Bug #178: Processing the attached pcap and rules causes a segv inside of SigMatchSignatures() - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #178

closed

Processing the attached pcap and rules causes a segv inside of SigMatchSignatures()

Added by Will Metcalf almost 14 years ago. Updated almost 14 years ago.

Status:

Closed

Priority:

Normal

Assignee:

OISF Dev

Target version:

0.9.2

Affected Versions:

Effort:

Difficulty:

Label:

Description

ulimit -c unlimited; src/suricata -c suricata.yaml -r ./ctf08_1228495450_eth8.dump-fuzz-2010-06-16-09-01-01.slice4 -l ./ -s ../emerging-all.rules

#0 0x00000000004294c8 in SigMatchSignatures (th_v=0x4ae7f20, de_ctx=0x1ca97f0, det_ctx=0x490a4c0, p=0x1875610) at detect.c:794
794 if (!(det_ctx->smsg_pmq[i].pattern_id_bitarray[(s->mpm_pattern_id / 8)] & (1<<(s->mpm_pattern_id % 8))) &&
(gdb) bt full
#0 0x00000000004294c8 in SigMatchSignatures (th_v=0x4ae7f20, de_ctx=0x1ca97f0, det_ctx=0x490a4c0, p=0x1875610) at detect.c:794
pmatch = 0 '\000'
i = 258
smsg_inspect = 0x4b45d60
match = 0
fmatch = 0
s = 0x25569c0
sm = 0x0
idx = 0
alproto = 6
alstate = 0x7f5544783c60
flags = 64 '@'
cnt = 1
sgh = 0x6044b60
use_flow_sgh = 1 '\001'
smsg = 0x7f553cebc900
de_state_start = 1 '\001'
#1 0x0000000000429b5e in Detect (tv=0x4ae7f20, p=0x1875610, data=0x490a4c0, pq=0x4dfff70, postpq=0x4dfffe8) at detect.c:978
det_ctx = 0x490a4c0
de_ctx = 0x1ca97f0
r = 0
#2 0x00000000004c8abe in TmThreadsSlot1 (td=0x4ae7f20) at tm-threads.c:406
tv = 0x4ae7f20
s = 0x4dfff40
p = 0x1875610
run = 1 '\001'
r = TM_ECODE_OK
#3 0x00007f554b4ee9ca in start_thread (arg=<value optimized out>) at pthread_create.c:300
res = <value optimized out>
pd = 0x7f55492fd710
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140004276819728, -3756412537071364385, 0, 0, 0, 0, 3851730986279212767, 3851734569383073503}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0,
cleanup = 0x0, canceltype = 0}}}
not_first_call = <value optimized out>
robust = <value optimized out>
freesize = <value optimized out>
__PRETTY_FUNCTION = "start_thread"
#4 0x00007f554adfe6cd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#5 0x0000000000000000 in ?? ()
No symbol table info available.

Files

ictfbug061610.tar.gz (486 KB) ictfbug061610.tar.gz

ET rules and pcap for segv inside of SigMatchSignatures.

Will Metcalf, 06/16/2010 09:12 AM

Actions

Copy link

Updated by Will Metcalf almost 14 years ago

memcheck output.

26910 Thread 11:
26910 Invalid read of size 1
26910 at 0x4294C8: SigMatchSignatures (detect.c:794)
26910 by 0x429B5D: Detect (detect.c:978)
26910 by 0x4C8ABD: TmThreadsSlot1 (tm-threads.c:406)
26910 by 0x569B9C9: start_thread (pthread_create.c:300)
26910 by 0x21EA270F: ?
26910 Address 0x41 is not stack'd, malloc'd or (recently) free'd
26910
26910
26910 Process terminating with default action of signal 11 (SIGSEGV): dumping core
26910 Access not within mapped region at address 0x41
26910 at 0x4294C8: SigMatchSignatures (detect.c:794)
26910 by 0x429B5D: Detect (detect.c:978)
26910 by 0x4C8ABD: TmThreadsSlot1 (tm-threads.c:406)
26910 by 0x569B9C9: start_thread (pthread_create.c:300)
26910 by 0x21EA270F: ?
26910 If you believe this happened as a result of a stack
26910 overflow in your program's main thread (unlikely but
26910 possible), you can try to increase the size of the
26910 main thread stack using the --main-stacksize= flag.
26910 The main thread stack size used in this run was 8388608.
26910
26910 HEAP SUMMARY:
26910 in use at exit: 318,438,694 bytes in 2,086,008 blocks
26910 total heap usage: 4,281,739 allocs, 2,195,731 frees, 1,156,772,693 bytes allocated
26910

Actions

Copy link