Open Information Security Foundation
Suricata - Bug #23: Segv occurs occasionally inside of DetectHttpCookieMatch https://redmine.openinfosecfoundation.org/issues/23?journal_id=44 2009-12-27T05:57:52Z Gurvinder Singh gurvindersinghdahiya@gmail.com
<ul><li><strong>File</strong> <a href="/attachments/38">0002-fixed-23-bug.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/38/0002-fixed-23-bug.patch">0002-fixed-23-bug.patch</a> added</li><li><strong>File</strong> <a href="/attachments/39">bug23-htp.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/39/bug23-htp.patch">bug23-htp.patch</a> added</li><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> changed from <i>OISF Dev</i> to <i>Gurvinder Singh</i></li></ul><p>The issue seems to me, too, to be related to threading. The error seems to affect other parts too, such as detect-http-method; Brian, please update the method task too. To be on the safe side, I have added a check in the HTP library where we are facing the segv (patch attached).</p>
<p>I have run the engine after the modification 100 times and no segv. I hope the patch for bug 21 is already applied to the code.</p>
Suricata - Bug #23: Segv occurs occasionally inside of DetectHttpCookieMatch https://redmine.openinfosecfoundation.org/issues/23?journal_id=45 2009-12-27T06:09:47Z Will Metcalf william.metcalf@gmail.com
<ul></ul><p>I did already apply the patch from bug 21. I will try adding this patch and update the ticket if needed.</p>
<p>Regards,</p>
<p>Will</p>
Suricata - Bug #23: Segv occurs occasionally inside of DetectHttpCookieMatch https://redmine.openinfosecfoundation.org/issues/23?journal_id=49 2009-12-27T09:28:57Z Will Metcalf william.metcalf@gmail.com
<ul><li><strong>File</strong> <a href="/attachments/42">anon_sid_2002773_2002955_2006394_2002707_2003408_2002957.pcap-fuzz-2009-12-27-07-43-08</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/42/anon_sid_2002773_2002955_2006394_2002707_2003408_2002957.pcap-fuzz-2009-12-27-07-43-08">anon_sid_2002773_2002955_2006394_2002707_2003408_2002957.pcap-fuzz-2009-12-27-07-43-08</a> added</li><li><strong>File</strong> <a href="/attachments/43">wirefuzz.pl</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/43/wirefuzz.pl">wirefuzz.pl</a> added</li></ul><p>I'm still seeing this issue. I'm going to attach a larger pcap, as it appears to take less time to segv with this pcap.</p>
<p>I have applied the patches from this bug, along with the patches from bug 21, to both the engine and r63 of htp.</p>
<pre>
coz@coz-desktop:~/downloads/oisfnew$ ./wirefuzz.pl -f="/home/coz/downloads/pcaps/evil-fingers/anon_sid_2002773_2002955_2006394_2002707_2003408_2002957.pcap-fuzz-2009-12-27-07-43-08" -r=/home/coz/downloads/current-all-blah.rules -c=suricata117.yaml
Name "main::wday" used only once: possible typo at ./wirefuzz.pl line 84.
Name "main::isdst" used only once: possible typo at ./wirefuzz.pl line 84.
Name "main::yday" used only once: possible typo at ./wirefuzz.pl line 84.
looping forever or until we have an error
rules file /home/coz/downloads/current-all-blah.rules
rules file /home/coz/downloads/current-all-blah.rules
not fuzzing pcap(s)
/home/coz/downloads/pcaps/evil-fingers/anon_sid_2002773_2002955_2006394_2002707_2003408_2002957.pcap-fuzz-2009-12-27-07-43-08
running ulimit -c unlimited; src/suricata -c suricata117.yaml -r /home/coz/downloads/pcaps/evil-fingers/anon_sid_2002773_2002955_2006394_2002707_2003408_2002957.pcap-fuzz-2009-12-27-07-43-08 -l ./ -s /home/coz/downloads/current-all-blah.rules
exit value 0
we have run with success 1 times
/home/coz/downloads/pcaps/evil-fingers/anon_sid_2002773_2002955_2006394_2002707_2003408_2002957.pcap-fuzz-2009-12-27-07-43-08
running ulimit -c unlimited; src/suricata -c suricata117.yaml -r /home/coz/downloads/pcaps/evil-fingers/anon_sid_2002773_2002955_2006394_2002707_2003408_2002957.pcap-fuzz-2009-12-27-07-43-08 -l ./ -s /home/coz/downloads/current-all-blah.rules
exit value 0
we have run with success 2 times
/home/coz/downloads/pcaps/evil-fingers/anon_sid_2002773_2002955_2006394_2002707_2003408_2002957.pcap-fuzz-2009-12-27-07-43-08
running ulimit -c unlimited; src/suricata -c suricata117.yaml -r /home/coz/downloads/pcaps/evil-fingers/anon_sid_2002773_2002955_2006394_2002707_2003408_2002957.pcap-fuzz-2009-12-27-07-43-08 -l ./ -s /home/coz/downloads/current-all-blah.rules
exit value 0
we have run with success 3 times
/home/coz/downloads/pcaps/evil-fingers/anon_sid_2002773_2002955_2006394_2002707_2003408_2002957.pcap-fuzz-2009-12-27-07-43-08
running ulimit -c unlimited; src/suricata -c suricata117.yaml -r /home/coz/downloads/pcaps/evil-fingers/anon_sid_2002773_2002955_2006394_2002707_2003408_2002957.pcap-fuzz-2009-12-27-07-43-08 -l ./ -s /home/coz/downloads/current-all-blah.rules
exit value 139
core dump found core processesing
warning: Can't read pathname for load map: Input/output error.
core dump
 GNU gdb (GDB) 7.0-ubuntu
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later &lt;http://gnu.org/licenses/gpl.html&gt;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
&lt;http://www.gnu.org/software/gdb/bugs/&gt;.
Reading symbols from /home/coz/downloads/oisfnew/src/suricata...
done.
[New Thread 26876]
[New Thread 26874]
[New Thread 26863]
[New Thread 26883]
[New Thread 26878]
[New Thread 26879]
[New Thread 26875]
[New Thread 26884]
[New Thread 26880]
[New Thread 26881]
[New Thread 26882]
[New Thread 26873]
Reading symbols from /usr/lib/libhtp-0.1.so.1...
done.
Loaded symbols for /usr/lib/libhtp-0.1.so.1
Reading symbols from /usr/lib/libpcap.so.0.8...
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /usr/local/lib/libpfring.so...
done.
Loaded symbols for /usr/local/lib/libpfring.so
Reading symbols from /usr/lib/libnet.so.1...
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libnet.so.1
Reading symbols from /lib/libpthread.so.0...
Reading symbols from /usr/lib/debug/lib/libpthread-2.10.1.so...
done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libyaml-0.so.1...
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libyaml-0.so.1
Reading symbols from /lib/libpcre.so.3...
(no debugging symbols found)...done.
Loaded symbols for /lib/libpcre.so.3
Reading symbols from /lib/libc.so.6...
Reading symbols from /usr/lib/debug/lib/libc-2.10.1.so...
done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libz.so.1...
(no debugging symbols found)...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /lib64/ld-linux-x86-64.so.2...
Reading symbols from /usr/lib/debug/lib/ld-2.10.1.so...
done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Core was generated by `src/suricata -c suricata117.yaml -r /home/coz/downloads/pcaps/evil-fingers/anon'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000485562 in DetectHttpCookieMatch (t=0x3d9d760, det_ctx=0x7f24fc000c40, f=0x18a8bc0, flags=4 '', state=0x1524a750, s=0x30b4590, m=0x30b4e70) at detect-http-cookie.c:78
78          if (htp_state->connp->conn == NULL) {
#0  0x0000000000485562 in DetectHttpCookieMatch (t=0x3d9d760, det_ctx=0x7f24fc000c40, f=0x18a8bc0, flags=4 '', state=0x1524a750, s=0x30b4590, m=0x30b4e70) at detect-http-cookie.c:78
        co = 0x30b4d90
        htp_state = 0x1524a750
        ret = 0
        tx = 0x7f2508b1ef00
        h = 0x1ac48e0
#1  0x00000000004228cb in SigMatchSignaturesAppLayer (th_v=0x3d9d760, de_ctx=0x1ac48e0, det_ctx=0x7f24fc000c40, sgh=0x6892df0, p=0x1806cb0) at detect.c:527
        match = 1
        fmatch = 0
        s = 0x30b4590
        sm = 0x30b4e70
        idx = 8984
        sig = 11913
        flags = 4 ''
        alstate = 0x1524a750
#2  0x0000000000423260 in SigMatchSignatures (th_v=0x3d9d760, de_ctx=0x1ac48e0, det_ctx=0x7f24fc000c40, p=0x1806cb0) at detect.c:786
        match = 0
        fmatch = 1
        s = 0x319acb0
        sm = 0x0
        idx = 9672
        sig = 12613
#3  0x0000000000423307 in Detect (tv=0x3d9d760, p=0x1806cb0, data=0x7f24fc000c40, pq=0x3d9d860) at detect.c:823
        det_ctx = 0x7f24fc000c40
        de_ctx = 0x1ac48e0
        r = 0
#4  0x00000000004bbdca in TmThreadsSlot1 (td=0x3d9d760) at tm-threads.c:325
        tv = 0x3d9d760
        s = 0x3d9d830
        p = 0x1806cb0
        run = 1 ''
        r = TM_ECODE_OK
#5  0x00007f250b801a04 in start_thread (arg=&lt;value optimized out&gt;) at pthread_create.c:300
        __res = &lt;value optimized out&gt;
        pd = 0x7f2508b1f910
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {
                139797036398864,
                -8962179890314330272,
                140736220004960,
                0,
                0,
                3,
                9067401624406343520,
                9067408372617068384},
                mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0,
                0x0}, data = {
                prev = 0x0, cleanup = 0x0,
                canceltype = 0}}}
        not_first_call = &lt;value optimized out&gt;
        robust = &lt;value optimized out&gt;
#6  0x00007f250b11c7bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#7  0x0000000000000000 in ?? ()
</pre>
Suricata - Bug #23: Segv occurs occasionally inside of DetectHttpCookieMatch https://redmine.openinfosecfoundation.org/issues/23?journal_id=61 2009-12-28T07:05:28Z Will Metcalf william.metcalf@gmail.com
<ul></ul><p>I hope this helps; the valgrind output makes it appear as if there is an invalid free.</p>
<pre>
30244 Thread 6:
30244 Invalid read of size 8
30244    at 0x485562: DetectHttpCookieMatch (detect-http-cookie.c:78)
30244    by 0x4228CA: SigMatchSignaturesAppLayer (detect.c:527)
30244    by 0x42325F: SigMatchSignatures (detect.c:786)
30244    by 0x423306: Detect (detect.c:823)
30244    by 0x4BBDC9: TmThreadsSlot1 (tm-threads.c:325)
30244    by 0x5692A03: start_thread (pthread_create.c:300)
30244    by 0x5DD67BC: clone (clone.S:112)
30244  Address 0x4537e540 is 16 bytes inside a block of size 320 free'd
30244    at 0x4C24D68: free (vg_replace_malloc.c:325)
30244    by 0x4E80FD: HTPStateFree (app-layer-htp.c:70)
30244    by 0x4E74CF: AppLayerParserCleanupState (app-layer-parser.c:870)
30244    by 0x4C4F57: StreamTcpSessionPktFree (stream-tcp.c:152)
30244    by 0x4C944D: StreamTcpPacketStateTimeWait (stream-tcp.c:2213)
30244    by 0x4C967D: StreamTcpPacket (stream-tcp.c:2273)
30244    by 0x4C974B: StreamTcp (stream-tcp.c:2304)
30244    by 0x4BBDC9: TmThreadsSlot1 (tm-threads.c:325)
30244    by 0x5692A03: start_thread (pthread_create.c:300)
30244    by 0x5DD67BC: clone (clone.S:112)
30244
30244
30244 1 errors in context 2 of 196:
30244 Invalid read of size 8
30244    at 0x48555F: DetectHttpCookieMatch (detect-http-cookie.c:78)
30244    by 0x4228CA: SigMatchSignaturesAppLayer (detect.c:527)
30244    by 0x42325F: SigMatchSignatures (detect.c:786)
30244    by 0x423306: Detect (detect.c:823)
30244    by 0x4BBDC9: TmThreadsSlot1 (tm-threads.c:325)
30244    by 0x5692A03: start_thread (pthread_create.c:300)
30244    by 0x5DD67BC: clone (clone.S:112)
30244  Address 0x4537e4e0 is 0 bytes inside a block of size 16 free'd
30244    at 0x4C24D68: free (vg_replace_malloc.c:325)
30244    by 0x4E8109: HTPStateFree (app-layer-htp.c:72)
30244    by 0x4E74CF: AppLayerParserCleanupState (app-layer-parser.c:870)
30244    by 0x4C4F57: StreamTcpSessionPktFree (stream-tcp.c:152)
30244    by 0x4C944D: StreamTcpPacketStateTimeWait (stream-tcp.c:2213)
30244    by 0x4C967D: StreamTcpPacket (stream-tcp.c:2273)
30244    by 0x4C974B: StreamTcp (stream-tcp.c:2304)
30244    by 0x4BBDC9: TmThreadsSlot1 (tm-threads.c:325)
30244    by 0x5692A03: start_thread (pthread_create.c:300)
30244    by 0x5DD67BC: clone (clone.S:112)
30244
30244
</pre>
Suricata - Bug #23: Segv occurs occasionally inside of DetectHttpCookieMatch https://redmine.openinfosecfoundation.org/issues/23?journal_id=62 2009-12-28T07:11:10Z Victor Julien victor@inliniac.net
<ul></ul><p>I think the next master, which I'm about to push out, will fix this...</p>
Suricata - Bug #23: Segv occurs occasionally inside of DetectHttpCookieMatch https://redmine.openinfosecfoundation.org/issues/23?journal_id=69 2009-12-30T07:31:21Z Victor Julien victor@inliniac.net
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Closed</i></li></ul>
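<p>The valgrind trace above shows the real defect: the detect thread reads <code>htp_state-&gt;connp-&gt;conn</code> inside a block that the stream thread already freed through <code>HTPStateFree</code>, so a NULL check on a field of freed memory cannot catch it. The thread does not show Victor's fix; the following single-threaded C model is an added illustration, not Suricata's code, of the lifetime rule the trace points at: the detect path must pin the app-layer state (here with a reference count) before dereferencing it, and the stream side must detach the state from the flow rather than free it outright. All structure and function names are constructed, and in a real multithreaded engine the reference count and the pointer swap must also happen under the flow lock.</p>

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model, not Suricata's structures. */
typedef struct HtpState {
    int refcnt;        /* holders: the flow plus any detect call in flight */
    char *cookie;      /* stand-in for the parsed Cookie header */
} HtpState;
typedef struct Flow { HtpState *alstate; } Flow; /* NULL once stream side detached it */

HtpState *HtpStateAlloc(const char *cookie) {
    HtpState *s = calloc(1, sizeof(*s));
    size_t n = strlen(cookie) + 1;
    if (s == NULL || (s->cookie = malloc(n)) == NULL) { free(s); return NULL; }
    memcpy(s->cookie, cookie, n);
    s->refcnt = 1;     /* the flow's own reference */
    return s;
}
void HtpStateRelease(HtpState *s) {       /* last holder frees */
    if (s != NULL && --s->refcnt == 0) { free(s->cookie); free(s); }
}
/* Detect side: pin the state before dereferencing anything inside it. */
HtpState *FlowGetAppState(Flow *f) {
    if (f->alstate != NULL) f->alstate->refcnt++;
    return f->alstate;
}
/* Stream side (StreamTcpSessionPktFree in the report): detach the state and
 * drop only the flow's reference; memory lives on while a match holds it. */
void FlowCleanupAppState(Flow *f) {
    HtpState *s = f->alstate;
    f->alstate = NULL;
    HtpStateRelease(s);
}
/* Model of DetectHttpCookieMatch: 1 on match, 0 otherwise or if state is gone. */
int DetectCookieMatch(Flow *f, const char *needle) {
    HtpState *s = FlowGetAppState(f);
    int ret = (s != NULL && strstr(s->cookie, needle) != NULL);
    HtpStateRelease(s);
    return ret;
}
/* Replays the interleaving from the valgrind trace: the detect path is inside
 * the match when the stream side tears the session down. Returns the match
 * result; the read happens on pinned memory instead of a freed block. */
int ReplayRace(const char *cookie, const char *needle) {
    Flow f = { HtpStateAlloc(cookie) };
    HtpState *s = FlowGetAppState(&f);    /* detect thread enters the match */
    FlowCleanupAppState(&f);              /* stream thread frees the session */
    int ret = (s != NULL && strstr(s->cookie, needle) != NULL);
    HtpStateRelease(s);                   /* match done: state freed here */
    return f.alstate == NULL ? ret : -1;  /* -1 would mean cleanup failed to detach */
}
```

Built with -fsanitize=address or run under valgrind, the replay stays clean, whereas the same interleaving with a plain free in the cleanup path reproduces the invalid read reported above.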