Project

General

Profile

Actions

Bug #157

closed

Segv inside of B2gSearchBNDMq() when processing the attached pcap and rules.

Added by Will Metcalf over 14 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

ulimit -c unlimited; src/suricata -c suricata.yaml -r ./fuzz-2008-02-29-15412.pcap-fuzz-2010-05-12-09-17-04 -l ./ -s emerging-all.rules
....
Segmentation fault (core dumped)

coz@coz-desktop:~/downloads/suricatafuzz1$ gdb src/.libs/lt-suricata core
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/&gt;...
Reading symbols from /home/coz/downloads/suricatafuzz1/src/.libs/lt-suricata...done.
[New Thread 4630]
[New Thread 4629]
[New Thread 4625]
[New Thread 4605]
[New Thread 4632]
[New Thread 4626]
[New Thread 4628]
[New Thread 4634]
[New Thread 4624]
[New Thread 4622]
[New Thread 4627]
[New Thread 4621]
[New Thread 4633]
[New Thread 4623]
[New Thread 4631]

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /home/coz/downloads/suricatafuzz1/libhtp/htp/.libs/libhtp-0.2.so.1...done.
Loaded symbols for /home/coz/downloads/suricatafuzz1/libhtp/htp/.libs/libhtp-0.2.so.1
Reading symbols from /usr/lib/libpcap.so.0.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /usr/local/lib/libpfring.so...done.
Loaded symbols for /usr/local/lib/libpfring.so
Reading symbols from /usr/lib/libnet.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libnet.so.1
Reading symbols from /lib/libpthread.so.0...Reading symbols from /usr/lib/debug/lib/libpthread-2.11.1.so...done.
done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libyaml-0.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libyaml-0.so.2
Reading symbols from /lib/libpcre.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/libpcre.so.3
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.11.1.so...done.
done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.11.1.so...done.
done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib/libgcc_s.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libgcc_s.so.1
Core was generated by `/home/coz/downloads/suricatafuzz1/src/.libs/lt-suricata -c suricata.yaml -r ./f'.
Program terminated with signal 11, Segmentation fault.
#0 0x0000000000487149 in B2gSearchBNDMq (mpm_ctx=0x715ac30, mpm_thread_ctx=0x6e8da78, pmq=0x6e8daa0, buf=0x0, buflen=1044) at util-mpm-b2g.c:905
905 uint16_t h = B2G_HASH16(u8_tolower(buf[pos - 1]),u8_tolower(buf[pos]));
(gdb) bt full
#0 0x0000000000487149 in B2gSearchBNDMq (mpm_ctx=0x715ac30, mpm_thread_ctx=0x6e8da78, pmq=0x6e8daa0, buf=0x0, buflen=1044) at util-mpm-b2g.c:905
h = 0
ctx = 0x715e800
pos = 1
matches = 0
d = 1451211904
#1 0x00000000004870d3 in B2gSearchWrap (mpm_ctx=0x715ac30, mpm_thread_ctx=0x6e8da78, pmq=0x6e8daa0, buf=0x0, buflen=1044) at util-mpm-b2g.c:882
ctx = 0x715e800
#2 0x000000000043cb89 in PacketPatternSearch (tv=0x7f9e580037b0, det_ctx=0x6e8da60, p=0x83b840) at detect-engine-mpm.c:109
ret = 1
#3 0x00000000004216b7 in SigMatchSignatures (th_v=0x7f9e580037b0, de_ctx=0xe81d60, det_ctx=0x6e8da60, p=0x83b840) at detect.c:556
match = 0
fmatch = 0
s = 0x0
sm = 0x0
idx = 4334548
sig = 3203452428
alproto = 0
alstate = 0x0
flags = 4 '\004'
cnt = 0
i = 0
#4 0x00000000004223b8 in Detect (tv=0x7f9e580037b0, p=0x83b840, data=0x6e8da60, pq=0x7f9e580038b0) at detect.c:873
det_ctx = 0x6e8da60
de_ctx = 0xe81d60
r = 32670
#5 0x00000000004a5268 in TmThreadsSlot1 (td=0x7f9e580037b0) at tm-threads.c:382
tv = 0x7f9e580037b0
s = 0x7f9e58003880
p = 0x83b840
run = 1 '\001'
r = TM_ECODE_OK
#6 0x00007f9e5fee89ca in start_thread (arg=<value optimized out>) at pthread_create.c:300
res = <value optimized out>
pd = 0x7f9e567fc710
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140318032774928, -2921437598426171300, 0, 0, 0, 0, 2902670036568537180, 2902649290091690076}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0,
cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
freesize = <value optimized out>
__PRETTY_FUNCTION
= "start_thread"
#7 0x00007f9e5f7f869d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#8 0x0000000000000000 in ?? ()
No symbol table info available.
(gdb)


Files

fuzz-2008-02-29-15412.pcap-fuzz-2010-05-12-09-17-04 (8.53 KB) fuzz-2008-02-29-15412.pcap-fuzz-2010-05-12-09-17-04 fuzzed pcap Will Metcalf, 05/12/2010 12:10 PM
emerging-all.rules.gz (438 KB) emerging-all.rules.gz emerging threats all rules as of 05/12/10 Will Metcalf, 05/12/2010 12:10 PM
0001-fixed-the-segv-caused-by-null-payload-due-to-incorre.patch (2.74 KB) 0001-fixed-the-segv-caused-by-null-payload-due-to-incorre.patch Gurvinder Singh, 05/14/2010 08:28 AM
Actions

Also available in: Atom PDF