Bug #6861

closed

profiling/rules: crash when profiling ends

Added by Jeff Lucovsky 9 months ago. Updated 6 months ago.

Status: Closed
Priority: Normal

Description

Suricata may crash when stopping ruleset profiling.

$ ./configure --enable-profiling_rule
$  sudo suricatasc /var/run/suricata/suricata-command.socket
>>> ruleset-profile-start
>>> ruleset-profile-stop

It may crash depending on the timing of the PROFILING_START/PROFILING_END macros:

suricata: detect.c:815: DetectRulePacketRules: Assertion `!(profiling_rules_entered < 0)' failed.

Thread 7 "W#06-enp6s0f0" received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffdb915640 (LWP 3539932)]
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140736877123136) at ./nptl/pthread_kill.c:44
44    ./nptl/pthread_kill.c: No such file or directory.
(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140736877123136) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140736877123136) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140736877123136, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff7229476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff720f7f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff720f71b in __assert_fail_base (fmt=0x7ffff73c4130 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
    assertion=0x5555561081d0 "!(profiling_rules_entered < 0)", file=0x5555561081c7 "detect.c", line=815, function=<optimized out>) at ./assert/assert.c:92
#6  0x00007ffff7220e96 in __GI___assert_fail (assertion=0x5555561081d0 "!(profiling_rules_entered < 0)", file=0x5555561081c7 "detect.c", line=815,
    function=0x55555610c6f0 <__PRETTY_FUNCTION__.25> "DetectRulePacketRules") at ./assert/assert.c:101
#7  0x000055555584a8cb in DetectRulePacketRules (tv=0x55555ded0f00, de_ctx=0x5555575c0af0, det_ctx=0x7fffd445e740, p=0x7fffd4290130, pflow=0x7fff9d195c90,
    scratch=0x7fffdb914050) at detect.c:815
#8  0x000055555584906e in DetectRun (th_v=0x55555ded0f00, de_ctx=0x5555575c0af0, det_ctx=0x7fffd445e740, p=0x7fffd4290130) at detect.c:143
#9  0x000055555584d133 in DetectFlow (tv=0x55555ded0f00, de_ctx=0x5555575c0af0, det_ctx=0x7fffd445e740, p=0x7fffd4290130) at detect.c:1780
#10 0x000055555584d3b7 in Detect (tv=0x55555ded0f00, p=0x7fffd4290130, data=0x7fffd445e740) at detect.c:1852
#11 0x0000555555a68bfa in FlowWorker (tv=0x55555ded0f00, p=0x7fffd4290130, data=0x7fffd42ea1e0) at flow-worker.c:606
#12 0x0000555555732016 in TmThreadsSlotVarRun (tv=0x55555ded0f00, p=0x7fffd4290130, slot=0x55555c5935d0) at tm-threads.c:135
#13 0x0000555555ab0eb1 in TmThreadsSlotProcessPkt (tv=0x55555ded0f00, s=0x55555c5935d0, p=0x7fffd4290130)
    at /home/jlucovsky/src/jal/suricata/src/tm-threads.h:200
#14 0x0000555555ab2652 in AFPReadFromRing (ptv=0x7fffd4290b70) at source-af-packet.c:939
#15 0x0000555555ab38ec in ReceiveAFPLoop (tv=0x55555ded0f00, data=0x7fffd4290b70, slot=0x55556c1de200) at source-af-packet.c:1430
#16 0x00005555557326c8 in TmThreadsSlotPktAcqLoop (td=0x55555ded0f00) at tm-threads.c:318
#17 0x00007ffff727bac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#18 0x00007ffff730d850 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
(gdb) fr 7
(gdb)  info locals
profile_rule_end_ = 19446383929566616
smatch = false
profile_rule_start_ = 0
alert_flags = 0 '\000'
s_proto_flags = 0 '\000'
s = 0x5555576ac0f0
next_s = 0x5555576ac780
match_cnt = 15
match_array = 0x7fffd4468858
sflags = 1572879
next_sflags = 1572879
__FUNCTION__ = "DetectRulePacketRules" 
__PRETTY_FUNCTION__ = "DetectRulePacketRules" 
(gdb) p profiling_rules_entered--
$1 = -1

The crash occurs when ruleset profiling is disabled because:
- RULE_PROFILING_START uses profiling_rules_active as a gate for profiling (in addition to profiling_rules_enabled)
- RULE_PROFILING_END only uses profiling_rules_enabled

Thus, when RULE_PROFILING_END is invoked, it will decrement profiling_rules_entered even if RULE_PROFILING_START didn't increment it.

A candidate fix is to clear the packet's profiling flag in RULE_PROFILING_END.
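
A minimal model of the asymmetric gating described above, added here as an illustration and not taken from the Suricata source. It assumes RULE_PROFILING_END also consults a per-packet flag set by RULE_PROFILING_START (the flag the candidate fix clears); the struct, flag and function names are hypothetical.

```c
#include <stdio.h>
/* Simplified model. Only the three profiling_rules_* names come from the
 * report; the struct, flag and function names are hypothetical. */
#define PKT_PROFILE_FLAG 0x1u /* assumed per-packet profiling flag */
struct pkt { unsigned flags; };

static int profiling_rules_enabled = 1; /* built with rule profiling */
static int profiling_rules_active;      /* ruleset-profile-start/stop */
static int profiling_rules_entered;     /* asserted to stay >= 0 */

/* START: gated on enabled AND active, as the report describes. */
static void rule_profiling_start(struct pkt *p)
{
    if (profiling_rules_enabled && profiling_rules_active) {
        p->flags |= PKT_PROFILE_FLAG;
        profiling_rules_entered++;
    }
}

/* END as reported: never checks profiling_rules_active, so a stale flag decrements. */
static void rule_profiling_end_buggy(struct pkt *p)
{
    if (profiling_rules_enabled && (p->flags & PKT_PROFILE_FLAG))
        profiling_rules_entered--;
}

/* END with the candidate fix: clear the packet's flag once accounted. */
static void rule_profiling_end_fixed(struct pkt *p)
{
    if (profiling_rules_enabled && (p->flags & PKT_PROFILE_FLAG)) {
        profiling_rules_entered--;
        p->flags &= ~PKT_PROFILE_FLAG;
    }
}

/* Two rules on one packet, profiling stopped in between; returns the final counter. */
int simulate(int use_fix)
{
    struct pkt p = { 0 };
    void (*end)(struct pkt *) =
        use_fix ? rule_profiling_end_fixed : rule_profiling_end_buggy;
    profiling_rules_entered = 0;
    profiling_rules_active = 1;         /* ruleset-profile-start */
    rule_profiling_start(&p); end(&p);  /* rule 1: 0 -> 1 -> 0 */
    profiling_rules_active = 0;         /* ruleset-profile-stop */
    rule_profiling_start(&p); end(&p);  /* rule 2: START is skipped */
    return profiling_rules_entered;     /* negative is the asserted state */
}

int main(void) { printf("buggy=%d fixed=%d\n", simulate(0), simulate(1)); return 0; }
```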


Subtasks 1 (0 open, 1 closed)

Bug #6862: profiling/rules: crash when profiling ends (7.0.x backport) - Closed - Jeff Lucovsky
#1

Updated by Jeff Lucovsky 9 months ago

  • Target version changed from TBD to 8.0.0-beta1

#2

Updated by OISF Ticketbot 9 months ago

  • Subtask #6862 added

#3

Updated by OISF Ticketbot 9 months ago

  • Label deleted (Needs backport to 7.0)

#4

Updated by Jeff Lucovsky 9 months ago

  • Subject changed from Lightweight rules profiling: crash during to Lightweight rules profiling: crash when profiling ends

#5

Updated by Jeff Lucovsky 9 months ago

  • Private changed from Yes to No

#6

Updated by Jeff Lucovsky 9 months ago

  • Status changed from New to Resolved

#7

Updated by Victor Julien 6 months ago

  • Subject changed from Lightweight rules profiling: crash when profiling ends to profiling/rules: crash when profiling ends
  • Status changed from Resolved to Closed
  • Assignee changed from OISF Dev to Jeff Lucovsky