatively impact caching.
#
# If you are using the CUDA pattern matcher (b2g_cuda below), different rules
# apply. In that case try something like 4000 or more. This is because the CUDA
# pattern matcher scans many packets in parallel.
max-pending-packets: 8192

t@1 (l@1) signal SEGV (no mapping at the fault address) in ConfYamlParse at line 233 in file "conf-yaml-loader.c"
  233       if (parent->is_seq) {
(dbx) where
current thread: t@1
=>[1] ConfYamlParse(parser = 0xfeffd5c0, parent = (nil), inseq = 0), line 233 in "conf-yaml-loader.c"
  [2] ConfYamlParse(parser = 0xfeffd5c0, parent = (nil), inseq = 0), line 307 in "conf-yaml-loader.c"
  [3] ConfYamlLoadFile(filename = 0xfeffe9fb "/apps/ids/suricata/conf/suricata.yaml"), line 380 in "conf-yaml-loader.c"
  [4] LoadYamlConfig(conf_filename = 0xfeffe9fb "/apps/ids/suricata/conf/suricata.yaml"), line 818 in "suricata.c"
  [5] main(argc = 19, argv = 0xfeffe870), line 2033 in "suricata.c"
(dbx) dump
n0 = (nil)
tag = (nil)
value = 0xa243418 "max-pending-packets"
event = RECORD
seq_idx = 0
done = 0
node = (nil)
parent = (nil)
inseq = 0
parser = 0xfeffd5b0
__FUNCTION__ = "ConfYamlParse"
state = 0
(dbx) print event
event = {
    type = YAML_SCALAR_EVENT
    data = {
        stream_start = { encoding = YAML_ANY_ENCODING }
        document_start = {
            version_directive = (nil)
            tag_directives = { start = (nil) end = 0xa243418 }
            implicit = 19
        }
        document_end = { implicit = 0 }
        alias = { anchor = (nil) }
        scalar = {
            anchor = (nil)
            tag = (nil)
            value = 0xa243418 "max-pending-packets"
            length = 19U
            plain_implicit = 1
            quoted_implicit = 0
            style = YAML_PLAIN_SCALAR_STYLE
        }
        sequence_start = { anchor = (nil) tag = (nil) implicit = 170144792 style = <unknown enum member 19> }
        mapping_start = { anchor = (nil) tag = (nil) implicit = 170144792 style = <unknown enum member 19> }
    }
    start_mark = { index = 651U line = 15U column = 0 }
    end_mark = { index = 670U line = 15U column = 19U }
}
(dbx) print *parser
*parser = {
    error = YAML_NO_ERROR
    problem = (nil)
    problem_offset = 0
    problem_value = 0
    problem_mark = { index = 0 line = 0 column = 0 }
    context = (nil)
    context_mark = { index = 0 line = 0 column = 0 }
    read_handler = 0xfe4f49f0 = &`libyaml-0.so.2.0.2`api.c`yaml_file_read_handler(void *data, unsigned char *buffer, size_t size, size_t *size_read)
    read_handler_data = 0xfeffd5b0
    input = {
        string = { start = 0x9db67f0 "ßZ" end = (nil) current = (nil) }
        file = 0x9db67f0
    }
    eof = 0
    buffer = {
        start = 0xa24bb58 "%YAML 1.1\n---\n\n# Suricata configuration file. In addition to the comments describing all\n# options in this file, full documentation can be found at:\n# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml\n\n\n# Number of packets allowed to be processed simultaneously. Default is a\n# conservative 1024. A higher number will make sure CPU's/CPU cores will be\n# more easily kept busy, but may negatively impact caching.\n#\n# If you are using the CUDA pattern matcher (b2g_cuda below), differe" ... use -L option to see the whole string
        end = 0xa257b58 "\x81^B"
        pointer = 0xa24bdf7 " 8192\n\n# Runmode the engine should use. Please check --list-runmodes to get the available\n# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned\n# load balancing).\n# runmode: autofp\nrunmode: workers\n\n# Specifies the kind of flow load balancer used by the flow pinned autofp mode.\n#\n# Supported schedulers are:\n#\n# round-robin - Flows assigned to threads in a round robin fashion.\n# active-packets - Flows assigned to threads that have the lowest number of\n# " ... use -L option to see the whole string
        last = 0xa24fb58 ""
    }
    unread = 15711U
    raw_buffer = {
        start = 0xa247b50 "%YAML 1.1\n---\n\n# Suricata configuration file. In addition to the comments describing all\n# options in this file, full documentation can be found at:\n# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml\n\n\n# Number of packets allowed to be processed simultaneously. Default is a\n# conservative 1024. A higher number will make sure CPU's/CPU cores will be\n# more easily kept busy, but may negatively impact caching.\n#\n# If you are using the CUDA pattern matcher (b2g_cuda below), differe" ... use -L option to see the whole string
        end = 0xa24bb50 "^AÀ"
        pointer = 0xa24bb50 "^AÀ"
        last = 0xa24bb50 "^AÀ"
    }
    encoding = YAML_UTF8_ENCODING
    offset = 16384U
    mark = { index = 671U line = 15U column = 20U }
    stream_start_produced = 1
    stream_end_produced = 0
    flow_level = 0
    tokens = { start = 0xa257b60 end = 0xa257de0 head = 0xa257c50 tail = 0xa257c78 }
    tokens_parsed = 6U
    token_available = 0
    indents = { start = 0xa257de8 end = 0xa257e28 top = 0xa257dec }
    indent = 0
    simple_key_allowed = 0
    simple_keys = { start = 0xa257e30 end = 0xa257fb0 top = 0xa257e48 }
    states = { start = 0xa257fb8 end = 0xa257ff8 top = 0xa257fbc }
    state = YAML_PARSE_BLOCK_MAPPING_VALUE_STATE
    marks = { start = 0xa258000 end = 0xa2580c0 top = 0xa25800c }
    tag_directives = { start = 0xa2580c8 end = 0xa258148 top = 0xa2580d8 }
    aliases = { start = (nil) end = (nil) top = (nil) }
    document = (nil)
}
Updated by Mark Solaris almost 11 years ago
I wonder if 'root' not being unique is messing it up?

Solaris 11 x86:
Reading libpcap.so.1.4.0

Solaris 11 SPARC (problem doesn't exist):
Reading libpcap.so.1.5.1

(dbx) print *root
More than one identifier 'root'.
Select one of the following:
 0) Cancel
 1) `suricata`conf.c`root
 2) `libpcap.so.1.4.0`gencode.c`root
> 1
*`suricata`conf.c`root = {
    name = (nil)
    val = (nil)
    is_seq = 0
    allow_override = 1
    parent = (nil)
    head = { tqh_first = (nil) tqh_last = 0xa244db4 }
    next = { tqe_next = (nil) tqe_prev = (nil) }
}
Recompiling libpcap 1.5.1 on Solaris 11 x86....
Updated by Mark Solaris almost 11 years ago
That didn't affect anything.
Running suricata in debug mode:
[1] 17/12/2013 -- 14:14:04 - (suricata.c:813) <Debug> (LoadYamlConfig) -- Entering ... >>
[1] 17/12/2013 -- 14:14:04 - (conf-yaml-loader.c:183) <Debug> (ConfYamlParse) -- event.type=YAML_DOCUMENT_START_EVENT; state=0
[1] 17/12/2013 -- 14:14:04 - (conf-yaml-loader.c:294) <Debug> (ConfYamlParse) -- event.type=YAML_MAPPING_START_EVENT; state=0
[1] 17/12/2013 -- 14:14:04 - (conf-yaml-loader.c:205) <Debug> (ConfYamlParse) -- event.type=YAML_SCALAR_EVENT; state=0; value=max-pending-packets; tag=(null); inseq=0
t@1 (l@1) signal SEGV (no mapping at the fault address) in ConfYamlParse at line 233 in file "conf-yaml-loader.c"
  233       if (parent->is_seq) {
Updated by Mark Solaris almost 11 years ago
(2) stop at "conf-yaml-loader.c":363
(dbx) run -c /apps/ids/suricata/conf/suricata.yaml -i net0 -i net1
Running: suricata -c /apps/ids/suricata/conf/suricata.yaml -i net0 -i net1
(process id 6965)
[1] 17/12/2013 -- 19:12:44 - (suricata.c:1376) <Warning> (ParseCommandLine) -- [ERRCODE: SC_WARN_PCAP_MULTI_DEV_EXPERIMENTAL(177)] - using multiple pcap devices to get packets is experimental.
t@1 (l@1) stopped in ConfYamlLoadFile at line 363 in file "conf-yaml-loader.c"
  363       if (stat(filename, &stat_buf) == 0) {
(dbx) print root
root = 0xa245720
(dbx) step
t@1 (l@1) stopped in ConfYamlLoadFile at line 364 in file "conf-yaml-loader.c"
  364           if (stat_buf.st_mode & S_IFDIR) {
(dbx) print root
root = (nil)
If you took the time to watch the bytes involved and see which memory was getting overwritten, you could analyse the specific problem.
Moving the *root pointer declaration to the top 64 bit pointer section solved the issue.
--- ../../suricata-master.orig/src/conf-yaml-loader.c Sun Dec 1 21:37:52 2013 +++ conf-yaml-loader.c Tue Dec 17 19:23:48 2013 @@ -346,9 +346,9 @@ ConfYamlLoadFile(const char *filename) { FILE *infile; + ConfNode *root = ConfGetRootNode(); yaml_parser_t parser; int ret; - ConfNode *root = ConfGetRootNode(); if (yaml_parser_initialize(&parser) != 1) { SCLogError(SC_ERR_FATAL, "failed to initialize yaml parser.");
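Review bot: moving `ConfNode *root = ConfGetRootNode();` above `yaml_parser_t parser;` makes the symptom go away but does not address what the dbx session above shows, namely that root changes from 0xa245720 to (nil) between line 363 and line 364, i.e. across the `stat(filename, &stat_buf)` call, so the write that clobbers it lands outside the struct stat this translation unit was compiled with and the declaration order only changes which neighbouring local absorbs it. Before merging, establish why the stat() being linked on this Solaris 11 x86 / Sun Studio build writes more than sizeof(struct stat) as conf-yaml-loader.c sees it (a struct stat definition that disagrees with the libc entry point actually called would do this), and independently of that, have ConfYamlLoadFile report an SCLogError and return when ConfGetRootNode() yields NULL rather than passing a NULL parent into ConfYamlParse at line 380, since the backtrace shows ConfYamlParse entered with parent = (nil) and dereferencing it at line 233.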
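The comment above says the way to pin this down is to watch which bytes get overwritten around the stat() call. The following probe, an added example that is neither Suricata's code nor the reporter's, does that on any POSIX toolchain: it sandwiches a struct stat between two sentinel arrays inside one struct (so their placement around it is fixed by the language, unlike the order of independent locals such as root and stat_buf, which the compiler chooses), calls stat(), and reports how many sentinel bytes changed and at what offset from the struct. On a build whose struct stat agrees with the libc entry point it links, it reports 0; on a build like the one in this ticket it would report the overrun size and the offset, which tells you directly which neighbouring local would be hit. The function names, the guard size and the sentinel byte are this example's own choices.

```c
/* stat_guard.c: detect a stat() that writes outside the struct stat
 * the caller was compiled with. Example code, not part of Suricata. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

#define GUARD_LEN  256   /* sentinel bytes on each side of st (arbitrary) */
#define GUARD_BYTE 0xA5  /* pattern we expect to find untouched afterwards */

/* st plays the role of stat_buf; lead and trail stand in for whatever
 * locals end up below and above it on the stack (root, in the ticket). */
struct guarded_stat {
    unsigned char lead[GUARD_LEN];
    struct stat   st;
    unsigned char trail[GUARD_LEN];
};

/* Returns -1 if stat(path) failed, otherwise the number of sentinel
 * bytes stat() modified (0 on a consistent build). If first_offset is
 * non-NULL it receives the offset, relative to &st, of the first stray
 * write: >= sizeof(struct stat) for an overrun above the struct,
 * negative for one below it, -1 when nothing was touched. */
long stat_guard_check(const char *path, long *first_offset)
{
    struct guarded_stat g;
    size_t i, clobbered = 0;
    long first = -1;

    memset(&g, GUARD_BYTE, sizeof g);
    if (stat(path, &g.st) != 0)
        return -1;

    /* Bytes above st: would corrupt a local placed at a higher address. */
    for (i = 0; i < GUARD_LEN; i++) {
        if (g.trail[i] != GUARD_BYTE) {
            if (first == -1)
                first = (long)sizeof(struct stat) + (long)i;
            clobbered++;
        }
    }
    /* Bytes below st: would corrupt a local placed at a lower address. */
    for (i = 0; i < GUARD_LEN; i++) {
        if (g.lead[i] != GUARD_BYTE) {
            if (first == -1)
                first = (long)i - (long)GUARD_LEN;
            clobbered++;
        }
    }
    if (first_offset)
        *first_offset = first;
    return (long)clobbered;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/";
    long first = -1;
    long n = stat_guard_check(path, &first);

    if (n < 0) {
        perror("stat");
        return 2;
    }
    printf("sizeof(struct stat) as compiled here: %lu bytes\n",
           (unsigned long)sizeof(struct stat));
    if (n == 0) {
        printf("stat(%s) stayed inside the struct: no overrun\n", path);
        return 0;
    }
    printf("stat(%s) clobbered %ld sentinel byte(s); first stray write at "
           "offset %ld from &stat_buf\n", path, n, first);
    return 1;
}
```

Run it as `./stat_guard /apps/ids/suricata/conf/suricata.yaml` on the affected host, compiled with the same compiler and flags as conf-yaml-loader.c; if it reports a non-zero count, the offset it prints is the distance from stat_buf at which root (or whatever local the compiler placed there) sits, and the count is the size mismatch between the caller's struct stat and what the linked stat() actually writes.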