Bug #7611
closed
Segmentation Fault When Using YAML Configuration with eve-log and stats.totals Output
Description
I encountered a segmentation fault when running Suricata 7.0.8 in test mode with a configuration that enables eve-log JSON output with stats.totals.
Suricata version: 7.0.8 RELEASE
root@suricata-host1:~# cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.5 LTS"
root@suricata-host1:~# uname -a
Linux suricata-host1 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Steps to Reproduce:
1. Create a configuration file with the following content:
%YAML 1.1
---
outputs:
  - eve-log:
      enabled: True
      filetype: regular
      filename: suricata-stats.json
      threaded: false
      types.stats.totals: yes
2. Run Suricata in test mode with this configuration:
root@suricata-host1:~# suricata -T -c /etc/suricata/cluster-config.yaml
Notice: suricata: This is Suricata version 7.0.8 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 24
Info: suricata: Running suricata under test mode
Info: suricata: Setting engine mode to IDS mode by default
Info: suricata: No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'
Info: logopenfile: eve-log output device (regular) initialized: suricata-stats.json
Segmentation fault
root@suricata-host1:~#
Expected Result:
Suricata should successfully validate the configuration without crashing.
Actual Result:
Suricata crashes with a segmentation fault after initializing the eve-log output device.
Updated by Andreas Herz 5 months ago
Could you add the full yaml file so it's easier to reproduce?
Also add `suricata --build-info`
Updated by IDSTower Support 5 months ago
- File crash.yaml crash.yaml added
- File build-info.txt build-info.txt added
Andreas Herz wrote in #note-1:
Could you add the full yaml file so it's easier to reproduce?
Also add `suricata --build-info`
Please find the requested info attached; see how to reproduce below:
root@suricata-host1:/etc/suricata# suricata -T -c /etc/suricata/crash.yaml
Notice: suricata: This is Suricata version 7.0.8 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 24
Info: suricata: Running suricata under test mode
Info: suricata: Setting engine mode to IDS mode by default
Info: suricata: No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'
Info: logopenfile: eve-log output device (regular) initialized: suricata-stats.json
Segmentation fault
root@suricata-host1:/etc/suricata#
Updated by Philippe Antoine 20 days ago
- Affected Versions 8.0.0 added
- Affected Versions deleted (7.0.8)
=================================================================
==1113==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000102f12490 bp 0x7ff7bf0211d0 sp 0x7ff7bf020970 T0)
==1113==The signal is caused by a READ memory access.
==1113==Hint: address points to the zero page.
    #0 0x000102f12490 in strcmp+0x30 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x1a490)
    #1 0x00010125bb57 in RunModeInitializeOutputs runmodes.c:850
    #2 0x0001012d8fa4 in SuricataInit suricata.c:3067
    #3 0x000100edfcd5 in main main.c:57
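Added example, not part of the ticket and not Suricata's code: the trace above shows strcmp reading address 0 during output setup, which means one of its arguments was NULL. The C code below models that bug class with a hypothetical `CfgNode` type, on the assumption that a config entry's value is NULL when its YAML key holds no scalar, and shows the guarded comparison next to a test-mode check that reports the entry instead of crashing.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical config node (not Suricata's structure): val stays NULL
 * when a YAML key holds a mapping or sequence instead of a scalar. */
typedef struct CfgNode {
    const char *name;
    const char *val;
    const struct CfgNode *next;
} CfgNode;

/* Crash-prone pattern: an unchecked val reaches strcmp(), so a NULL val
 * becomes a READ of address 0, the fault class in the ASan report. */
int type_is_unsafe(const CfgNode *n, const char *want) {
    return strcmp(n->val, want) == 0;
}

/* Guarded form: a missing value is a mismatch, never a dereference. */
int type_is(const CfgNode *n, const char *want) {
    return n != NULL && n->val != NULL && strcmp(n->val, want) == 0;
}

/* Test-mode style check: count entries with no scalar value and report
 * the first one, so the run ends with a config error, not SIGSEGV. */
int count_invalid(const CfgNode *head, const char **first_bad) {
    int bad = 0;
    for (const CfgNode *n = head; n != NULL; n = n->next) {
        if (n->val == NULL) {
            if (bad == 0 && first_bad != NULL)
                *first_bad = n->name;
            bad++;
        }
    }
    return bad;
}

/* Constructed sample: "stats" has children but no scalar value. */
static const CfgNode sample_stats = { "stats", NULL, NULL };
static const CfgNode sample_alert = { "alert", "alert", &sample_stats };

int main(void) {
    const char *bad = NULL;
    int n = count_invalid(&sample_alert, &bad);
    printf("invalid entries: %d (first: %s)\n", n, bad ? bad : "none");
    printf("stats selected: %d\n", type_is(&sample_stats, "stats"));
    return 0;
}
```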
Updated by Philippe Antoine 20 days ago
- Status changed from New to In Review
- Assignee changed from OISF Dev to Philippe Antoine
- Target version changed from TBD to 8.0.1
Updated by Philippe Antoine 8 days ago
Not sure if we want to backport it or not
Updated by Jason Ish 3 days ago
- Status changed from In Review to Closed
Merged via https://github.com/OISF/suricata/pull/13683.