Bug #7611 (closed)
Segmentation Fault When Using YAML Configuration with eve-log and stats.totals Output
Description
I encountered a segmentation fault when running Suricata 7.0.8 in test mode with a configuration that enables eve-log JSON output with stats.totals.
Suricata version: 7.0.8 RELEASE
root@suricata-host1:~# cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.5 LTS"
root@suricata-host1:~# uname -a
Linux suricata-host1 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Steps to Reproduce:
1. Create a configuration file with the following content:
%YAML 1.1
---
outputs:
  - eve-log:
      enabled: True
      filetype: regular
      filename: suricata-stats.json
      threaded: false
      types.stats.totals: yes
2. Run Suricata in test mode with this configuration:
root@suricata-host1:~# suricata -T -c /etc/suricata/cluster-config.yaml
Notice: suricata: This is Suricata version 7.0.8 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 24
Info: suricata: Running suricata under test mode
Info: suricata: Setting engine mode to IDS mode by default
Info: suricata: No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'
Info: logopenfile: eve-log output device (regular) initialized: suricata-stats.json
Segmentation fault
root@suricata-host1:~#
Expected Result:
Suricata should successfully validate the configuration without crashing.
Actual Result:
Suricata crashes with a segmentation fault after initializing the eve-log output device.
Updated by Andreas Herz 6 months ago
Could you add the full yaml file so it's easier to reproduce?
Also add `suricata --build-info`
Updated by IDSTower Support 6 months ago
- File crash.yaml added
- File build-info.txt added
Andreas Herz wrote in #note-1:
Could you add the full yaml file so it's easier to reproduce?
Also add `suricata --build-info`
Please find the requested info attached, see how to reproduce below:
root@suricata-host1:/etc/suricata# suricata -T -c /etc/suricata/crash.yaml
Notice: suricata: This is Suricata version 7.0.8 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 24
Info: suricata: Running suricata under test mode
Info: suricata: Setting engine mode to IDS mode by default
Info: suricata: No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'
Info: logopenfile: eve-log output device (regular) initialized: suricata-stats.json
Segmentation fault
root@suricata-host1:/etc/suricata#
Updated by Philippe Antoine about 1 month ago
- Affected Versions 8.0.0 added
- Affected Versions deleted (7.0.8)
=================================================================
==1113==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000102f12490 bp 0x7ff7bf0211d0 sp 0x7ff7bf020970 T0)
==1113==The signal is caused by a READ memory access.
==1113==Hint: address points to the zero page.
    #0 0x000102f12490 in strcmp+0x30 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x1a490)
    #1 0x00010125bb57 in RunModeInitializeOutputs runmodes.c:850
    #2 0x0001012d8fa4 in SuricataInit suricata.c:3067
    #3 0x000100edfcd5 in main main.c:57
Updated by Philippe Antoine about 1 month ago
- Status changed from New to In Review
- Assignee changed from OISF Dev to Philippe Antoine
- Target version changed from TBD to 8.0.1
Updated by Philippe Antoine 29 days ago
Not sure if we want to backport it or not
Updated by Jason Ish 24 days ago
- Status changed from In Review to Closed
Merged via https://github.com/OISF/suricata/pull/13683.