Bug #6201: multi-tenancy: crash under test mode when tenant signature load fails - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #6201

closed

multi-tenancy: crash under test mode when tenant signature load fails

Added by Jeff Lucovsky 10 months ago. Updated 8 months ago.

Status:

Closed

Priority:

Normal

Assignee:

Victor Julien

Target version:

7.0.1

Affected Versions:

6.0.13

Effort:

Difficulty:

Label:

Description

When running Suricata under test mode and multi-tenancy configured, a crash often occurs when signature loading fails.

When using a tenant configuration file that lacks a definition for DNP3_SERVER and the tenant's configuration specifies a ETPro rule file from early 2023, the following error message is printed, the signature is rejected, and test mode "fails":

5/7/2023 -- 13:26:27 - <Error> - [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "DNP3_SERVER" is not defined in configuration file
5/7/2023 -- 13:26:27 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any <> $DNP3_SERVER <redacted>" 
5/7/2023 -- 13:26:45 - <Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.

Then, this crash occurs:

Thread 15 "DL#02" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe89ff640 (LWP 2053)]
VariableNameGetIdx (type=VAR_TYPE_FLOW_BIT, name=0x7fffe89e8b80 "ETPRO.slenfbot_g_pass", v=0x0) at util-var-name.c:190
190        VariableName *lookup_fn = (VariableName *)HashListTableLookup(v->names, (void *)fn, 0);
(gdb) p v
$1 = (VarNameStore *) 0x0
(gdb) bt
#0  VariableNameGetIdx (type=VAR_TYPE_FLOW_BIT, name=0x7fffe89e8b80 "ETPRO.slenfbot_g_pass", v=0x0) at util-var-name.c:190
#1  VarNameStoreSetupAdd (name=name@entry=0x7fffe89e8b80 "ETPRO.slenfbot_g_pass", type=type@entry=VAR_TYPE_FLOW_BIT) at util-var-name.c:327
#2  0x00005555556ef29d in DetectFlowbitParse (de_ctx=0x7fffe7c04000, rawstr=<optimized out>, cdout=cdout@entry=0x7fffe89e8cd0) at detect-flowbits.c:313
#3  0x00005555556ef42f in DetectFlowbitSetup (de_ctx=<optimized out>, s=0x7fffaa437a40, rawstr=<optimized out>) at detect-flowbits.c:335
#4  0x0000555555706798 in SigParseOptions (output_size=275, output=0x7fffe89e8d00 "", optstr=0x7fffe89e8e21 "flowbits", s=0x7fffaa437a40,
    de_ctx=0x7fffe7c04000) at detect-parse.c:815
#5  SigParse (parser=0x7fffe89e8fb0, addrs_direction=<optimized out>, sigstr=0x7fffe89faff0 "\260\260\237\350\377\177", s=<optimized out>,
    de_ctx=<optimized out>) at detect-parse.c:1251
#6  SigInitHelper (de_ctx=de_ctx@entry=0x7fffe7c04000,
    sigstr=sigstr@entry=0x7fffe89fb0b0 "alert tcp $HOME_NET any -> $EXTERNAL_NET 1234 (msg:\"ETPRO WORM Worm.Win32.Slenfbot.G Checkin 2\"; flow:to_server,established; content:\"PASS xxx|0D|\"; depth:9; nocase; flowbits:set,ETPRO.slenfbot_g_pass"..., dir=dir@entry=0 '\000') at detect-parse.c:1910
#7  0x00005555557079e2 in SigInit (de_ctx=de_ctx@entry=0x7fffe7c04000,
    sigstr=sigstr@entry=0x7fffe89fb0b0 "alert tcp $HOME_NET any -> $EXTERNAL_NET 1234 (msg:\"ETPRO WORM Worm.Win32.Slenfbot.G Checkin 2\"; flow:to_server,established; content:\"PASS xxx|0D|\"; depth:9; nocase; flowbits:set,ETPRO.slenfbot_g_pass"...) at detect-parse.c:2079
#8  0x0000555555707bb7 in DetectEngineAppendSig (de_ctx=de_ctx@entry=0x7fffe7c04000,
    sigstr=sigstr@entry=0x7fffe89fb0b0 "alert tcp $HOME_NET any -> $EXTERNAL_NET 1234 (msg:\"ETPRO WORM Worm.Win32.Slenfbot.G Checkin 2\"; flow:to_server,established; content:\"PASS xxx|0D|\"; depth:9; nocase; flowbits:set,ETPRO.slenfbot_g_pass"...) at detect-parse.c:2377
#9  0x00005555556dbeab in DetectLoadSigFile (de_ctx=de_ctx@entry=0x7fffe7c04000,
    sig_file=sig_file@entry=0x7fffe7c034f0 "/tmp/etc/suricata/rules/tenant-2.rules", goodsigs=goodsigs@entry=0x7fffe89fd1c8, badsigs=0x7fffe89fb0b0,
    badsigs@entry=0x7fffe89fd1cc) at detect-engine-loader.c:169
#10 0x00005555556dc208 in ProcessSigFiles (de_ctx=de_ctx@entry=0x7fffe7c04000, pattern=pattern@entry=0x7fffe7c034c0 "/tmp/etc/suricata/rules/tenant-2.rules",
    st=st@entry=0x7fffe7c05410, good_sigs=good_sigs@entry=0x7fffe89fd1c8, bad_sigs=bad_sigs@entry=0x7fffe89fd1cc) at detect-engine-loader.c:252
#11 0x00005555556dc9c6 in SigLoadSignatures (de_ctx=de_ctx@entry=0x7fffe7c04000, sig_file=sig_file@entry=0x0, sig_file_exclusive=sig_file_exclusive@entry=0)
    at detect-engine-loader.c:312
#12 0x00005555556c7bd6 in DetectEngineMultiTenantLoadTenant (loader_id=1, filename=<optimized out>, tenant_id=2) at detect-engine.c:3348
#13 DetectLoaderFuncLoadTenant (vctx=<optimized out>, loader_id=1) at detect-engine.c:3429
#14 0x00005555556dc3fb in DetectLoader (thread_data=<optimized out>, th_v=<optimized out>) at detect-engine-loader.c:593
#15 DetectLoader (th_v=0x7ffff1a768c0, thread_data=0x7fffe7c00000) at detect-engine-loader.c:572
#16 0x0000555555782a43 in TmThreadsManagement (td=0x7ffff1a768c0) at tm-threads.c:562
#17 0x00007ffff64abf3e in start_thread (arg=0x7fffe89ff640) at pthread_create.c:463
#18 0x00007ffff69f114f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Subtasks 1 (0 open — 1 closed)

Related issues 1 (0 open — 1 closed)

Actions

Copy link

Updated by Victor Julien 9 months ago

Status changed from New to In Progress
Assignee changed from OISF Dev to Victor Julien
Target version changed from TBD to 7.0.1
Label Needs backport to 6.0 added

Actions

Copy link

Updated by OISF Ticketbot 9 months ago

Subtask #6248 added

Actions

Copy link

Updated by OISF Ticketbot 9 months ago

Label deleted (~~Needs backport to 6.0~~)

Actions

Copy link

Updated by Victor Julien 9 months ago

Related to Bug #6044: detect: multi-tenancy leaks memory if more than 1 tenant registered added

Actions

Copy link

Updated by Victor Julien 9 months ago

Subject changed from Multi-tenancy: crash under test mode when tenant signature load fails to multi-tenancy: crash under test mode when tenant signature load fails
Status changed from In Progress to In Review

https://github.com/OISF/suricata/pull/9359

Actions

Copy link