Support #4544

closed

Suricata 4.1.6 crashes while handling SMB traffic

Added by Srini J almost 3 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

We are running Suricata 4.1.6 in Alpine Linux 3.11.11 and hit a crash while Suricata was processing SMB traffic. From the backtrace, this issue looks similar to https://redmine.openinfosecfoundation.org/issues/2993. We plan on upgrading to Suricata 4.1.10 for now (upgrading to Suricata 5.0.x is not an immediate option).
We would like to know if backporting the following commits would help fix this issue in Suricata 4.1.10. Kindly advise.

Commits:
https://github.com/OISF/suricata/pull/4492/commits/a742c86741022996cd892819a1a3172288361a89
https://github.com/OISF/suricata/pull/4492/commits/0f41cf3d74dec2ba095b43a5957247d78391a1ed
https://github.com/OISF/suricata/pull/4492/commits/2c050187a3ad78388e57781c4feb74426bc75e21

/home/source/suricata-4.1.6 # gdb ./src/.libs/suricata
GNU gdb (GDB) 8.3.1
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-alpine-linux-musl".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./src/.libs/suricata...

(gdb) core-file /home/source/crash/core.26727.W#01-0
warning: core file may not match specified executable file.
[New LWP 11]
[New LWP 7]
[New LWP 10]
[New LWP 8]
[New LWP 9]
[New LWP 12]
[New LWP 13]
[New LWP 14]
[New LWP 15]
[New LWP 16]
[New LWP 17]
warning: Can't read pathname for load map: No error information.
Core was generated by `suricata -c /etc/suricata/suricata-netmap.yaml -vvv --netmap'.
Program terminated with signal SIGABRT, Aborted.
#0  __restore_sigs (set=set@entry=0x7fa8dae52b70) at ./arch/x86_64/syscall_arch.h:40
40      ./arch/x86_64/syscall_arch.h: No such file or directory.
[Current thread is 1 (LWP 11)]
(gdb) bt
#0  __restore_sigs (set=set@entry=0x7fa8dae52b70) at ./arch/x86_64/syscall_arch.h:40
#1  0x00007fa8ddc39b4e in raise (sig=sig@entry=6) at src/signal/raise.c:11
#2  0x00007fa8ddc1172a in abort () at src/exit/abort.c:13
#3  0x000055edb38f61e7 in std::sys::unix::abort_internal ()
#4  0x000055edb38d36fd in rust_oom ()
#5  0x000055edb3912487 in alloc::alloc::handle_alloc_error ()
#6  0x000055edb386cef1 in alloc::raw_vec::RawVec<T,A>::allocate_in (capacity=4294967219, zeroed=255, a=...)
    at /home/buildozer/aports/community/rust/src/rustc-1.39.0-src/src/liballoc/raw_vec.rs:102
#7  alloc::raw_vec::RawVec<T>::with_capacity_zeroed (capacity=4294967219)
    at /home/buildozer/aports/community/rust/src/rustc-1.39.0-src/src/liballoc/raw_vec.rs:173
#8  <u8 as alloc::vec::SpecFromElem>::from_elem (elem=0, n=4294967219)
    at /home/buildozer/aports/community/rust/src/rustc-1.39.0-src/src/liballoc/vec.rs:1675
#9  alloc::vec::from_elem (elem=0, n=4294967219) at /home/buildozer/aports/community/rust/src/rustc-1.39.0-src/src/liballoc/vec.rs:1654
#10 suricata::smb::smb::SMBState::parse_tcp_data_tc_gap (self=0x55edba6377c0, gap_size=<optimized out>) at src/smb/smb.rs:1723
#11 rs_smb_parse_response_tcp_gap (state=0x55edba6377c0, input_len=<optimized out>) at src/smb/smb.rs:1853
#12 0x000055edb34fbaf6 in RustSMBTCPParseResponse (f=0x55edc141a340, state=0x55edba6377c0, pstate=0x55edb9e3e2e0, input=0x0,
    input_len=4294967219, local_data=0x0, flags=24 '\030') at app-layer-smb-tcp-rust.c:69
#13 0x000055edb34f860b in AppLayerParserParse (tv=0x55edb9473d20, alp_tctx=0x55edbb7b8920, f=0x55edc141a340, alproto=9, flags=24 '\030',
    input=0x0, input_len=4294967219) at app-layer-parser.c:1202
#14 0x000055edb3497d15 in AppLayerHandleTCPData (tv=0x55edb9473d20, ra_ctx=0x55edb8e37e20, p=0x55edbc12b1c0, f=0x55edc141a340,
    ssn=0x55edb854a040, stream=0x55edb854a050, data=0x0, data_len=4294967219, flags=24 '\030') at app-layer.c:578
#15 0x000055edb36c2dab in ReassembleUpdateAppLayer (tv=0x55edb9473d20, ra_ctx=0x55edb8e37e20, ssn=0x55edb854a040, stream=0x55edb854a050,
    p=0x55edbc12b1c0, dir=UPDATE_DIR_PACKET) at stream-tcp-reassemble.c:1014
#16 0x000055edb36c3163 in StreamTcpReassembleAppLayer (tv=0x55edb9473d20, ra_ctx=0x55edb8e37e20, ssn=0x55edb854a040, stream=0x55edb854a050,
    p=0x55edbc12b1c0, dir=UPDATE_DIR_PACKET) at stream-tcp-reassemble.c:1141
#17 0x000055edb36c4557 in StreamTcpReassembleHandleSegment (tv=0x55edb9473d20, ra_ctx=0x55edb8e37e20, ssn=0x55edb854a040,
    stream=0x55edb854a050, p=0x55edbc12b1c0, pq=0x55edbb800e68) at stream-tcp-reassemble.c:1800
#18 0x000055edb36b2db6 in HandleEstablishedPacketToClient (tv=0x55edb9473d20, ssn=0x55edb854a040, p=0x55edbc12b1c0, stt=0x55edbb800e60,
    pq=0x55edbb800e68) at stream-tcp.c:2407
#19 0x000055edb36b38a3 in StreamTcpPacketStateEstablished (tv=0x55edb9473d20, p=0x55edbc12b1c0, stt=0x55edbb800e60, ssn=0x55edb854a040,
    pq=0x55edbb800e68) at stream-tcp.c:2644
#20 0x000055edb36baa03 in StreamTcpStateDispatch (tv=0x55edb9473d20, p=0x55edbc12b1c0, stt=0x55edbb800e60, ssn=0x55edb854a040,
    pq=0x55edbb800e68, state=4 '\004') at stream-tcp.c:4649
#21 0x000055edb36bb1a2 in StreamTcpPacket (tv=0x55edb9473d20, p=0x55edbc12b1c0, stt=0x55edbb800e60, pq=0x55edb9473c40) at stream-tcp.c:4834
#22 0x000055edb36bbafb in StreamTcp (tv=0x55edb9473d20, p=0x55edbc12b1c0, data=0x55edbb800e60, pq=0x55edb9473c40, postpq=0x0)
    at stream-tcp.c:5170
#23 0x000055edb36078be in FlowWorker (tv=0x55edb9473d20, p=0x55edbc12b1c0, data=0x55edb9473c20, preq=0x55edbb6a6a00, unused=0x0)
    at flow-worker.c:228
#24 0x000055edb36d48b3 in TmThreadsSlotVarRun (tv=0x55edb9473d20, p=0x55edbc12b1c0, slot=0x55edbb6a6860) at tm-threads.c:144
#25 0x000055edb36949c2 in TmThreadsSlotProcessPkt (tv=0x55edb9473d20, s=0x55edbb6a6860, p=0x55edbc12b1c0) at tm-threads.h:148
--Type <RET> for more, q to quit, c to continue without paging--
#26 0x000055edb369f695 in NetmapRingRead (ntv=0x55edb73c93c0, ring_id=0) at source-netmap.c:1009
#27 0x000055edb36a004f in ReceiveNetmapLoop (tv=0x55edb9473d20, data=0x55edb73c93c0, slot=0x55edb9473e40) at source-netmap.c:1108
#28 0x000055edb36d5564 in TmThreadsSlotPktAcqLoop (td=0x55edb9473d20) at tm-threads.c:370
#29 0x00007fa8ddc46723 in start (p=0x7fa8dae54420) at src/thread/pthread_create.c:192
#30 0x00007fa8ddc48852 in __clone () at src/thread/x86_64/clone.s:22
Backtrace stopped: frame did not save the PC
(gdb)


Files

crash_bt.txt (5.83 KB), Crash backtrace, Srini J, 06/23/2021 12:34 PM
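
Added example, not part of the ticket and not Suricata's code: frames #6 to #12 of the backtrace show a zero-filled buffer of 4294967219 bytes being requested for a stream gap, with the failed allocation aborting the process. The sketch below bounds the length and allocates fallibly for that pattern; `MAX_GAP_FILL`, `GapError`, `wrapped_negative` and `zero_gap_buffer` are hypothetical names, and the 1 MiB limit is an assumed value.

```rust
// Added illustration; not Suricata source. All names here are hypothetical.
// Needs Rust 1.57 or newer for Vec::try_reserve_exact.

/// Assumed upper bound on how many zero bytes to synthesize for one gap.
const MAX_GAP_FILL: usize = 1 << 20; // 1 MiB, an assumed value

#[derive(Debug, PartialEq)]
enum GapError {
    /// Gap length exceeds MAX_GAP_FILL. `as_signed` holds the value read as
    /// i32 when the top bit is set, a hint that a subtraction underflowed.
    TooLarge { gap_size: u32, as_signed: Option<i32> },
    /// The allocator refused the request.
    AllocFailed,
}

/// Reinterpret a u32 length as i32 if its top bit is set.
fn wrapped_negative(len: u32) -> Option<i32> {
    if len > i32::MAX as u32 { Some(len as i32) } else { None }
}

/// Build the zero-filled stand-in for a gap without aborting on bad input.
fn zero_gap_buffer(gap_size: u32) -> Result<Vec<u8>, GapError> {
    let n = gap_size as usize;
    if n > MAX_GAP_FILL {
        return Err(GapError::TooLarge {
            gap_size,
            as_signed: wrapped_negative(gap_size),
        });
    }
    let mut buf: Vec<u8> = Vec::new();
    // try_reserve_exact returns Err on allocation failure, whereas
    // vec![0; n] ends in handle_alloc_error and abort (frames #2 to #9).
    buf.try_reserve_exact(n).map_err(|_| GapError::AllocFailed)?;
    buf.resize(n, 0);
    Ok(buf)
}

fn main() {
    // Length taken from frame #12 of the backtrace (input_len).
    println!("{:?}", zero_gap_buffer(4294967219));
    // A small, constructed gap length for comparison.
    println!("{:?}", zero_gap_buffer(77).map(|b| b.len()));
}
```

Read as a signed 32-bit value, the length in the backtrace is -77, so logging the signed form alongside the rejected length makes this kind of crash easier to triage.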
Actions #1

Updated by Srini J almost 3 years ago

Actions #2

Updated by Victor Julien almost 3 years ago

  • Description updated (diff)
  • Priority changed from High to Normal
  • Label deleted (Needs backport to 4.1)
Actions #3

Updated by Victor Julien almost 3 years ago

I think these commits should do it. I would still strongly recommend upgrading to the most recent 5 or 6 version. We consider 4.1 and anything below EOL.

Actions #4

Updated by Srini J almost 3 years ago

Thank you for the update, Victor. Sure, we do have a plan on upgrading to version 5.

Regards,
Srini

Actions #5

Updated by Victor Julien over 2 years ago

  • Status changed from New to Closed