Bug #4273

protodetect: SEGV due to NULL ptr deref

Added by Peter Manev almost 4 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label: Needs backport, Needs backport to 5.0, Needs backport to 6.0

Description

As reported by - https://github.com/StamusNetworks/SELKS/issues/285#issuecomment-765382351

This is Suricata version 7.0.0-dev (3a8ba663a 2021-01-13)
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
SIMD support: none
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 8.3.0, C version 201112
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.36, linked against LibHTP v0.5.36

Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no

Unix socket enabled: yes
Detection enabled: yes

Libmagic support: yes
libjansson support: yes
hiredis support: yes
hiredis async with libevent: no
Prelude support: no
PCRE jit: yes
LUA support: yes, through luajit
libluajit: yes
GeoIP2 support: yes
Non-bundled htp: yes
Hyperscan support: yes
Libnet support: yes
liblz4 support: yes

Rust support: yes
Rust strict mode: no
Rust compiler path: /root/.cargo/bin/rustc
Rust compiler version: rustc 1.49.0 (e1884a8e3 2020-12-29)
Cargo path: /root/.cargo/bin/cargo
Cargo version: cargo 1.49.0 (d00d64df9 2020-12-05)
Cargo vendor: yes

Python support: yes
Python path: /usr/bin/python3
Python distutils yes
Python yaml yes
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes

Profiling enabled: no
Profiling locks enabled: no

Plugin support (experimental): yes

Development settings:
Coccinelle / spatch: yes
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no

Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/

--prefix /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share

Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / g++ (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: yes
CFLAGS -g -O2 -fdebug-prefix-map=/STAMUS/SELKS6/Suricata/suricata-2021011401=. -fstack-protector-strong -Wformat -Werror=format-security -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
PCAP_CFLAGS -I/usr/include
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

# gdb /usr/bin/suricata /var/log/suricata/core/core
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/suricata...Reading symbols from /usr/lib/debug/.build-id/58/346f7cfd5262bc2dccbbd152659197b2e6c512.debug...done.
done.

warning: core file may not match specified executable file.
[New LWP 27105]
[New LWP 27111]
[New LWP 27110]
[New LWP 27107]
[New LWP 27106]
[New LWP 27108]
[New LWP 27109]
[New LWP 27094]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pi'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  SCACTileSearchTiny32 (ctx=0x557696e99ca0, mpm_thread_ctx=<optimized out>, pmq=0x7f15242d12c0, buf=0x0, buflen=8) at util-mpm-ac-ks-small.c:46
46      util-mpm-ac-ks-small.c: No such file or directory.
[Current thread is 1 (Thread 0x7f155fe49700 (LWP 27105))]
(gdb)
(gdb) set logging on
Copying output to gdb.txt.
(gdb) thread apply all bt

Thread 8 (Thread 0x7f1561752b00 (LWP 27094)):
#0  0x00007f1561baa720 in __GI___nanosleep (requested_time=requested_time@entry=0x7ffd33997340, remaining=remaining@entry=0x0) at ../sysdeps/unix/sysv/linux/nanosleep.c:28
#1  0x00007f1561bd5874 in usleep (useconds=useconds@entry=10000) at ../sysdeps/posix/usleep.c:32
#2  0x0000557696233b27 in SuricataMainLoop (suri=<optimized out>) at suricata.c:2644
#3  SuricataMain (argc=<optimized out>, argv=<optimized out>) at suricata.c:2805
#4  0x00007f1561b0809b in __libc_start_main (main=0x557696136950 <main>, argc=9, argv=0x7ffd33997498, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd33997488)
    at ../csu/libc-start.c:308
#5  0x000055769613698a in _start ()

Thread 7 (Thread 0x7f155d30b700 (LWP 27109)):
#0  futex_abstimed_wait_cancelable (private=0, abstime=0x7f155d30aad0, expected=0, futex_word=0x5576ce21cfc8) at ../sysdeps/unix/sysv/linux/futex-internal.h:205
#1  __pthread_cond_wait_common (abstime=0x7f155d30aad0, mutex=0x5576a124a760, cond=0x5576ce21cfa0) at pthread_cond_wait.c:539
#2  __pthread_cond_timedwait (cond=0x5576ce21cfa0, mutex=0x5576a124a760, abstime=abstime@entry=0x7f155d30aad0) at pthread_cond_wait.c:667
#3  0x00005576961679cc in StatsWakeupThread (arg=0x5576a4081250) at counters.c:487
#4  0x00007f1562a5bfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#5  0x00007f1561bdd4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 6 (Thread 0x7f155db0c700 (LWP 27108)):
#0  0x00007f1561baa720 in __GI___nanosleep (requested_time=requested_time@entry=0x7f155db0ba10, remaining=remaining@entry=0x0) at ../sysdeps/unix/sysv/linux/nanosleep.c:28
#1  0x00007f1561bd5874 in usleep (useconds=useconds@entry=100) at ../sysdeps/posix/usleep.c:32
#2  0x00005576961def16 in FlowRecycler (th_v=0x5576a2ea3d40, thread_data=0x7f1508000b20) at flow-manager.c:1210
#3  0x00005576962373e2 in TmThreadsManagement (td=0x5576a2ea3d40) at tm-threads.c:541
#4  0x00007f1562a5bfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#5  0x00007f1561bdd4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 5 (Thread 0x7f155f0ab700 (LWP 27106)):
#0  0x00007f1561bd2819 in __GI___poll (fds=fds@entry=0x7f155f0aa9d0, nfds=nfds@entry=1, timeout=timeout@entry=100) at ../sysdeps/unix/sysv/linux/poll.c:29
#1  0x00005576962195ad in poll (__timeout=100, __nfds=1, __fds=0x7f155f0aa9d0) at /usr/include/x86_64-linux-gnu/bits/poll2.h:46
#2  ReceiveAFPLoop (tv=0x5576b21e13e0, data=0x7f151c274b20, slot=<optimized out>) at source-af-packet.c:1544
#3  0x000055769623768c in TmThreadsSlotPktAcqLoop (td=0x5576b21e13e0) at tm-threads.c:312
#4  0x00007f1562a5bfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#5  0x00007f1561bdd4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 4 (Thread 0x7f155e30d700 (LWP 27107)):
#0  0x00007f1561baa720 in __GI___nanosleep (requested_time=requested_time@entry=0x7f155e30c9b0, remaining=remaining@entry=0x0) at ../sysdeps/unix/sysv/linux/nanosleep.c:28
#1  0x00007f1561bd5874 in usleep (useconds=useconds@entry=100) at ../sysdeps/posix/usleep.c:32
#2  0x00005576961df8a3 in FlowManager (th_v=0x5576a2e7cde0, thread_data=0x7f1520000b20) at flow-manager.c:1014
#3  0x00005576962373e2 in TmThreadsManagement (td=0x5576a2e7cde0) at tm-threads.c:541
#4  0x00007f1562a5bfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#5  0x00007f1561bdd4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 3 (Thread 0x7f155cb0a700 (LWP 27110)):
#0  futex_abstimed_wait_cancelable (private=0, abstime=0x7f155cb09ad0, expected=0, futex_word=0x5576ce26b5c8) at ../sysdeps/unix/sysv/linux/futex-internal.h:205
#1  __pthread_cond_wait_common (abstime=0x7f155cb09ad0, mutex=0x5576a12bb5c0, cond=0x5576ce26b5a0) at pthread_cond_wait.c:539
#2  __pthread_cond_timedwait (cond=0x5576ce26b5a0, mutex=0x5576a12bb5c0, abstime=abstime@entry=0x7f155cb09ad0) at pthread_cond_wait.c:667
#3  0x0000557696168013 in StatsMgmtThread (arg=<optimized out>) at counters.c:415
#4  0x00007f1562a5bfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#5  0x00007f1561bdd4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 2 (Thread 0x7f155c309700 (LWP 27111)):
#0  0x00007f1561bd5037 in __GI___select (nfds=7, readfds=readfds@entry=0x7f155c308850, writefds=writefds@entry=0x0, exceptfds=exceptfds@entry=0x0, timeout=timeout@entry=0x7f155c308840)
    at ../sysdeps/unix/sysv/linux/select.c:41
#1  0x000055769623ab15 in UnixMain (this=0x557696656f20 <command>) at unix-manager.c:650
#2  UnixManager (th_v=0x55769b359bb0, thread_data=<optimized out>) at unix-manager.c:1125
#3  0x00005576962373e2 in TmThreadsManagement (td=0x55769b359bb0) at tm-threads.c:541
#4  0x00007f1562a5bfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#5  0x00007f1561bdd4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
--Type <RET> for more, q to quit, c to continue without paging--

Thread 1 (Thread 0x7f155fe49700 (LWP 27105)):
#0  SCACTileSearchTiny32 (ctx=0x557696e99ca0, mpm_thread_ctx=<optimized out>, pmq=0x7f15242d12c0, buf=0x0, buflen=8) at util-mpm-ac-ks-small.c:46
#1  0x000055769613af7f in PMGetProtoInspect (rflow=0x7f155fe48527, pm_results=0x7f155fe48440, direction=41 ')', buflen=397, buf=0x0, f=0x7f15203aa6a0, mpm_tctx=<optimized out>,
    pm_ctx=0x557696647fe8 <alpd_ctx+72>, tctx=0x7f15242d12c0) at app-layer-detect-proto.c:275
#2  AppLayerProtoDetectPMGetProto (rflow=0x7f155fe48527, pm_results=0x7f155fe48440, direction=41 ')', buflen=397, buf=0x0, f=0x7f15203aa6a0, tctx=0x7f15242d12c0) at app-layer-detect-proto.c:342
#3  AppLayerProtoDetectGetProto (tctx=0x7f15242d12c0, f=f@entry=0x7f15203aa6a0, buf=buf@entry=0x0, buflen=buflen@entry=397, ipproto=ipproto@entry=6 '\006', direction=direction@entry=41 ')',
    reverse_flow=0x7f155fe48527) at app-layer-detect-proto.c:1551
#4  0x0000557696138df4 in TCPProtoDetect (tv=0x5576b75b1fa0, ra_ctx=0x7f15242d1270, app_tctx=app_tctx@entry=0x7f15242d12a0, p=p@entry=0x7f1524274150, f=f@entry=0x7f15203aa6a0,
    ssn=ssn@entry=0x7f151c3321b0, stream=0x7f155fe48648, data=0x0, data_len=397, flags=41 ')') at app-layer.c:336
#5  0x0000557696139921 in AppLayerHandleTCPData (tv=tv@entry=0x5576b75b1fa0, ra_ctx=ra_ctx@entry=0x7f15242d1270, p=p@entry=0x7f1524274150, f=0x7f15203aa6a0, ssn=ssn@entry=0x7f151c3321b0,
    stream=stream@entry=0x7f155fe48648, data=0x0, data_len=397, flags=41 ')') at app-layer.c:642
#6  0x000055769622dbb7 in ReassembleUpdateAppLayer (dir=UPDATE_DIR_PACKET, p=0x7f1524274150, stream=0x7f155fe48648, ssn=0x7f151c3321b0, ra_ctx=0x7f15242d1270, tv=0x5576b75b1fa0)
    at stream-tcp-reassemble.c:1175
#7  StreamTcpReassembleAppLayer (tv=tv@entry=0x5576b75b1fa0, ra_ctx=ra_ctx@entry=0x7f15242d1270, ssn=ssn@entry=0x7f151c3321b0, stream=<optimized out>, stream@entry=0x7f151c3321c0,
    p=p@entry=0x7f1524274150, dir=dir@entry=UPDATE_DIR_PACKET) at stream-tcp-reassemble.c:1238
#8  0x000055769622eb23 in StreamTcpReassembleHandleSegment (tv=tv@entry=0x5576b75b1fa0, ra_ctx=0x7f15242d1270, ssn=ssn@entry=0x7f151c3321b0, stream=0x7f151c3321c0, p=p@entry=0x7f1524274150,
    pq=pq@entry=0x7f15242d0f68) at stream-tcp-reassemble.c:1900
#9  0x000055769622392e in HandleEstablishedPacketToClient (stt=<optimized out>, pq=<optimized out>, p=<optimized out>, ssn=<optimized out>, tv=<optimized out>) at stream-tcp.c:2318
#10 StreamTcpPacketStateEstablished (tv=0x5576b75b1fa0, p=0x7f1524274150, stt=stt@entry=0x7f15242d0f60, ssn=0x7f151c3321b0, pq=0x7f15242d0f68) at stream-tcp.c:2702
#11 0x0000557696228da8 in StreamTcpStateDispatch (tv=0x5576b75b1fa0, p=0x7f1524274150, stt=0x7f15242d0f60, ssn=0x7f151c3321b0, pq=0x7f15242d0f68, state=<optimized out>) at stream-tcp.c:4703
#12 0x000055769622a682 in StreamTcpPacket (tv=0x5576b75b1fa0, p=0x7f1524274150, stt=0x7f15242d0f60, pq=0x7f15242aeb40) at stream-tcp.c:4889
#13 0x000055769622ae24 in StreamTcp (tv=tv@entry=0x5576b75b1fa0, p=p@entry=0x7f1524274150, data=<optimized out>, pq=pq@entry=0x7f15242aeb40) at stream-tcp.c:5225
#14 0x00005576961e2a2f in FlowWorkerStreamTCPUpdate (detect_thread=0x7f15243a3520, p=0x7f1524274150, fw=0x7f15242aeb10, tv=0x5576b75b1fa0) at flow-worker.c:524
#15 FlowWorker (tv=0x5576b75b1fa0, p=0x7f1524274150, data=0x7f15242aeb10) at flow-worker.c:524
#16 0x0000557696235fa2 in TmThreadsSlotVarRun (tv=tv@entry=0x5576b75b1fa0, p=p@entry=0x7f1524274150, slot=<optimized out>) at tm-threads.c:117
#17 0x0000557696219102 in TmThreadsSlotProcessPkt (p=0x7f1524274150, s=<optimized out>, tv=0x5576b75b1fa0) at tm-threads.h:192
#18 AFPReadFromRing (ptv=ptv@entry=0x7f1524274b20) at source-af-packet.c:1011
#19 0x00005576962196c9 in ReceiveAFPLoop (tv=0x5576b75b1fa0, data=0x7f1524274b20, slot=<optimized out>) at source-af-packet.c:1571
#20 0x000055769623768c in TmThreadsSlotPktAcqLoop (td=0x5576b75b1fa0) at tm-threads.c:312
#21 0x00007f1562a5bfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#22 0x00007f1561bdd4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95


Related issues: 3 (0 open, 3 closed)

Blocked by Suricata - Bug #4171: Failed assert in TCPProtoDetectCheckBailConditions size_ts > 1000000UL (Closed, Philippe Antoine)
Copied to Suricata - Bug #4717: protodetect: SEGV due to NULL ptr deref (Closed, Shivani Bhardwaj)
Copied to Suricata - Bug #4718: protodetect: SEGV due to NULL ptr deref (Closed, Jeff Lucovsky)
#1

Updated by Peter Manev almost 4 years ago

The issue seems very similar to https://redmine.openinfosecfoundation.org/issues/2141
hs produces

(util-mpm-hs.c:952) (SCHSSearch) -- [ERRCODE: SC_ERR_FATAL(171)] - Hyperscan returned error -1

#2

Updated by Peter Manev almost 4 years ago

Other choices of algos segfault/fail in a similar manner - https://github.com/StamusNetworks/SELKS/issues/285#issuecomment-771543404

#3

Updated by Victor Julien almost 4 years ago

  • Status changed from New to Assigned
  • Assignee set to Philippe Antoine
  • Target version set to 7.0.0-beta1

Seems we're passing a NULL ptr from protodetect to pattern matching, which shouldn't happen. Philippe can you have a look and also see if this needs to be fixed in 5 and 6?

#4

Updated by Victor Julien almost 4 years ago

  • Subject changed from SIGSEV with ac-ks to protodetect: SEGV due to NULL ptr deref

#5

Updated by Philippe Antoine almost 4 years ago

This seems to happen with a midstream start having a gap.

I am not sure about this condition:

```
if (mydata == NULL && mydata_len > 0 && CheckGap(ssn, *stream, p)) {
```

How can we have mydata == NULL && mydata_len > 0 and not CheckGap?

A proposal is in Gitlab for testing.

#6

Updated by Philippe Antoine almost 4 years ago

  • Status changed from Assigned to In Review

#7

Updated by Philippe Antoine over 3 years ago

  • Blocked by Bug #4171: Failed assert in TCPProtoDetectCheckBailConditions size_ts > 1000000UL added

#8

Updated by Philippe Antoine over 3 years ago

#4171 keeps being triggered by fuzz_sigpcap_aware, preventing us from finding new bugs...

#9

Updated by Philippe Antoine over 3 years ago

It looks to me that to trigger this bug, we need:
- a gap at the stream start
- to reach the stream depth
- and CheckGap has to return false

I do not manage to get these conditions together...

Peter, do you have the core information? Does the offending flow have alproto* set?

#10

Updated by Philippe Antoine over 3 years ago

Oh, but I see flags=41 in the stack trace, that means STREAM_START | STREAM_MIDSTREAM but no STREAM_DEPTH

I do not see how we can reach stream-tcp-reassemble.c:1175 with data=0x0, data_len=397, flags=41 ')'
As in the same block we have, previously in a while loop:

```
if (mydata == NULL && mydata_len > 0 && CheckGap(ssn, *stream, p)) {
    // some stuff
    continue; // or break or return
} else if (flags & STREAM_DEPTH) {
    // flags = 41 so we do not get here
} else if (mydata == NULL || (mydata_len == 0 && ((flags & STREAM_EOF) == 0))) {
    // some stuff
    break;
}
// some stuff
// line 1175
```
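The branch structure quoted in this comment and the three conditions listed in #9, as an added C model written for this page (it is not Suricata's code): it decodes the trace's flags=41 using the bit positions assumed here from Suricata's stream.h, runs the crash's values (data NULL, length 397) through the if/else chain with CheckGap modelled as a boolean, and shows the consistency check a pattern-matcher entry point should apply before touching a buffer. `stream_flags_str`, `reaches_applayer_call` and `pm_input_is_sane` are hypothetical names.

```c
/* Added example (editor's model, not Suricata code): decode the stream flags
 * seen in the backtrace and walk the branch structure quoted in the comment
 * for the crash's values. Bit positions are assumed to match Suricata's
 * stream.h (START = bit 0 ... FLUSH = bit 7). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STREAM_START     (1u << 0)
#define STREAM_EOF       (1u << 1)
#define STREAM_TOSERVER  (1u << 2)
#define STREAM_TOCLIENT  (1u << 3)
#define STREAM_GAP       (1u << 4)
#define STREAM_DEPTH     (1u << 5)
#define STREAM_MIDSTREAM (1u << 6)
#define STREAM_FLUSH     (1u << 7)

/* Render a flags byte as "NAME|NAME|..." into out; returns out. */
const char *stream_flags_str(uint8_t flags, char *out, size_t outlen)
{
    static const struct { uint8_t bit; const char *name; } names[] = {
        { STREAM_START, "START" },         { STREAM_EOF, "EOF" },
        { STREAM_TOSERVER, "TOSERVER" },   { STREAM_TOCLIENT, "TOCLIENT" },
        { STREAM_GAP, "GAP" },             { STREAM_DEPTH, "DEPTH" },
        { STREAM_MIDSTREAM, "MIDSTREAM" }, { STREAM_FLUSH, "FLUSH" },
    };
    out[0] = '\0';
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        if (!(flags & names[i].bit))
            continue;
        if (out[0] != '\0')
            strncat(out, "|", outlen - strlen(out) - 1);
        strncat(out, names[i].name, outlen - strlen(out) - 1);
    }
    return out;
}

/* Model of one iteration of the reassembly loop sketched in the comment:
 * returns true when control falls past the if/else chain, i.e. reaches the
 * app-layer call (line 1175 in the trace) with the given buffer. check_gap
 * stands in for the result of CheckGap(). */
bool reaches_applayer_call(const uint8_t *mydata, uint32_t mydata_len,
                           uint8_t flags, bool check_gap)
{
    if (mydata == NULL && mydata_len > 0 && check_gap) {
        return false;   /* gap branch: continue, no app-layer call */
    } else if (flags & STREAM_DEPTH) {
        /* depth branch: no break, so the call below still happens */
    } else if (mydata == NULL || (mydata_len == 0 && (flags & STREAM_EOF) == 0)) {
        return false;   /* break: nothing to hand over */
    }
    return true;        /* app-layer call, with mydata passed as-is */
}

/* Defensive check at the pattern-matcher boundary: a NULL buffer with a
 * non-zero length is inconsistent and must be rejected before any search,
 * whichever upstream path produced it. */
bool pm_input_is_sane(const uint8_t *buf, uint32_t buflen)
{
    return buflen == 0 || buf != NULL;
}

int main(void)
{
    char s[64];
    /* Values taken from the backtrace: data=0x0, data_len=397, flags=41. */
    printf("flags=41 -> %s\n", stream_flags_str(41, s, sizeof(s)));
    printf("NULL/397/flags=41 reaches the app-layer call: %s\n",
           reaches_applayer_call(NULL, 397, 41, false) ? "yes" : "no");
    printf("same input without the DEPTH bit (flags=9): %s\n",
           reaches_applayer_call(NULL, 397, 9, false) ? "yes" : "no");
    printf("pattern-matcher guard accepts NULL/397: %s\n",
           pm_input_is_sane(NULL, 397) ? "yes" : "no");
    return 0;
}
```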

#11

Updated by Peter Manev over 3 years ago

Another update, not sure if helpful:

Will this data be enough?

```
(gdb) bt full
#0  SCACTileSearchTiny32 (ctx=0x55838a3427d0, mpm_thread_ctx=<optimized out>, pmq=0x7f1d5b1bd3b0, buf=0x0, buflen=8) at util-mpm-ac-ks-small.c:46
        i = 0
        matches = 0
        mpm_bitarray = "\000\000" 
        xlate = 0x55838a3427d8 "\001\002\003\004" 
        state_table = 0x55838a353a10 "\200\200\200\200\200\201\203\211\217\200\200\200\200\200\200\200\225\200\200\200\242\200\232\236\200" 
        state = 0 '\000'
        c = <optimized out>
#1  0x0000558389776f5f in PMGetProtoInspect (rflow=0x7f1da7a63527, pm_results=0x7f1da7a63440, direction=41 ')', buflen=205, buf=0x0, f=0x7f1d3b771db0, mpm_tctx=<optimized out>,
    pm_ctx=0x558389c83fc8 <alpd_ctx+72>, tctx=0x7f1d5b1bd3b0) at app-layer-detect-proto.c:275
        pm_matches = 0
        searchlen = 8
        search_cnt = <optimized out>
        pm_results_bf = "\000\000\000" 
        pm_matches = <optimized out>
        searchlen = <optimized out>
        search_cnt = <optimized out>
        pm_results_bf = <optimized out>
        cnt = <optimized out>
        s = <optimized out>
        proto = <optimized out>
#2  AppLayerProtoDetectPMGetProto (rflow=0x7f1da7a63527, pm_results=0x7f1da7a63440, direction=41 ')', buflen=205, buf=0x0, f=0x7f1d3b771db0, tctx=0x7f1d5b1bd3b0) at app-layer-detect-proto.c:342
        pm_ctx = 0x558389c83fc8 <alpd_ctx+72>
        mpm_tctx = <optimized out>
        m = -1
        pm_ctx = <optimized out>
        mpm_tctx = <optimized out>
        m = <optimized out>
        om = <optimized out>
#3  AppLayerProtoDetectGetProto (tctx=0x7f1d5b1bd3b0, f=f@entry=0x7f1d3b771db0, buf=buf@entry=0x0, buflen=buflen@entry=205, ipproto=ipproto@entry=6 '\006', direction=direction@entry=41 ')',
    reverse_flow=0x7f1da7a63527) at app-layer-detect-proto.c:1551
        pm_results = {0, 15223, 32541, 0, 29408, 56344, 21891, 0, 28928, 53986, 21891, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0}
        pm_matches = <optimized out>
        alproto = 0
        pm_alproto = 0
#4  0x0000558389774dd4 in TCPProtoDetect (tv=0x5583abfd7e50, ra_ctx=0x7f1d5b1bd360, app_tctx=app_tctx@entry=0x7f1d5b1bd390, p=p@entry=0x7f1d5b160140, f=f@entry=0x7f1d3b771db0,
    ssn=ssn@entry=0x7f1d2539f4d0, stream=0x7f1da7a63648, data=0x0, data_len=205, flags=41 ')') at app-layer.c:336
        alproto = 0x7f1d3b771e6e
        alproto_otherdir = 0x7f1d3b771e6c
        direction = 1
        reverse_flow = false
#5  0x0000558389775901 in AppLayerHandleTCPData (tv=tv@entry=0x5583abfd7e50, ra_ctx=ra_ctx@entry=0x7f1d5b1bd360, p=p@entry=0x7f1d5b160140, f=0x7f1d3b771db0, ssn=ssn@entry=0x7f1d2539f4d0,
    stream=stream@entry=0x7f1da7a63648, data=0x0, data_len=205, flags=41 ')') at app-layer.c:642
        app_tctx = <optimized out>
        alproto = <optimized out>
        r = 0
        direction = 1
#6  0x0000558389869e67 in ReassembleUpdateAppLayer (dir=UPDATE_DIR_PACKET, p=0x7f1d5b160140, stream=0x7f1da7a63648, ssn=0x7f1d2539f4d0, ra_ctx=0x7f1d5b1bd360, tv=0x5583abfd7e50)
    at stream-tcp-reassemble.c:1174
        flags = <optimized out>
        check_for_gap_ahead = <optimized out>
        new_app_progress = <optimized out>
        mydata = 0x0
        mydata_len = 205
        app_progress = 0
        gap_ahead = <optimized out>
        last_was_gap = false
        app_progress = <optimized out>
--Type <RET> for more, q to quit, c to continue without paging--
        mydata = <optimized out>
        mydata_len = <optimized out>
        gap_ahead = <optimized out>
        last_was_gap = <optimized out>
        flags = <optimized out>
        check_for_gap_ahead = <optimized out>
        new_app_progress = <optimized out>
        r = <optimized out>
        no_progress_update = <optimized out>
#7  StreamTcpReassembleAppLayer (tv=tv@entry=0x5583abfd7e50, ra_ctx=ra_ctx@entry=0x7f1d5b1bd360, ssn=ssn@entry=0x7f1d2539f4d0, stream=<optimized out>, stream@entry=0x7f1d2539f4e0,
    p=p@entry=0x7f1d5b160140, dir=dir@entry=UPDATE_DIR_PACKET) at stream-tcp-reassemble.c:1237
No locals.
#8  0x000055838986add3 in StreamTcpReassembleHandleSegment (tv=tv@entry=0x5583abfd7e50, ra_ctx=0x7f1d5b1bd360, ssn=ssn@entry=0x7f1d2539f4d0, stream=0x7f1d2539f4e0, p=p@entry=0x7f1d5b160140,
    pq=pq@entry=0x7f1d5b1bd058) at stream-tcp-reassemble.c:1899
        opposing_stream = 0x7f1d2539f560
        dir = UPDATE_DIR_PACKET
#9  0x000055838985fbee in HandleEstablishedPacketToClient (stt=<optimized out>, pq=<optimized out>, p=<optimized out>, ssn=<optimized out>, tv=<optimized out>) at stream-tcp.c:2318
        zerowindowprobe = <optimized out>
        zerowindowprobe = <optimized out>
        ack_diff = <optimized out>
        ack_diff = <optimized out>
        ack_diff = <optimized out>
        ack_diff = <optimized out>
        sacked_size__ = <optimized out>
#10 StreamTcpPacketStateEstablished (tv=0x5583abfd7e50, p=0x7f1d5b160140, stt=stt@entry=0x7f1d5b1bd050, ssn=0x7f1d2539f4d0, pq=0x7f1d5b1bd058) at stream-tcp.c:2702
No locals.
#11 0x0000558389865068 in StreamTcpStateDispatch (tv=0x5583abfd7e50, p=0x7f1d5b160140, stt=0x7f1d5b1bd050, ssn=0x7f1d2539f4d0, pq=0x7f1d5b1bd058, state=<optimized out>) at stream-tcp.c:4703
No locals.
#12 0x0000558389866942 in StreamTcpPacket (tv=0x5583abfd7e50, p=0x7f1d5b160140, stt=0x7f1d5b1bd050, pq=0x7f1d5b19ac20) at stream-tcp.c:4889
        ssn = 0x7f1d2539f4d0
#13 0x00005583898670e4 in StreamTcp (tv=tv@entry=0x5583abfd7e50, p=p@entry=0x7f1d5b160140, data=<optimized out>, pq=pq@entry=0x7f1d5b19ac20) at stream-tcp.c:5225
        stt = <optimized out>
#14 0x000055838981eccf in FlowWorkerStreamTCPUpdate (detect_thread=0x55841d6e8750, p=0x7f1d5b160140, fw=0x7f1d5b19abf0, tv=0x5583abfd7e50) at flow-worker.c:524
        x = <optimized out>
        x = <optimized out>
#15 FlowWorker (tv=0x5583abfd7e50, p=0x7f1d5b160140, data=0x7f1d5b19abf0) at flow-worker.c:524
        fw = 0x7f1d5b19abf0
        detect_thread = 0x55841d6e8750
#16 0x0000558389872262 in TmThreadsSlotVarRun (tv=tv@entry=0x5583abfd7e50, p=p@entry=0x7f1d5b160140, slot=<optimized out>) at tm-threads.c:117
        r = <optimized out>
        s = 0x55839552eae0
#17 0x00005583898553c2 in TmThreadsSlotProcessPkt (p=0x7f1d5b160140, s=<optimized out>, tv=0x5583abfd7e50) at tm-threads.h:192
        r = <optimized out>
        r = <optimized out>
#18 AFPReadFromRing (ptv=ptv@entry=0x7f1d5b160b20) at source-af-packet.c:1011
        p = 0x7f1d5b160140
        h = {h2 = 0x7f1d57fb71a0, h3 = 0x7f1d57fb71a0, raw = 0x7f1d57fb71a0}
        emergency_flush = 0 '\000'
        read_pkts = 2
        loop_start = -1
#19 0x0000558389855989 in ReceiveAFPLoop (tv=0x5583abfd7e50, data=0x7f1d5b160b20, slot=<optimized out>) at source-af-packet.c:1571
        ptv = 0x7f1d5b160b20
        fds = {fd = 7, events = 1, revents = 1}
        r = <optimized out>
        s = <optimized out>
        last_dump = 1626694085
        current_time = <optimized out>
        AFPReadFunc = <optimized out>
--Type <RET> for more, q to quit, c to continue without paging--
        discarded_pkts = <optimized out>
        __FUNCTION__ = "ReceiveAFPLoop" 
#20 0x000055838987394c in TmThreadsSlotPktAcqLoop (td=0x5583abfd7e50) at tm-threads.c:312
        tv = 0x5583abfd7e50
        s = 0x5583b8b042b0
        run = 1 '\001'
        r = <optimized out>
        slot = <optimized out>
        __FUNCTION__ = "TmThreadsSlotPktAcqLoop" 
#21 0x00007f1daa6e1fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
        ret = <optimized out>
        pd = <optimized out>
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139765343471360, -8490725896049826362, 140730217742686, 140730217742687, 139765343471360, 140730217742960, 8363657869228074438,
                8363665083564254662}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
#22 0x00007f1da98634cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
No locals.
```

#12

Updated by Sergey Svinarev over 3 years ago

Hi!
I initiated the original bug report on GitHub:
https://github.com/StamusNetworks/SELKS/issues/285

Is there anything else I can help with in troubleshooting this issue?
The problem is relevant and often reproduced.

#14

Updated by Philippe Antoine over 3 years ago

  • Label Needs backport, Needs backport to 5.0, Needs backport to 6.0 added

#16

Updated by Shivani Bhardwaj over 3 years ago

  • Copied to Bug #4717: protodetect: SEGV due to NULL ptr deref added

#17

Updated by Shivani Bhardwaj over 3 years ago

  • Copied to Bug #4718: protodetect: SEGV due to NULL ptr deref added

#18

Updated by Philippe Antoine over 3 years ago

  • Status changed from In Review to Closed