Bug #157
closedSegv inside of B2gSearchBNDMq() when processing the attached pcap and rules.
Description
ulimit -c unlimited; src/suricata -c suricata.yaml -r ./fuzz-2008-02-29-15412.pcap-fuzz-2010-05-12-09-17-04 -l ./ -s emerging-all.rules
....
Segmentation fault (core dumped)
coz@coz-desktop:~/downloads/suricatafuzz1$ gdb src/.libs/lt-suricata core
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/coz/downloads/suricatafuzz1/src/.libs/lt-suricata...done.
[New Thread 4630]
[New Thread 4629]
[New Thread 4625]
[New Thread 4605]
[New Thread 4632]
[New Thread 4626]
[New Thread 4628]
[New Thread 4634]
[New Thread 4624]
[New Thread 4622]
[New Thread 4627]
[New Thread 4621]
[New Thread 4633]
[New Thread 4623]
[New Thread 4631]
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /home/coz/downloads/suricatafuzz1/libhtp/htp/.libs/libhtp-0.2.so.1...done.
Loaded symbols for /home/coz/downloads/suricatafuzz1/libhtp/htp/.libs/libhtp-0.2.so.1
Reading symbols from /usr/lib/libpcap.so.0.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /usr/local/lib/libpfring.so...done.
Loaded symbols for /usr/local/lib/libpfring.so
Reading symbols from /usr/lib/libnet.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libnet.so.1
Reading symbols from /lib/libpthread.so.0...Reading symbols from /usr/lib/debug/lib/libpthread-2.11.1.so...done.
done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libyaml-0.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libyaml-0.so.2
Reading symbols from /lib/libpcre.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/libpcre.so.3
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.11.1.so...done.
done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.11.1.so...done.
done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib/libgcc_s.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libgcc_s.so.1
Core was generated by `/home/coz/downloads/suricatafuzz1/src/.libs/lt-suricata -c suricata.yaml -r ./f'.
Program terminated with signal 11, Segmentation fault.
#0 0x0000000000487149 in B2gSearchBNDMq (mpm_ctx=0x715ac30, mpm_thread_ctx=0x6e8da78, pmq=0x6e8daa0, buf=0x0, buflen=1044) at util-mpm-b2g.c:905
905 uint16_t h = B2G_HASH16(u8_tolower(buf[pos - 1]),u8_tolower(buf[pos]));
(gdb) bt full
#0 0x0000000000487149 in B2gSearchBNDMq (mpm_ctx=0x715ac30, mpm_thread_ctx=0x6e8da78, pmq=0x6e8daa0, buf=0x0, buflen=1044) at util-mpm-b2g.c:905
h = 0
ctx = 0x715e800
pos = 1
matches = 0
d = 1451211904
#1 0x00000000004870d3 in B2gSearchWrap (mpm_ctx=0x715ac30, mpm_thread_ctx=0x6e8da78, pmq=0x6e8daa0, buf=0x0, buflen=1044) at util-mpm-b2g.c:882
ctx = 0x715e800
#2 0x000000000043cb89 in PacketPatternSearch (tv=0x7f9e580037b0, det_ctx=0x6e8da60, p=0x83b840) at detect-engine-mpm.c:109
ret = 1
#3 0x00000000004216b7 in SigMatchSignatures (th_v=0x7f9e580037b0, de_ctx=0xe81d60, det_ctx=0x6e8da60, p=0x83b840) at detect.c:556
match = 0
fmatch = 0
s = 0x0
sm = 0x0
idx = 4334548
sig = 3203452428
alproto = 0
alstate = 0x0
flags = 4 '\004'
cnt = 0
i = 0
#4 0x00000000004223b8 in Detect (tv=0x7f9e580037b0, p=0x83b840, data=0x6e8da60, pq=0x7f9e580038b0) at detect.c:873
det_ctx = 0x6e8da60
de_ctx = 0xe81d60
r = 32670
#5 0x00000000004a5268 in TmThreadsSlot1 (td=0x7f9e580037b0) at tm-threads.c:382
tv = 0x7f9e580037b0
s = 0x7f9e58003880
p = 0x83b840
run = 1 '\001'
r = TM_ECODE_OK
#6 0x00007f9e5fee89ca in start_thread (arg=<value optimized out>) at pthread_create.c:300
res = <value optimized out>
pd = 0x7f9e567fc710
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140318032774928, -2921437598426171300, 0, 0, 0, 0, 2902670036568537180, 2902649290091690076}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0,
cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
freesize = <value optimized out>
__PRETTY_FUNCTION = "start_thread"
#7 0x00007f9e5f7f869d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#8 0x0000000000000000 in ?? ()
No symbol table info available.
(gdb)
Files
Updated by Gurvinder Singh almost 14 years ago
I have tested the engine with given rules and pcap. there in segv on my system. the stats of my 32-bit systems are
2.6.28-18-generic #60-Ubuntu i686 GNU/Linux
To me it seems, the segv is only on 64-bit systems.
Updated by Gurvinder Singh almost 14 years ago
Gurvinder Singh wrote:
I have tested the engine with given rules and pcap. there in no segv on my system. the stats of my 32-bit systems are
2.6.28-18-generic #60-Ubuntu i686 GNU/Linux
To me it seems, the segv is only on 64-bit systems.
Updated by Will Metcalf almost 14 years ago
Interesting it segv's for me on every one of the platforms I have 32 and 64-bit.
Regards,
Will
Updated by Gurvinder Singh almost 14 years ago
- File 0001-fixed-the-segv-caused-by-null-payload-due-to-incorre.patch 0001-fixed-the-segv-caused-by-null-payload-due-to-incorre.patch added
- Status changed from New to Resolved
- Assignee changed from OISF Dev to Gurvinder Singh
- % Done changed from 0 to 90
It turns out that it does segv on my system too, I am still thinking that what happened in the morning did I overlooked the segv or it doesn't happen at all (early morning I guess :p )
Anyways the segv was caused by not setting the payload buffer while decoding the icmpv6 packets. Attached patch fixes the issue.
Updated by Victor Julien almost 14 years ago
- Status changed from Resolved to Closed
- % Done changed from 90 to 100
Patches applied and pushed out. Thanks Gurvinder.