Bug #1672

closed

Suricata Creates RWX Pages

Added by Shawn Webb almost 9 years ago. Updated almost 9 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

This bug may be due to a shared library that Suricata brings in. During Shmoocon, I talked with Victor about this a little bit. He advised me to send a bug report, even if it's with a shared library.

When using the Emerging Threats rulesets, Suricata will create RWX pages, which cause Suricata to crash on HardenedBSD.

You can reproduce this by:
1) installing HardenedBSD
2) installing suricata: pkg install suricata
3) downloading the Emerging Threats rulesets to /usr/local/etc/suricata/rules directory
4) turning off NOEXEC: sysctl hardening.pax.pageexec.status=0
5) enabling suricata in /etc/rc.conf
6) starting suricata: service suricata start
7) looking at the memory mappings for suricata: (as root) procstat -v `pgrep suricata`

Attached is the output of that procstat command. You'll notice that the rwx pages are per-thread stacks, likely created by the RTLD on behalf of shared objects that request it in the .GNU_STACK section.


Files

suricata_rwx.log (11.1 KB), Shawn Webb, 01/17/2016 10:00 AM
2016-01-19-rtld_noexec.patch (1.96 KB), Shawn Webb, 01/19/2016 10:40 PM
2016-01-19-suricata_procstat.txt (11 KB), Shawn Webb, 01/19/2016 10:42 PM