Project

General

Profile

Actions

Security #5408

closed

filestore: Segfault with filestore enabled and forced

Added by Jeff Lucovsky 3 months ago. Updated 3 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
CVE:
Git IDs:
Severity:
MODERATE

Description

Suricata will crash when filestore is enabled and the bigFlows.pcap is used. This was reported in the forum: https://forum.suricata.io/t/file-store-core-dumping-on-specific-pcap/2587

I've confirmed that the crash occurs on
  • master
  • master-6.0.x

The crash does not occur on master-5.0.x

The bigFlows.pcap is available here: https://tcpreplay.appneta.com/wiki/captures.html#bigflows-pcap

master: args" -c suricata.yaml -l /tmp/ll -r /home/jlucovsky/bigFlows.pcap"

Thread 15 "W#13" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffd9d13700 (LWP 241346)]
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x0000555555a1cb37 in AppLayerParserGetTx (ipproto=1 '\001', alproto=1, alstate=0x60c001eca3c0, tx_id=0) at app-layer-parser.c:1126
#2  0x0000555556106875 in CloseFile (p=0x61d0068f1080, f=0x612003090940, file=0x61100035ac40) at output-filedata.c:128
#3  0x0000555556107161 in OutputFiledataLogFfc (tv=0x612001d36ec0, td=0x602002e7d670, p=0x61d0068f1080, ffc=0x602002e60250, call_flags=8 '\b', file_close=false, file_trunc=false, dir=8 '\b') at output-filedata.c:209
#4  0x0000555556107493 in OutputFiledataLog (tv=0x612001d36ec0, p=0x61d0068f1080, thread_data=0x602002e7d670) at output-filedata.c:244
#5  0x00005555561038c4 in OutputLoggerLog (tv=0x612001d36ec0, p=0x61d0068f1080, thread_data=0x6020021117d0) at output.c:885
#6  0x00005555560ecf19 in FlowWorker (tv=0x612001d36ec0, p=0x61d0068f1080, data=0x61000016b040) at flow-worker.c:565
#7  0x00005555558953a8 in TmThreadsSlotVarRun (tv=0x612001d36ec0, p=0x61d0068f1080, slot=0x6060029821a0) at tm-threads.c:117
#8  0x0000555555897682 in TmThreadsSlotVar (td=0x612001d36ec0) at tm-threads.c:457
#9  0x00007ffff730d609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#10 0x00007ffff69ab133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

(gdb) fr 1
#1  0x0000555555a1cb37 in AppLayerParserGetTx (ipproto=1 '\001', alproto=1, alstate=0x60c001eca3c0, tx_id=0) at app-layer-parser.c:1126
1126        void *r = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateGetTx(alstate, tx_id);
(gdb) p alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto]
$1 = {Parser = {0x0, 0x0}, logger = false, first_data_dir = 0 '\000', logger_bits = 0, StateAlloc = 0x0, StateFree = 0x0, StateTransactionFree = 0x0, LocalStorageAlloc = 0x0, LocalStorageFree = 0x0, Truncate = 0x0, StateGetFiles = 0x0, StateGetProgress = 0x0, StateGetTxCnt = 0x0, StateGetTx = 0x0, StateGetTxIterator = 0x0,
  complete_ts = 0, complete_tc = 0, StateGetEventInfoById = 0x0, StateGetEventInfo = 0x0, GetTxData = 0x0, ApplyTxConfig = 0x0, SetStreamDepthFlag = 0x0, GetFrameIdByName = 0x0, GetFrameNameById = 0x0, stream_depth = 1048576, option_flags = 0, internal_flags = 0, RegisterUnittests = 0x0}
(gdb) p FlowGetProtoMapping(ipproto)
$2 = 2 '\002'
(gdb) p alproto
$3 = 1
(gdb) p ipproto
$4 = 1 '\001'

master-6.0.x: args" -c suricata.yaml -l /tmp/ll -r /home/jlucovsky/bigFlows.pcap"

gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x000055555595eea3 in AppLayerParserGetTx (ipproto=1 '\001', alproto=1, alstate=0x6080004cd920, tx_id=0) at app-layer-parser.c:1095
#2  0x00005555561f3383 in CloseFile (p=0x61d00026de80, f=0x612000d83640, file=0x6110007dc5c0) at output-filedata.c:137
#3  0x00005555561f3c69 in OutputFiledataLogFfc (tv=0x612001526bc0, td=0x602001f0de10, p=0x61d00026de80, ffc=0x6020009ede70, call_flags=8 '\b', file_close=false, file_trunc=false, dir=8 '\b') at output-filedata.c:218
#4  0x00005555561f3fe3 in OutputFiledataLog (tv=0x612001526bc0, p=0x61d00026de80, thread_data=0x602001f0de10) at output-filedata.c:253
#5  0x00005555561f03f3 in OutputLoggerLog (tv=0x612001526bc0, p=0x61d00026de80, thread_data=0x602001417f10) at output.c:882
#6  0x00005555561b1d21 in FlowWorker (tv=0x612001526bc0, p=0x61d00026de80, data=0x60d00073f1b0) at flow-worker.c:556
#7  0x00005555563c084f in TmThreadsSlotVarRun (tv=0x612001526bc0, p=0x61d00026de80, slot=0x60600225f0e0) at tm-threads.c:117
#8  0x00005555563c2b5e in TmThreadsSlotVar (td=0x612001526bc0) at tm-threads.c:463
#9  0x00007ffff730d609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#10 0x00007ffff6767133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb) fr 1
#1  0x000055555595eea3 in AppLayerParserGetTx (ipproto=1 '\001', alproto=1, alstate=0x6080004cd920, tx_id=0) at app-layer-parser.c:1095
1095        r = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
(gdb) list
1090
1091    void *AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
1092    {
1093        SCEnter();
1094        void * r = NULL;
1095        r = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
1096                    StateGetTx(alstate, tx_id);
1097        SCReturnPtr(r, "void *");
1098    }
1099
(gdb) p alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto]
$2 = {Parser = {0x0, 0x0}, logger = false, logger_bits = 0, StateAlloc = 0x0, StateFree = 0x0, StateTransactionFree = 0x0, LocalStorageAlloc = 0x0, LocalStorageFree = 0x0, Truncate = 0x0, StateGetFiles = 0x0, StateGetEvents = 0x0, StateGetProgress = 0x0, StateGetTxCnt = 0x0, StateGetTx = 0x0, StateGetTxIterator = 0x0,
  StateGetProgressCompletionStatus = 0x0, StateGetEventInfoById = 0x0, StateGetEventInfo = 0x0, GetTxDetectState = 0x0, SetTxDetectState = 0x0, GetTxData = 0x0, ApplyTxConfig = 0x0, SetStreamDepthFlag = 0x0, stream_depth = 1048576, first_data_dir = 0 '\000', option_flags = 0, internal_flags = 0, RegisterUnittests = 0x0}
(gdb) p FlowGetProtoMapping(ipproto)
$3 = 2 '\002'
(gdb) p alproto
$4 = 1
(gdb) p ipproto
$5 = 1 '\001'


Files

bad_icmp_test4.3.pcap (3.07 MB) bad_icmp_test4.3.pcap JP J, 06/30/2022 02:49 PM

Subtasks 1 (0 open1 closed)

Security #5431: filestore: Segfault with filestore enabled and forced (6.0.x backport)ClosedJason IshActions
Actions #1

Updated by Jeff Lucovsky 3 months ago

Both crashes (master, master-6.0.x) occur at the same point in the pcap

(gdb) p p->pcap_cnt
$1 = 291867

tcpdump (and wireshark, et al) show this to be an ICMP packet.

ICMP doesn't have a TX accessor:

$ git grep -l -e  AppLayerParserRegisterGetTx
rust/src/applayer.rs
src/app-layer-dnp3.c
src/app-layer-enip.c
src/app-layer-ftp.c
src/app-layer-htp.c
src/app-layer-parser.c
src/app-layer-parser.h
src/app-layer-register.c
src/app-layer-smtp.c
src/app-layer-ssl.c
src/app-layer-template.c
src/app-layer-tftp.c

Actions #2

Updated by Jeff Lucovsky 3 months ago

  • Subject changed from Segfault with filestore enabled to Segfault with filestore enabled and forces
Actions #3

Updated by Victor Julien 3 months ago

Certain types of ICMP errors are considered part of a TCP/UDP flow.

Actions #4

Updated by Jeff Lucovsky 3 months ago

  • Subject changed from Segfault with filestore enabled and forces to Segfault with filestore enabled and forced
Actions #5

Updated by JP J 3 months ago

Hello,

Please find attached a narrower pcap extracted from BigFlows.pcap

We have been able to reproduce 100% with the joined pcap.

Setting force-filestore to 'no' makes harder to reproduce the issue.

Actions #6

Updated by Victor Julien 3 months ago

  • Priority changed from Normal to Urgent
Actions #7

Updated by Shivani Bhardwaj 3 months ago

  • Affected Versions 6.0.5 added
  • Affected Versions deleted (6.0.6, 7.0rc1)
Actions #8

Updated by Victor Julien 3 months ago

  • Target version changed from TBD to 7.0rc1
Actions #9

Updated by Victor Julien 3 months ago

  • Subject changed from Segfault with filestore enabled and forced to filestore: Segfault with filestore enabled and forced
Actions #10

Updated by Victor Julien 3 months ago

  • Tracker changed from Bug to Security
  • Severity set to MODERATE
Actions #11

Updated by Victor Julien 3 months ago

  • Label deleted (Needs backport to 6.0)
Actions #12

Updated by Philippe Antoine 3 months ago

  • Assignee changed from OISF Dev to Philippe Antoine
Actions #13

Updated by Philippe Antoine 3 months ago

  • Status changed from New to In Review
Actions #14

Updated by Jason Ish 3 months ago

  • Status changed from In Review to Resolved
Actions #15

Updated by Jason Ish 3 months ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF