Project

General

Profile

Actions
Copy link

Bug #4568

closed

Double free in suricata-5.0.3

Added by sreenivasa penupolu over 2 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

We have implemented fiberblaze interface to read packets in suricata

Read loop looks like {
//Read packet from fiberblaze
PacketGetFromQueueOrAlloc()

PacketSetData
TmThreadsSlotProcessPkt
StatsSyncCountersIfSignalled
PacketFreeOrRelease
}

There is nothing under thread deinit.

We are seeing double free being reported in logs when suricata is stopped.

Jul 23 09:38:37 u4 suricata: 23/7/2021 - 09:38:37 - <Notice> - Signal Received. Stopping engine.
Jul 23 09:38:38 -u4 suricata: * Error in `/opt/suricata/bin/suricata': double free or corruption (out): 0x00007fc48535ff10 *
Jul 23 09:38:38 -u4 suricata: ======= Backtrace: =========
Jul 23 09:38:38 -u4 suricata: /lib64/libc.so.6(+0x7c619)[0x7fc49ba57619]
Jul 23 09:38:38 -u4 suricata: /opt/suricata/bin/suricata(+0x26bef0)[0x558f858abef0]
Jul 23 09:38:38 -u4 suricata: /opt/suricata/bin/suricata(+0x271aa9)[0x558f858b1aa9]
Jul 23 09:38:38 -u4 suricata: /lib64/libpthread.so.0(+0x7e25)[0x7fc49d162e25]
Jul 23 09:38:38 -u4 suricata: /lib64/libc.so.6(clone+0x6d)[0x7fc49bad334d]

By attaching to gdb, Looks like flow manager cleanup and PacketPoolDestroy are both freeing same pointer. But am not sure.

Can you let me know if there is some issue in the way we pass packets to suricata or if there is any known issue related to this.

Files

suricata.yaml (11.4 KB) suricata.yaml sreenivasa penupolu, 07/29/2021 07:19 AM
Actions
Copy link
 #1

Updated by Victor Julien over 2 years ago

Are you able to do a build with address sanitizer enabled? It may provide a more useful trace.

Actions
Copy link
 #2

Updated by sreenivasa penupolu over 2 years ago

Victor Julien wrote in #note-1:

Are you able to do a build with address sanitizer enabled? It may provide a more useful trace.

I get the following trace when I start suricata. So, as it doesnt start am not able to try stopping and seeing if double free happens.

Jul 29 07:08:50 unit-9 suricata: Out of memory. Dying.
Jul 29 07:08:50 unit-9 suricata: The process has exhausted 8192MB for size class 2816.

Attaching yaml file being used.

Actions
Copy link
 #3

Updated by sreenivasa penupolu over 2 years ago

The issue was because of not setting ReleasePacket while passing the packet pointer.
Default ReleasePacket was releasing directly without removing from pool.
PacketPoolDestroy was doing second free and causing crash.

Please go ahead and close this bug.

Actions
Copy link
 #4

Updated by Philippe Antoine over 1 year ago

  • Status changed from New to Closed

Closing as requested

Actions
Copy link

Also available in: Atom PDF