Bug #4273 (closed)

protodetect: SEGV due to NULL ptr deref

Added by Peter Manev over 3 years ago. Updated about 3 years ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label: Needs backport, Needs backport to 5.0, Needs backport to 6.0

Description

As reported by - https://github.com/StamusNetworks/SELKS/issues/285#issuecomment-765382351

This is Suricata version 7.0.0-dev (3a8ba663a 2021-01-13)
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
SIMD support: none
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 8.3.0, C version 201112
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.36, linked against LibHTP v0.5.36

Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no

Unix socket enabled: yes
Detection enabled: yes

Libmagic support: yes
libjansson support: yes
hiredis support: yes
hiredis async with libevent: no
Prelude support: no
PCRE jit: yes
LUA support: yes, through luajit
libluajit: yes
GeoIP2 support: yes
Non-bundled htp: yes
Hyperscan support: yes
Libnet support: yes
liblz4 support: yes

Rust support: yes
Rust strict mode: no
Rust compiler path: /root/.cargo/bin/rustc
Rust compiler version: rustc 1.49.0 (e1884a8e3 2020-12-29)
Cargo path: /root/.cargo/bin/cargo
Cargo version: cargo 1.49.0 (d00d64df9 2020-12-05)
Cargo vendor: yes

Python support: yes
Python path: /usr/bin/python3
Python distutils yes
Python yaml yes
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes

Profiling enabled: no
Profiling locks enabled: no

Plugin support (experimental): yes

Development settings:
Coccinelle / spatch: yes
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no

Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/

--prefix /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share

Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / g++ (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: yes
CFLAGS -g -O2 -fdebug-prefix-map=/STAMUS/SELKS6/Suricata/suricata-2021011401=. -fstack-protector-strong -Wformat -Werror=format-security -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
PCAP_CFLAGS -I/usr/include
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

# gdb /usr/bin/suricata /var/log/suricata/core/core
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/suricata...Reading symbols from /usr/lib/debug/.build-id/58/346f7cfd5262bc2dccbbd152659197b2e6c512.debug...done.
done.

warning: core file may not match specified executable file.
[New LWP 27105]
[New LWP 27111]
[New LWP 27110]
[New LWP 27107]
[New LWP 27106]
[New LWP 27108]
[New LWP 27109]
[New LWP 27094]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pi'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  SCACTileSearchTiny32 (ctx=0x557696e99ca0, mpm_thread_ctx=<optimized out>, pmq=0x7f15242d12c0, buf=0x0, buflen=8) at util-mpm-ac-ks-small.c:46
46      util-mpm-ac-ks-small.c: No such file or directory.
[Current thread is 1 (Thread 0x7f155fe49700 (LWP 27105))]
(gdb)
(gdb) set logging on
Copying output to gdb.txt.
(gdb) thread apply all bt

Thread 8 (Thread 0x7f1561752b00 (LWP 27094)):
#0  0x00007f1561baa720 in __GI___nanosleep (requested_time=requested_time@entry=0x7ffd33997340, remaining=remaining@entry=0x0) at ../sysdeps/unix/sysv/linux/nanosleep.c:28
#1  0x00007f1561bd5874 in usleep (useconds=useconds@entry=10000) at ../sysdeps/posix/usleep.c:32
#2  0x0000557696233b27 in SuricataMainLoop (suri=<optimized out>) at suricata.c:2644
#3  SuricataMain (argc=<optimized out>, argv=<optimized out>) at suricata.c:2805
#4  0x00007f1561b0809b in __libc_start_main (main=0x557696136950 <main>, argc=9, argv=0x7ffd33997498, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd33997488)
    at ../csu/libc-start.c:308
#5  0x000055769613698a in _start ()

Thread 7 (Thread 0x7f155d30b700 (LWP 27109)):
#0  futex_abstimed_wait_cancelable (private=0, abstime=0x7f155d30aad0, expected=0, futex_word=0x5576ce21cfc8) at ../sysdeps/unix/sysv/linux/futex-internal.h:205
#1  __pthread_cond_wait_common (abstime=0x7f155d30aad0, mutex=0x5576a124a760, cond=0x5576ce21cfa0) at pthread_cond_wait.c:539
#2  __pthread_cond_timedwait (cond=0x5576ce21cfa0, mutex=0x5576a124a760, abstime=abstime@entry=0x7f155d30aad0) at pthread_cond_wait.c:667
#3  0x00005576961679cc in StatsWakeupThread (arg=0x5576a4081250) at counters.c:487
#4  0x00007f1562a5bfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#5  0x00007f1561bdd4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 6 (Thread 0x7f155db0c700 (LWP 27108)):
#0  0x00007f1561baa720 in __GI___nanosleep (requested_time=requested_time@entry=0x7f155db0ba10, remaining=remaining@entry=0x0) at ../sysdeps/unix/sysv/linux/nanosleep.c:28
#1  0x00007f1561bd5874 in usleep (useconds=useconds@entry=100) at ../sysdeps/posix/usleep.c:32
#2  0x00005576961def16 in FlowRecycler (th_v=0x5576a2ea3d40, thread_data=0x7f1508000b20) at flow-manager.c:1210
#3  0x00005576962373e2 in TmThreadsManagement (td=0x5576a2ea3d40) at tm-threads.c:541
#4  0x00007f1562a5bfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#5  0x00007f1561bdd4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 5 (Thread 0x7f155f0ab700 (LWP 27106)):
#0  0x00007f1561bd2819 in __GI___poll (fds=fds@entry=0x7f155f0aa9d0, nfds=nfds@entry=1, timeout=timeout@entry=100) at ../sysdeps/unix/sysv/linux/poll.c:29
#1  0x00005576962195ad in poll (__timeout=100, __nfds=1, __fds=0x7f155f0aa9d0) at /usr/include/x86_64-linux-gnu/bits/poll2.h:46
#2  ReceiveAFPLoop (tv=0x5576b21e13e0, data=0x7f151c274b20, slot=<optimized out>) at source-af-packet.c:1544
#3  0x000055769623768c in TmThreadsSlotPktAcqLoop (td=0x5576b21e13e0) at tm-threads.c:312
#4  0x00007f1562a5bfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#5  0x00007f1561bdd4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 4 (Thread 0x7f155e30d700 (LWP 27107)):
#0  0x00007f1561baa720 in __GI___nanosleep (requested_time=requested_time@entry=0x7f155e30c9b0, remaining=remaining@entry=0x0) at ../sysdeps/unix/sysv/linux/nanosleep.c:28
#1  0x00007f1561bd5874 in usleep (useconds=useconds@entry=100) at ../sysdeps/posix/usleep.c:32
#2  0x00005576961df8a3 in FlowManager (th_v=0x5576a2e7cde0, thread_data=0x7f1520000b20) at flow-manager.c:1014
#3  0x00005576962373e2 in TmThreadsManagement (td=0x5576a2e7cde0) at tm-threads.c:541
#4  0x00007f1562a5bfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#5  0x00007f1561bdd4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 3 (Thread 0x7f155cb0a700 (LWP 27110)):
#0  futex_abstimed_wait_cancelable (private=0, abstime=0x7f155cb09ad0, expected=0, futex_word=0x5576ce26b5c8) at ../sysdeps/unix/sysv/linux/futex-internal.h:205
#1  __pthread_cond_wait_common (abstime=0x7f155cb09ad0, mutex=0x5576a12bb5c0, cond=0x5576ce26b5a0) at pthread_cond_wait.c:539
#2  __pthread_cond_timedwait (cond=0x5576ce26b5a0, mutex=0x5576a12bb5c0, abstime=abstime@entry=0x7f155cb09ad0) at pthread_cond_wait.c:667
#3  0x0000557696168013 in StatsMgmtThread (arg=<optimized out>) at counters.c:415
#4  0x00007f1562a5bfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#5  0x00007f1561bdd4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 2 (Thread 0x7f155c309700 (LWP 27111)):
#0  0x00007f1561bd5037 in __GI___select (nfds=7, readfds=readfds@entry=0x7f155c308850, writefds=writefds@entry=0x0, exceptfds=exceptfds@entry=0x0, timeout=timeout@entry=0x7f155c308840)
    at ../sysdeps/unix/sysv/linux/select.c:41
#1  0x000055769623ab15 in UnixMain (this=0x557696656f20 <command>) at unix-manager.c:650
#2  UnixManager (th_v=0x55769b359bb0, thread_data=<optimized out>) at unix-manager.c:1125
#3  0x00005576962373e2 in TmThreadsManagement (td=0x55769b359bb0) at tm-threads.c:541
#4  0x00007f1562a5bfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#5  0x00007f1561bdd4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
--Type <RET> for more, q to quit, c to continue without paging--

Thread 1 (Thread 0x7f155fe49700 (LWP 27105)):
#0  SCACTileSearchTiny32 (ctx=0x557696e99ca0, mpm_thread_ctx=<optimized out>, pmq=0x7f15242d12c0, buf=0x0, buflen=8) at util-mpm-ac-ks-small.c:46
#1  0x000055769613af7f in PMGetProtoInspect (rflow=0x7f155fe48527, pm_results=0x7f155fe48440, direction=41 ')', buflen=397, buf=0x0, f=0x7f15203aa6a0, mpm_tctx=<optimized out>,
    pm_ctx=0x557696647fe8 <alpd_ctx+72>, tctx=0x7f15242d12c0) at app-layer-detect-proto.c:275
#2  AppLayerProtoDetectPMGetProto (rflow=0x7f155fe48527, pm_results=0x7f155fe48440, direction=41 ')', buflen=397, buf=0x0, f=0x7f15203aa6a0, tctx=0x7f15242d12c0) at app-layer-detect-proto.c:342
#3  AppLayerProtoDetectGetProto (tctx=0x7f15242d12c0, f=f@entry=0x7f15203aa6a0, buf=buf@entry=0x0, buflen=buflen@entry=397, ipproto=ipproto@entry=6 '\006', direction=direction@entry=41 ')',
    reverse_flow=0x7f155fe48527) at app-layer-detect-proto.c:1551
#4  0x0000557696138df4 in TCPProtoDetect (tv=0x5576b75b1fa0, ra_ctx=0x7f15242d1270, app_tctx=app_tctx@entry=0x7f15242d12a0, p=p@entry=0x7f1524274150, f=f@entry=0x7f15203aa6a0,
    ssn=ssn@entry=0x7f151c3321b0, stream=0x7f155fe48648, data=0x0, data_len=397, flags=41 ')') at app-layer.c:336
#5  0x0000557696139921 in AppLayerHandleTCPData (tv=tv@entry=0x5576b75b1fa0, ra_ctx=ra_ctx@entry=0x7f15242d1270, p=p@entry=0x7f1524274150, f=0x7f15203aa6a0, ssn=ssn@entry=0x7f151c3321b0,
    stream=stream@entry=0x7f155fe48648, data=0x0, data_len=397, flags=41 ')') at app-layer.c:642
#6  0x000055769622dbb7 in ReassembleUpdateAppLayer (dir=UPDATE_DIR_PACKET, p=0x7f1524274150, stream=0x7f155fe48648, ssn=0x7f151c3321b0, ra_ctx=0x7f15242d1270, tv=0x5576b75b1fa0)
    at stream-tcp-reassemble.c:1175
#7  StreamTcpReassembleAppLayer (tv=tv@entry=0x5576b75b1fa0, ra_ctx=ra_ctx@entry=0x7f15242d1270, ssn=ssn@entry=0x7f151c3321b0, stream=<optimized out>, stream@entry=0x7f151c3321c0,
    p=p@entry=0x7f1524274150, dir=dir@entry=UPDATE_DIR_PACKET) at stream-tcp-reassemble.c:1238
#8  0x000055769622eb23 in StreamTcpReassembleHandleSegment (tv=tv@entry=0x5576b75b1fa0, ra_ctx=0x7f15242d1270, ssn=ssn@entry=0x7f151c3321b0, stream=0x7f151c3321c0, p=p@entry=0x7f1524274150,
    pq=pq@entry=0x7f15242d0f68) at stream-tcp-reassemble.c:1900
#9  0x000055769622392e in HandleEstablishedPacketToClient (stt=<optimized out>, pq=<optimized out>, p=<optimized out>, ssn=<optimized out>, tv=<optimized out>) at stream-tcp.c:2318
#10 StreamTcpPacketStateEstablished (tv=0x5576b75b1fa0, p=0x7f1524274150, stt=stt@entry=0x7f15242d0f60, ssn=0x7f151c3321b0, pq=0x7f15242d0f68) at stream-tcp.c:2702
#11 0x0000557696228da8 in StreamTcpStateDispatch (tv=0x5576b75b1fa0, p=0x7f1524274150, stt=0x7f15242d0f60, ssn=0x7f151c3321b0, pq=0x7f15242d0f68, state=<optimized out>) at stream-tcp.c:4703
#12 0x000055769622a682 in StreamTcpPacket (tv=0x5576b75b1fa0, p=0x7f1524274150, stt=0x7f15242d0f60, pq=0x7f15242aeb40) at stream-tcp.c:4889
#13 0x000055769622ae24 in StreamTcp (tv=tv@entry=0x5576b75b1fa0, p=p@entry=0x7f1524274150, data=<optimized out>, pq=pq@entry=0x7f15242aeb40) at stream-tcp.c:5225
#14 0x00005576961e2a2f in FlowWorkerStreamTCPUpdate (detect_thread=0x7f15243a3520, p=0x7f1524274150, fw=0x7f15242aeb10, tv=0x5576b75b1fa0) at flow-worker.c:524
#15 FlowWorker (tv=0x5576b75b1fa0, p=0x7f1524274150, data=0x7f15242aeb10) at flow-worker.c:524
#16 0x0000557696235fa2 in TmThreadsSlotVarRun (tv=tv@entry=0x5576b75b1fa0, p=p@entry=0x7f1524274150, slot=<optimized out>) at tm-threads.c:117
#17 0x0000557696219102 in TmThreadsSlotProcessPkt (p=0x7f1524274150, s=<optimized out>, tv=0x5576b75b1fa0) at tm-threads.h:192
#18 AFPReadFromRing (ptv=ptv@entry=0x7f1524274b20) at source-af-packet.c:1011
#19 0x00005576962196c9 in ReceiveAFPLoop (tv=0x5576b75b1fa0, data=0x7f1524274b20, slot=<optimized out>) at source-af-packet.c:1571
#20 0x000055769623768c in TmThreadsSlotPktAcqLoop (td=0x5576b75b1fa0) at tm-threads.c:312
#21 0x00007f1562a5bfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#22 0x00007f1561bdd4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

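The backtrace above shows the shape of the defect: the TCP reassembly path hands protocol detection a `data=0x0` buffer with `data_len=397`, and the multi-pattern search in frame #0 dereferences it (clamped to `buflen=8`). The following is an added illustration, not Suricata's code: `demo_mpm_search` and `demo_proto_detect` are hypothetical stand-ins that mirror that call chain, and the caller shows the input check a practitioner would expect before the pointer reaches the search, turning an inconsistent (NULL, non-zero length) pair into a logged bail-out instead of a SIGSEGV.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the multi-pattern search in frame #0: it reads the
 * buffer unconditionally, so a NULL buf with a non-zero buflen dereferences
 * NULL, which is exactly what the core dump above shows. Only the first
 * PREFIX_SEARCH_LEN bytes are inspected, which is why a 397-byte buflen at the
 * caller appears as buflen=8 in the innermost frame. */
#define PREFIX_SEARCH_LEN 8

static uint32_t demo_mpm_search(const uint8_t *buf, uint32_t buflen,
                                const char *pattern)
{
    uint32_t plen = (uint32_t)strlen(pattern);
    uint32_t matches = 0;

    if (buflen > PREFIX_SEARCH_LEN)
        buflen = PREFIX_SEARCH_LEN;
    for (uint32_t i = 0; i + plen <= buflen; i++) {
        /* buf is dereferenced here: with buf == NULL this is the crash site */
        if (memcmp(buf + i, pattern, plen) == 0)
            matches++;
    }
    return matches;
}

/* Hypothetical protodetect-style caller. It validates the (pointer, length)
 * pair before the search runs rather than trusting the reassembly layer. */
enum demo_result { DEMO_NO_MATCH = 0, DEMO_MATCH = 1, DEMO_INVALID_INPUT = -1 };

static int demo_proto_detect(const uint8_t *data, uint32_t data_len,
                             const char *pattern)
{
    if (data == NULL) {
        if (data_len != 0) {
            /* Inconsistent caller state (the bug's trigger): log and bail
             * rather than crash the worker thread. */
            fprintf(stderr, "protodetect: NULL data with data_len=%u, skipping\n",
                    data_len);
            return DEMO_INVALID_INPUT;
        }
        return DEMO_NO_MATCH;   /* empty input: nothing to inspect */
    }
    if (data_len == 0)
        return DEMO_NO_MATCH;
    return demo_mpm_search(data, data_len, pattern) > 0 ? DEMO_MATCH
                                                        : DEMO_NO_MATCH;
}

int main(void)
{
    /* Constructed sample payload, not taken from the reporter's traffic. */
    static const uint8_t sample[] = "GET / HTTP/1.1\r\nHost: example\r\n";

    printf("sample   -> %d\n", demo_proto_detect(sample, sizeof(sample) - 1, "GET "));
    printf("NULL/397 -> %d\n", demo_proto_detect(NULL, 397, "GET "));
    printf("NULL/0   -> %d\n", demo_proto_detect(NULL, 0, "GET "));
    return 0;
}
```

The check belongs at the boundary where the buffer is handed over (the equivalent of the `AppLayerHandleTCPData` / `TCPProtoDetect` frames), because the search routine itself is a hot path that is written to trust its arguments; a debug-validation assert at the same point would catch the inconsistent state in test runs before it reaches production.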

Related issues (3): 0 open, 3 closed

Blocked by Suricata - Bug #4171: Failed assert in TCPProtoDetectCheckBailConditions size_ts > 1000000UL (Closed, Philippe Antoine)
Copied to Suricata - Bug #4717: protodetect: SEGV due to NULL ptr deref (Closed, Shivani Bhardwaj)
Copied to Suricata - Bug #4718: protodetect: SEGV due to NULL ptr deref (Closed, Jeff Lucovsky)