Project

General

Profile

Actions

Bug #2833

closed

mem leak - rules loading hunt rules

Added by Peter Manev over 5 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
low
Difficulty:
low
Label:

Description

wget https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules

pevma@DonPedro:~/Work/Suricata/tests/tmp$ sudo  LSAN_OPTIONS=suppressions=/home/pevma/Work/Suricata/suricomp/suricata/qa/lsan.suppress ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-6.0/bin/llvm-symbolizer   /opt/suricata-asan/bin/suricata -T -S hunting.rules  
[2017] 18/2/2019 -- 09:14:44 - (suricata.c:1889) <Info> (ParseCommandLine) -- Running suricata under test mode
[2017] 18/2/2019 -- 09:14:44 - (suricata.c:1085) <Notice> (LogVersion) -- This is Suricata version 5.0.0-dev (rev 7811498d)
[2017] 18/2/2019 -- 09:14:45 - (suricata.c:2995) <Notice> (main) -- Configuration provided was successfully loaded. Exiting.

=================================================================
==2017==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 20 byte(s) in 7 object(s) allocated from:
    #0 0x4ce333 in __interceptor_malloc (/opt/suricata-asan/bin/suricata+0x4ce333)
    #1 0x7efc3f888a14 in pcre_get_substring (/lib/x86_64-linux-gnu/libpcre.so.3+0x28a14)
    #2 0x427959 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (/opt/suricata-asan/bin/suricata+0x427959)

Direct leak of 2 byte(s) in 1 object(s) allocated from:
    #0 0x4ce333 in __interceptor_malloc (/opt/suricata-asan/bin/suricata+0x4ce333)
    #1 0x7efc3f888a14 in pcre_get_substring (/lib/x86_64-linux-gnu/libpcre.so.3+0x28a14)
    #2 0x427959 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (/opt/suricata-asan/bin/suricata+0x427959)
    #3 0x128fa08 in SigMatchAlloc /home/pevma/Work/Suricata/suricomp/suricata/src/detect-parse.c:236:1
    #4 0xe87e19 in DetectFlowSetup /home/pevma/Work/Suricata/suricomp/suricata/src/detect-flow.c:406:1
    #5 0x12983f7 in SigParseOptions /home/pevma/Work/Suricata/suricomp/suricata/src/detect-parse.c:724:13
    #6 0x1294490 in SigParse /home/pevma/Work/Suricata/suricomp/suricata/src/detect-parse.c:1155:19
    #7 0x129e1c3 in SigInitHelper /home/pevma/Work/Suricata/suricomp/suricata/src/detect-parse.c:1785:9
    #8 0x129db25 in SigInit /home/pevma/Work/Suricata/suricomp/suricata/src/detect-parse.c:1918:16
    #9 0x129fc05 in DetectEngineAppendSig /home/pevma/Work/Suricata/suricomp/suricata/src/detect-parse.c:2192:22
    #10 0xd162ea in DetectLoadSigFile /home/pevma/Work/Suricata/suricomp/suricata/src/detect-engine-loader.c:169:15
    #11 0xd11505 in ProcessSigFiles /home/pevma/Work/Suricata/suricomp/suricata/src/detect-engine-loader.c:248:13
    #12 0xd0f487 in SigLoadSignatures /home/pevma/Work/Suricata/suricomp/suricata/src/detect-engine-loader.c:327:15
    #13 0x18288b3 in LoadSignatures /home/pevma/Work/Suricata/suricomp/suricata/src/suricata.c:2442:9
    #14 0x181d936 in PostConfLoadedDetectSetup /home/pevma/Work/Suricata/suricomp/suricata/src/suricata.c:2593:17
    #15 0x1808911 in main /home/pevma/Work/Suricata/suricomp/suricata/src/suricata.c:2992:5
    #16 0x7efc3e95009a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: 22 byte(s) leaked in 8 allocation(s).
pevma@DonPedro:~/Work/Suricata/tests/tmp$ 
pevma@DonPedro:~/Work/Suricata/tests/tmp$ /opt/suricata-asan/bin/suricata --build-info
This is Suricata version 5.0.0-dev (rev 7811498d)
Features: UNITTESTS PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS MAGIC RUST 
SIMD support: SSE_4_2 SSE_4_1 SSE_3 
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.2.1 Compatible Clang 7.0.1 (tags/RELEASE_701/final), C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.28, linked against LibHTP v0.5.28

Suricata Configuration:
  AF_PACKET support:                       yes
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  liblzma support:                         yes
  hiredis support:                         no
  hiredis async with libevent:             no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes, through luajit
  libluajit:                               yes
  libgeoip:                                yes
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  Hyperscan support:                       yes
  Libnet support:                          yes
  liblz4 support:                          yes

  Rust support:                            yes (default)
  Rust strict mode:                        yes
  Rust debug mode:                         no
  Rust compiler:                           rustc 1.31.0
  Rust cargo:                              cargo 1.31.0

  Install suricatasc:                      yes
  Install suricata-update:                 no

  Profiling enabled:                       no
  Profiling locks enabled:                 no

Development settings:
  Coccinelle / spatch:                     yes
  Unit tests enabled:                      yes
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /opt/suricata-asan
  Configuration directory:                 /opt/suricata-asan/etc/suricata/
  Log directory:                           /opt/suricata-asan/var/log/suricata/

  --prefix                                 /opt/suricata-asan
  --sysconfdir                             /opt/suricata-asan/etc
  --localstatedir                          /opt/suricata-asan/var
  --datarootdir                            /opt/suricata-asan/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                clang (exec name) / clang (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -ggdb3 -Werror -Wchar-subscripts -fno-strict-aliasing -fstack-protector-all -fsanitize=address -fno-omit-frame-pointer -Wno-unused-parameter -Wno-unused-function -march=native -I${srcdir}/../rust/gen/c-headers
  PCAP_CFLAGS                               -I/usr/include
  SECCFLAGS                                

Actions #1

Updated by Victor Julien over 5 years ago

  • Status changed from New to Assigned
  • Assignee set to Jeff Lucovsky
  • Target version set to 5.0beta1
Actions #2

Updated by Victor Julien over 5 years ago

  • Priority changed from Normal to High
Actions #3

Updated by Jeff Lucovsky over 5 years ago

Through trial and error, this is the single rule that causes the memory leaks; furthermore, the number of

tos
elements correlates to the number of leaking allocations.
alert ip any any -> any any (msg:"TGI HUNT non-DiffServ aware TOS setting"; flow:established,to_server; tos:!0; tos:!8; tos:!16; tos:!24; tos:!32; tos:!40; tos:!48; tos:!56; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2600124; rev:1;)

Actions #4

Updated by Jeff Lucovsky over 5 years ago

  • Status changed from Assigned to Resolved
  • Effort set to low
  • Difficulty set to low
Actions #5

Updated by Victor Julien over 5 years ago

  • Status changed from Resolved to Closed
  • Priority changed from High to Normal
Actions

Also available in: Atom PDF