Bug #4568

open

Double free in suricata-5.0.3

Added by sreenivasa penupolu about 2 months ago. Updated about 1 month ago.

Status: New
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

We have implemented fiberblaze interface to read packets in suricata

Read loop looks like {
    // Read packet from fiberblaze
    Packet *p = PacketGetFromQueueOrAlloc();
    if (p == NULL)
        continue;
    PacketSetData(p, pkt_data, pkt_len);
    TmThreadsSlotProcessPkt(tv, slot, p);
    StatsSyncCountersIfSignalled(tv);
    PacketFreeOrRelease(p);
}

There is nothing under thread deinit.

We are seeing double free being reported in logs when suricata is stopped.

Jul 23 09:38:37 u4 suricata: 23/7/2021 - 09:38:37 - <Notice> - Signal Received. Stopping engine.
Jul 23 09:38:38 -u4 suricata: *** Error in `/opt/suricata/bin/suricata': double free or corruption (out): 0x00007fc48535ff10 ***
Jul 23 09:38:38 -u4 suricata: ======= Backtrace: =========
Jul 23 09:38:38 -u4 suricata: /lib64/libc.so.6(+0x7c619)[0x7fc49ba57619]
Jul 23 09:38:38 -u4 suricata: /opt/suricata/bin/suricata(+0x26bef0)[0x558f858abef0]
Jul 23 09:38:38 -u4 suricata: /opt/suricata/bin/suricata(+0x271aa9)[0x558f858b1aa9]
Jul 23 09:38:38 -u4 suricata: /lib64/libpthread.so.0(+0x7e25)[0x7fc49d162e25]
Jul 23 09:38:38 -u4 suricata: /lib64/libc.so.6(clone+0x6d)[0x7fc49bad334d]

By attaching gdb, it looks like flow manager cleanup and PacketPoolDestroy are both freeing the same pointer. But I am not sure.

Can you let me know if there is some issue in the way we pass packets to suricata, or if there is any known issue related to this?


Files

suricata.yaml (11.4 KB) suricata.yaml sreenivasa penupolu, 07/29/2021 07:19 AM
#1

Updated by Victor Julien about 2 months ago

Are you able to do a build with address sanitizer enabled? It may provide a more useful trace.

#2

Updated by sreenivasa penupolu about 2 months ago

Victor Julien wrote in #note-1:

Are you able to do a build with address sanitizer enabled? It may provide a more useful trace.

I get the following trace when I start suricata. So, as it doesn't start, I am not able to try stopping it and seeing if the double free happens.

Jul 29 07:08:50 unit-9 suricata: Out of memory. Dying.
Jul 29 07:08:50 unit-9 suricata: The process has exhausted 8192MB for size class 2816.

Attaching yaml file being used.

#3

Updated by sreenivasa penupolu about 1 month ago

The issue was because of not setting ReleasePacket while passing the packet pointer.
Default ReleasePacket was releasing directly without removing from pool.
PacketPoolDestroy was doing second free and causing crash.

Please go ahead and close this bug.
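The ownership contract behind the read loop in the description and the fix in #3 can be shown with a small model. The following is an added example, not Suricata code and not the reporter's fiberblaze module: Packet, PacketPool, PoolGet, PoolDestroy, DefaultRelease, CaptureRelease, ReadOne and Simulate are stand-ins for the corresponding Suricata pieces, and the "default hook frees the packet directly" behaviour is taken as an assumption from the reporter's diagnosis in #3. TrackedFree does ASan-style bookkeeping of freed pointers so the second release is counted rather than aborting the process, which is what the glibc "double free or corruption" message in the original log reports.

```c
#include <stdio.h>
#include <stdlib.h>

#define POOL_SIZE   4
#define MAX_TRACKED 64

/* Stand-in for Suricata's Packet: the engine calls p->ReleasePacket(p) when it
 * is done with a packet, and that hook decides where the packet goes. */
typedef struct Packet_ {
    const unsigned char *data;                /* capture buffer set by PacketSetData */
    size_t len;
    struct PacketPool_ *pool;                 /* pool that owns this packet */
    void (*ReleasePacket)(struct Packet_ *p);
    struct Packet_ *next;                     /* free-list link */
} Packet;

typedef struct PacketPool_ {
    Packet *free_head;                        /* packets available to the read loop */
    Packet *owned[POOL_SIZE];                 /* everything PoolDestroy will free */
} PacketPool;

/* ASan-style bookkeeping: remember each pointer handed to free() so a second
 * release of the same pointer is counted instead of corrupting the heap. */
static void *g_freed[MAX_TRACKED];
static int   g_nfreed, g_double_free, g_dropped;

static void TrackedFree(Packet *p)
{
    for (int i = 0; i < g_nfreed; i++) {
        if (g_freed[i] == (void *)p) {
            g_double_free++;                  /* glibc aborts here: "double free or corruption" */
            return;
        }
    }
    if (g_nfreed < MAX_TRACKED)
        g_freed[g_nfreed++] = p;
    free(p);
}

/* Model default (assumption from the report): release frees the packet
 * directly, leaving the pool's owned[] entry pointing at freed memory. */
static void DefaultRelease(Packet *p) { TrackedFree(p); }

/* Hook a capture module should install: return the NIC buffer, then hand the
 * Packet back to its pool so PoolDestroy is the only thing that ever frees it. */
static void CaptureRelease(Packet *p)
{
    /* the capture buffer would be returned to the NIC driver here */
    p->data = NULL;
    p->len = 0;
    p->next = p->pool->free_head;
    p->pool->free_head = p;
}

static void PoolInit(PacketPool *pool)
{
    pool->free_head = NULL;
    for (int i = 0; i < POOL_SIZE; i++) {
        Packet *p = calloc(1, sizeof(*p));
        p->pool = pool;
        p->ReleasePacket = DefaultRelease;
        p->next = pool->free_head;
        pool->free_head = p;
        pool->owned[i] = p;
    }
}

static Packet *PoolGet(PacketPool *pool)      /* pool half of PacketGetFromQueueOrAlloc */
{
    Packet *p = pool->free_head;
    if (p != NULL)
        pool->free_head = p->next;
    return p;
}

static void PoolDestroy(PacketPool *pool)     /* PacketPoolDestroy at engine shutdown */
{
    for (int i = 0; i < POOL_SIZE; i++)
        TrackedFree(pool->owned[i]);
}

/* One read-loop iteration in the shape of the report; set_release is the step
 * #3 identified as missing: installing p->ReleasePacket before the engine runs. */
static int ReadOne(PacketPool *pool, const unsigned char *buf, size_t len, int set_release)
{
    Packet *p = PoolGet(pool);
    if (p == NULL)
        return 0;                             /* pool drained: packet dropped */
    p->data = buf;
    p->len = len;                             /* PacketSetData */
    if (set_release)
        p->ReleasePacket = CaptureRelease;
    /* TmThreadsSlotProcessPkt() would run the pipeline here */
    p->ReleasePacket(p);                      /* PacketFreeOrRelease */
    return 1;
}

/* Runs npkts packets through the loop, then tears the pool down; returns how
 * many double frees the bookkeeping caught. LastDropped() reports drops. */
int Simulate(int set_release, int npkts)
{
    static const unsigned char frame[64] = { 0 };   /* constructed dummy frame */
    PacketPool pool;
    g_nfreed = g_double_free = g_dropped = 0;
    PoolInit(&pool);
    for (int i = 0; i < npkts; i++)
        if (!ReadOne(&pool, frame, sizeof(frame), set_release))
            g_dropped++;
    PoolDestroy(&pool);
    return g_double_free;
}

int LastDropped(void) { return g_dropped; }

int main(void)
{
    int df = Simulate(0, 10);
    printf("ReleasePacket not set: %d double frees, %d packets dropped\n", df, LastDropped());
    df = Simulate(1, 10);
    printf("ReleasePacket set:     %d double frees, %d packets dropped\n", df, LastDropped());
    return 0;
}
```

Without the hook, every pool packet is freed on its first use, the pool drains after POOL_SIZE packets (the rest are dropped), and PoolDestroy then frees each of those packets a second time; with the hook installed the packets cycle through the free list and PoolDestroy frees each exactly once. Building with -fsanitize=address, as suggested in #1, gives the same verdict on the real engine with the allocating and freeing stacks attached.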
