Bug #2802


iprep: use_cnt can get desynchronized (SIGABRT)

Added by sree hari over 4 years ago. Updated over 1 year ago.

Target version:
Affected Versions:
Needs backport to 5.0, Needs backport to 6.0


selks-user@SELKS:~/Downloads$ suricata --build-info
This is Suricata version 4.1.0-dev (rev 8709a20d)
SIMD support: none
Atomic intrisics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 6.3.0 20170516, C version 199901
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.28, linked against LibHTP v0.5.28

Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no

Unix socket enabled:                     yes
Detection enabled: yes
Libmagic support:                        yes
libnss support: yes
libnspr support: yes
libjansson support: yes
liblzma support: yes
hiredis support: yes
hiredis async with libevent: no
Prelude support: no
PCRE jit: yes
LUA support: yes, through luajit
libluajit: yes
libgeoip: yes
Non-bundled htp: yes
Old barnyard2 support: no
Hyperscan support: yes
Libnet support: yes
liblz4 support: yes
Rust support:                            yes (default)
Rust strict mode: no
Rust debug mode: no
Rust compiler: rustc 1.30.0 (da5f414c2 2018-10-24)
Rust cargo: cargo 1.30.0 (36d96825d 2018-10-24)
Install suricatasc:                      yes
Install suricata-update: no
Profiling enabled:                       no
Profiling locks enabled: no

Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no

Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/

--prefix                                 /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share
Host:                                    x86_64-pc-linux-gnu
Compiler: gcc (exec name) / gcc (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: yes
CFLAGS -g -O2 -fdebug-prefix-map=/STAMUS/SELKS/Suricata/suricata-2019013001=. -fstack-protector-strong -Wformat -Werror=format-security -I${srcdir}/../rust/gen/c-headers
PCAP_CFLAGS -I/usr/include
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

selks-user@SELKS:~$ gdb /usr/bin/suricata ./core
GNU gdb (Debian 7.12-6)
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
Find the GDB manual and other documentation resources online at:
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/suricata...(no debugging symbols found)...done.

warning: core file may not match specified executable file.
[New LWP 3069]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/".
Core was generated by `suricata -r /home/selks-user/Downloads/Router+192_168_10_1.pcap -k none -l /hom'.
Program terminated with signal SIGABRT, Aborted.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) set logging on
Copying output to gdb.txt.
(gdb) thread apply all bt

Thread 1 (Thread 0x7f9df52f0b80 (LWP 3069)):
#0 GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007f9df059c42a in _GI_abort () at abort.c:89
#2 0x00007f9df0593e67 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x55cb488b63a8 "!((h->use_cnt_sc_atomic
) > 0)", file=file@entry=0x55cb488b63c8 "host.c", line=line@entry=309, function=function@entry=0x55cb488b6418 "HostShutdown") at assert.c:92
#3 0x00007f9df0593f12 in GI_assert_fail (assertion=0x55cb488b63a8 "!((h->use_cnt_sc_atomic
_) > 0)", file=0x55cb488b63c8 "host.c", line=309, function=0x55cb488b6418 "HostShutdown") at assert.c:101
#4 0x000055cb48629c21 in ?? ()
#5 0x000055cb48504946 in ?? ()
#6 0x00007f9df05882e1 in __libc_start_main (main=0x55cb48503250, argc=9, argv=0x7fff93e59cd8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff93e59cc8) at ../csu/libc-start.c:291
#7 0x000055cb48505f0a in ?? ()
(gdb) quit

Related issues 3 (0 open3 closed)

Has duplicate Suricata - Bug #2913: SIGABRT reading a pcapClosedActions
Copied to Suricata - Bug #5163: iprep: use_cnt can get desynchronized (SIGABRT)ClosedShivani BhardwajActions
Copied to Suricata - Bug #5164: iprep: use_cnt can get desynchronized (SIGABRT)ClosedJeff LucovskyActions
Actions #1

Updated by Peter Manev over 4 years ago

Investigating and further reproducing it with the provided pcap seems to be Stretch/libgc related as if I use any other OS (LTS/Buster) i can't seem to reproduce it.

Actions #2

Updated by Victor Julien over 4 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to TBD

Can you share the pcap and instructions?

Actions #3

Updated by sree hari over 4 years ago

Emailed you the link.

suricata -r /home/selks-user/Downloads/Router+192_168_10_1.pcap -k none -l /home/selks-user/Downloads/ --runmode autofp

Actions #4

Updated by Victor Julien about 4 years ago

  • Has duplicate Bug #2913: SIGABRT reading a pcap added
Actions #5

Updated by Carl Smith about 3 years ago

We had the same end result (assert due to host use_cnt invalid during shutdown) with IPREP rules where the host use_cnt was becoming very negative due to unbalanced incr/dec.

That fix is here:

May not be related.

Actions #6

Updated by Peter Manev over 1 year ago

This is still an issue and it seems to be triggered only when iprep is used.

Actions #7

Updated by Victor Julien over 1 year ago

  • Subject changed from sigabrt core. to iprep: use_cnt can get desynchronized (SIGABRT)
  • Status changed from Assigned to In Progress
  • Target version changed from TBD to 7.0.0-beta1
  • Label Needs backport to 5.0, Needs backport to 6.0 added
Actions #8

Updated by Victor Julien over 1 year ago

  • Status changed from In Progress to Closed
Actions #9

Updated by Jeff Lucovsky over 1 year ago

  • Copied to Bug #5163: iprep: use_cnt can get desynchronized (SIGABRT) added
Actions #10

Updated by Jeff Lucovsky over 1 year ago

  • Copied to Bug #5164: iprep: use_cnt can get desynchronized (SIGABRT) added

Also available in: Atom PDF