Bug #7611

closed

Segmentation Fault When Using YAML Configuration with eve-log and stats.totals Output

Added by IDSTower Support 5 months ago. Updated 3 days ago.

Status: Closed
Priority: Normal

Description

I encountered a segmentation fault when running Suricata 7.0.8 in test mode with a configuration that enables eve-log JSON output with stats.totals.

Suricata version: 7.0.8 RELEASE

root@suricata-host1:~# cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.5 LTS"

root@suricata-host1:~# uname -a
Linux suricata-host1 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Steps to Reproduce:

1. Create a configuration file with the following content:

%YAML 1.1
---
outputs:
  - eve-log:
      enabled: True
      filetype: regular
      filename: suricata-stats.json
      threaded: false
      types.stats.totals: yes

2. Run Suricata in test mode with this configuration:

root@suricata-host1:~# suricata -T -c /etc/suricata/cluster-config.yaml
Notice: suricata: This is Suricata version 7.0.8 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 24
Info: suricata: Running suricata under test mode
Info: suricata: Setting engine mode to IDS mode by default
Info: suricata: No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'
Info: logopenfile: eve-log output device (regular) initialized: suricata-stats.json
Segmentation fault
root@suricata-host1:~#

Expected Result:
Suricata should successfully validate the configuration without crashing.

Actual Result:
Suricata crashes with a segmentation fault after initializing the eve-log output device.


Files

crash.yaml (177 Bytes), IDSTower Support, 03/15/2025 07:24 AM
build-info.txt (4.37 KB), IDSTower Support, 03/15/2025 07:24 AM
Actions #1

Updated by Andreas Herz 5 months ago

Could you add the full yaml file so it's easier to reproduce?

Also add `suricata --build-info`

Updated by IDSTower Support 5 months ago

Andreas Herz wrote in #note-1:

Could you add the full yaml file so it's easier to reproduce?

Also add `suricata --build-info`

Please find the requested info attached; see how to reproduce below:

root@suricata-host1:/etc/suricata# suricata -T -c /etc/suricata/crash.yaml
Notice: suricata: This is Suricata version 7.0.8 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 24
Info: suricata: Running suricata under test mode
Info: suricata: Setting engine mode to IDS mode by default
Info: suricata: No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'
Info: logopenfile: eve-log output device (regular) initialized: suricata-stats.json
Segmentation fault
root@suricata-host1:/etc/suricata#
Actions #3

Updated by Philippe Antoine 20 days ago

  • Affected Versions 8.0.0 added
  • Affected Versions deleted (7.0.8)

=================================================================
==1113==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000102f12490 bp 0x7ff7bf0211d0 sp 0x7ff7bf020970 T0)
==1113==The signal is caused by a READ memory access.
==1113==Hint: address points to the zero page.
#0 0x000102f12490 in strcmp+0x30 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x1a490)
#1 0x00010125bb57 in RunModeInitializeOutputs runmodes.c:850
#2 0x0001012d8fa4 in SuricataInit suricata.c:3067
#3 0x000100edfcd5 in main main.c:57

Actions #4

Updated by Philippe Antoine 20 days ago

  • Status changed from New to In Review
  • Assignee changed from OISF Dev to Philippe Antoine
  • Target version changed from TBD to 8.0.1
Actions #5

Updated by Philippe Antoine 8 days ago

Not sure if we want to backport it or not.

Actions #6

Updated by Jason Ish 3 days ago

  • Status changed from In Review to Closed
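An added example, not part of the original report or of the Suricata project: a wrapper for the `suricata -T -c` test run shown in the report that separates a run killed by a signal (the segmentation fault above) from a configuration the engine rejects. The function name, the `CONFIG_TEST_RESULT` variable and the 0/1/2 return codes are assumptions of this example, and it assumes a rejected configuration makes the test run exit with a non-zero status below 128.

```shell
#!/bin/sh
# Added example: classify the outcome of a Suricata configuration test.
# classify_config_test, CONFIG_TEST_RESULT and the 0/1/2 return codes are
# names chosen for this example, not part of Suricata.
#
# Usage: classify_config_test suricata -T -c /etc/suricata/crash.yaml
#   returns 0  CONFIG_TEST_RESULT=valid          test run succeeded
#   returns 1  CONFIG_TEST_RESULT=rejected:<rc>  engine exited with an error
#   returns 2  CONFIG_TEST_RESULT=crashed:<sig>  engine was killed by a signal
classify_config_test() {
    status=0
    # "|| status=$?" keeps the function usable under "set -e".
    "$@" >/dev/null 2>&1 || status=$?

    if [ "$status" -eq 0 ]; then
        CONFIG_TEST_RESULT="valid"
        return 0
    fi

    # sh, bash and dash report death by signal N as exit status 128 + N,
    # so a segmentation fault (SIGSEGV, 11) shows up as 139.
    if [ "$status" -gt 128 ]; then
        sig=$((status - 128))
        name=$(kill -l "$sig" 2>/dev/null) || name="$sig"
        CONFIG_TEST_RESULT="crashed:${name}"
        return 2
    fi

    CONFIG_TEST_RESULT="rejected:${status}"
    return 1
}
```

In a deployment pipeline, return code 2 is the case to escalate as an engine bug and to keep the previously running configuration in place, rather than handling it as an ordinary validation failure.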