Actions
Bug #2833
closedmem leak - rules loading hunt rules
Affected Versions:
Effort:
low
Difficulty:
low
Label:
Description
wget https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules
pevma@DonPedro:~/Work/Suricata/tests/tmp$ sudo LSAN_OPTIONS=suppressions=/home/pevma/Work/Suricata/suricomp/suricata/qa/lsan.suppress ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-6.0/bin/llvm-symbolizer /opt/suricata-asan/bin/suricata -T -S hunting.rules
[2017] 18/2/2019 -- 09:14:44 - (suricata.c:1889) <Info> (ParseCommandLine) -- Running suricata under test mode
[2017] 18/2/2019 -- 09:14:44 - (suricata.c:1085) <Notice> (LogVersion) -- This is Suricata version 5.0.0-dev (rev 7811498d)
[2017] 18/2/2019 -- 09:14:45 - (suricata.c:2995) <Notice> (main) -- Configuration provided was successfully loaded. Exiting.
=================================================================
==2017==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 20 byte(s) in 7 object(s) allocated from:
#0 0x4ce333 in __interceptor_malloc (/opt/suricata-asan/bin/suricata+0x4ce333)
#1 0x7efc3f888a14 in pcre_get_substring (/lib/x86_64-linux-gnu/libpcre.so.3+0x28a14)
#2 0x427959 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (/opt/suricata-asan/bin/suricata+0x427959)
Direct leak of 2 byte(s) in 1 object(s) allocated from:
#0 0x4ce333 in __interceptor_malloc (/opt/suricata-asan/bin/suricata+0x4ce333)
#1 0x7efc3f888a14 in pcre_get_substring (/lib/x86_64-linux-gnu/libpcre.so.3+0x28a14)
#2 0x427959 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (/opt/suricata-asan/bin/suricata+0x427959)
#3 0x128fa08 in SigMatchAlloc /home/pevma/Work/Suricata/suricomp/suricata/src/detect-parse.c:236:1
#4 0xe87e19 in DetectFlowSetup /home/pevma/Work/Suricata/suricomp/suricata/src/detect-flow.c:406:1
#5 0x12983f7 in SigParseOptions /home/pevma/Work/Suricata/suricomp/suricata/src/detect-parse.c:724:13
#6 0x1294490 in SigParse /home/pevma/Work/Suricata/suricomp/suricata/src/detect-parse.c:1155:19
#7 0x129e1c3 in SigInitHelper /home/pevma/Work/Suricata/suricomp/suricata/src/detect-parse.c:1785:9
#8 0x129db25 in SigInit /home/pevma/Work/Suricata/suricomp/suricata/src/detect-parse.c:1918:16
#9 0x129fc05 in DetectEngineAppendSig /home/pevma/Work/Suricata/suricomp/suricata/src/detect-parse.c:2192:22
#10 0xd162ea in DetectLoadSigFile /home/pevma/Work/Suricata/suricomp/suricata/src/detect-engine-loader.c:169:15
#11 0xd11505 in ProcessSigFiles /home/pevma/Work/Suricata/suricomp/suricata/src/detect-engine-loader.c:248:13
#12 0xd0f487 in SigLoadSignatures /home/pevma/Work/Suricata/suricomp/suricata/src/detect-engine-loader.c:327:15
#13 0x18288b3 in LoadSignatures /home/pevma/Work/Suricata/suricomp/suricata/src/suricata.c:2442:9
#14 0x181d936 in PostConfLoadedDetectSetup /home/pevma/Work/Suricata/suricomp/suricata/src/suricata.c:2593:17
#15 0x1808911 in main /home/pevma/Work/Suricata/suricomp/suricata/src/suricata.c:2992:5
#16 0x7efc3e95009a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
SUMMARY: AddressSanitizer: 22 byte(s) leaked in 8 allocation(s).
pevma@DonPedro:~/Work/Suricata/tests/tmp$
pevma@DonPedro:~/Work/Suricata/tests/tmp$ /opt/suricata-asan/bin/suricata --build-info
This is Suricata version 5.0.0-dev (rev 7811498d)
Features: UNITTESTS PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS MAGIC RUST
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.2.1 Compatible Clang 7.0.1 (tags/RELEASE_701/final), C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.28, linked against LibHTP v0.5.28
Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: no
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
liblzma support: yes
hiredis support: no
hiredis async with libevent: no
Prelude support: no
PCRE jit: yes
LUA support: yes, through luajit
libluajit: yes
libgeoip: yes
Non-bundled htp: no
Old barnyard2 support: no
Hyperscan support: yes
Libnet support: yes
liblz4 support: yes
Rust support: yes (default)
Rust strict mode: yes
Rust debug mode: no
Rust compiler: rustc 1.31.0
Rust cargo: cargo 1.31.0
Install suricatasc: yes
Install suricata-update: no
Profiling enabled: no
Profiling locks enabled: no
Development settings:
Coccinelle / spatch: yes
Unit tests enabled: yes
Debug output enabled: no
Debug validation enabled: no
Generic build parameters:
Installation prefix: /opt/suricata-asan
Configuration directory: /opt/suricata-asan/etc/suricata/
Log directory: /opt/suricata-asan/var/log/suricata/
--prefix /opt/suricata-asan
--sysconfdir /opt/suricata-asan/etc
--localstatedir /opt/suricata-asan/var
--datarootdir /opt/suricata-asan/share
Host: x86_64-pc-linux-gnu
Compiler: clang (exec name) / clang (real)
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -ggdb3 -Werror -Wchar-subscripts -fno-strict-aliasing -fstack-protector-all -fsanitize=address -fno-omit-frame-pointer -Wno-unused-parameter -Wno-unused-function -march=native -I${srcdir}/../rust/gen/c-headers
PCAP_CFLAGS -I/usr/include
SECCFLAGS
Updated by Victor Julien about 5 years ago
- Status changed from New to Assigned
- Assignee set to Jeff Lucovsky
- Target version set to 5.0beta1
Updated by Jeff Lucovsky about 5 years ago
Through trial and error, this is the single rule that causes the memory leaks; furthermore, the number of
toselements correlates to the number of leaking allocations.
alert ip any any -> any any (msg:"TGI HUNT non-DiffServ aware TOS setting"; flow:established,to_server; tos:!0; tos:!8; tos:!16; tos:!24; tos:!32; tos:!40; tos:!48; tos:!56; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2600124; rev:1;)
Updated by Jeff Lucovsky about 5 years ago
- Status changed from Assigned to Resolved
- Effort set to low
- Difficulty set to low
Updated by Victor Julien about 5 years ago
- Status changed from Resolved to Closed
- Priority changed from High to Normal
Actions