Actions
Bug #4273
closedprotodetect: SEGV due to NULL ptr deref
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport, Needs backport to 5.0, Needs backport to 6.0
Description
As reported by - https://github.com/StamusNetworks/SELKS/issues/285#issuecomment-765382351
This is Suricata version 7.0.0-dev (3a8ba663a 2021-01-13) Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST SIMD support: none Atomic intrinsics: 1 2 4 8 byte(s) 64-bits, Little-endian architecture GCC version 8.3.0, C version 201112 compiled with _FORTIFY_SOURCE=2 L1 cache line size (CLS)=64 thread local storage method: _Thread_local compiled with LibHTP v0.5.36, linked against LibHTP v0.5.36 Suricata Configuration: AF_PACKET support: yes eBPF support: no XDP support: no PF_RING support: no NFQueue support: yes NFLOG support: no IPFW support: no Netmap support: no DAG enabled: no Napatech enabled: no WinDivert enabled: no Unix socket enabled: yes Detection enabled: yes Libmagic support: yes libjansson support: yes hiredis support: yes hiredis async with libevent: no Prelude support: no PCRE jit: yes LUA support: yes, through luajit libluajit: yes GeoIP2 support: yes Non-bundled htp: yes Hyperscan support: yes Libnet support: yes liblz4 support: yes Rust support: yes Rust strict mode: no Rust compiler path: /root/.cargo/bin/rustc Rust compiler version: rustc 1.49.0 (e1884a8e3 2020-12-29) Cargo path: /root/.cargo/bin/cargo Cargo version: cargo 1.49.0 (d00d64df9 2020-12-05) Cargo vendor: yes Python support: yes Python path: /usr/bin/python3 Python distutils yes Python yaml yes Install suricatactl: yes Install suricatasc: yes Install suricata-update: yes Profiling enabled: no Profiling locks enabled: no Plugin support (experimental): yes Development settings: Coccinelle / spatch: yes Unit tests enabled: no Debug output enabled: no Debug validation enabled: no Generic build parameters: Installation prefix: /usr Configuration directory: /etc/suricata/ Log directory: /var/log/suricata/ --prefix /usr --sysconfdir /etc --localstatedir /var --datarootdir /usr/share Host: x86_64-pc-linux-gnu Compiler: gcc (exec name) / g++ (real) GCC Protect enabled: yes GCC march native enabled: no GCC Profile enabled: no Position Independent Executable enabled: yes CFLAGS -g -O2 -fdebug-prefix-map=/STAMUS/SELKS6/Suricata/suricata-2021011401=. -fstack-protector-strong -Wformat -Werror=format-security -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist PCAP_CFLAGS -I/usr/include SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
# gdb /usr/bin/suricata /var/log/suricata/core/core GNU gdb (Debian 8.2.1-2+b3) 8.2.1 Copyright (C) 2018 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from /usr/bin/suricata...Reading symbols from /usr/lib/debug/.build-id/58/346f7cfd5262bc2dccbbd152659197b2e6c512.debug...done. done. warning: core file may not match specified executable file. [New LWP 27105] [New LWP 27111] [New LWP 27110] [New LWP 27107] [New LWP 27106] [New LWP 27108] [New LWP 27109] [New LWP 27094] [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Core was generated by `/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pi'. Program terminated with signal SIGSEGV, Segmentation fault. #0 SCACTileSearchTiny32 (ctx=0x557696e99ca0, mpm_thread_ctx=<optimized out>, pmq=0x7f15242d12c0, buf=0x0, buflen=8) at util-mpm-ac-ks-small.c:46 46 util-mpm-ac-ks-small.c: No such file or directory. [Current thread is 1 (Thread 0x7f155fe49700 (LWP 27105))] (gdb) (gdb) set logging on Copying output to gdb.txt. (gdb) thread apply all bt Thread 8 (Thread 0x7f1561752b00 (LWP 27094)): #0 0x00007f1561baa720 in __GI___nanosleep (requested_time=requested_time@entry=0x7ffd33997340, remaining=remaining@entry=0x0) at ../sysdeps/unix/sysv/linux/nanosleep.c:28 #1 0x00007f1561bd5874 in usleep (useconds=useconds@entry=10000) at ../sysdeps/posix/usleep.c:32 #2 0x0000557696233b27 in SuricataMainLoop (suri=<optimized out>) at suricata.c:2644 #3 SuricataMain (argc=<optimized out>, argv=<optimized out>) at suricata.c:2805 #4 0x00007f1561b0809b in __libc_start_main (main=0x557696136950 <main>, argc=9, argv=0x7ffd33997498, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd33997488) at ../csu/libc-start.c:308 #5 0x000055769613698a in _start () Thread 7 (Thread 0x7f155d30b700 (LWP 27109)): #0 futex_abstimed_wait_cancelable (private=0, abstime=0x7f155d30aad0, expected=0, futex_word=0x5576ce21cfc8) at ../sysdeps/unix/sysv/linux/futex-internal.h:205 #1 __pthread_cond_wait_common (abstime=0x7f155d30aad0, mutex=0x5576a124a760, cond=0x5576ce21cfa0) at pthread_cond_wait.c:539 #2 __pthread_cond_timedwait (cond=0x5576ce21cfa0, mutex=0x5576a124a760, abstime=abstime@entry=0x7f155d30aad0) at pthread_cond_wait.c:667 #3 0x00005576961679cc in StatsWakeupThread (arg=0x5576a4081250) at counters.c:487 #4 0x00007f1562a5bfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486 #5 0x00007f1561bdd4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 Thread 6 (Thread 0x7f155db0c700 (LWP 27108)): #0 0x00007f1561baa720 in __GI___nanosleep (requested_time=requested_time@entry=0x7f155db0ba10, remaining=remaining@entry=0x0) at ../sysdeps/unix/sysv/linux/nanosleep.c:28 #1 0x00007f1561bd5874 in usleep (useconds=useconds@entry=100) at ../sysdeps/posix/usleep.c:32 #2 0x00005576961def16 in FlowRecycler (th_v=0x5576a2ea3d40, thread_data=0x7f1508000b20) at flow-manager.c:1210 #3 0x00005576962373e2 in TmThreadsManagement (td=0x5576a2ea3d40) at tm-threads.c:541 #4 0x00007f1562a5bfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486 #5 0x00007f1561bdd4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 Thread 5 (Thread 0x7f155f0ab700 (LWP 27106)): #0 0x00007f1561bd2819 in __GI___poll (fds=fds@entry=0x7f155f0aa9d0, nfds=nfds@entry=1, timeout=timeout@entry=100) at ../sysdeps/unix/sysv/linux/poll.c:29 #1 0x00005576962195ad in poll (__timeout=100, __nfds=1, __fds=0x7f155f0aa9d0) at /usr/include/x86_64-linux-gnu/bits/poll2.h:46 #2 ReceiveAFPLoop (tv=0x5576b21e13e0, data=0x7f151c274b20, slot=<optimized out>) at source-af-packet.c:1544 #3 0x000055769623768c in TmThreadsSlotPktAcqLoop (td=0x5576b21e13e0) at tm-threads.c:312 #4 0x00007f1562a5bfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486 #5 0x00007f1561bdd4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 Thread 4 (Thread 0x7f155e30d700 (LWP 27107)): #0 0x00007f1561baa720 in __GI___nanosleep (requested_time=requested_time@entry=0x7f155e30c9b0, remaining=remaining@entry=0x0) at ../sysdeps/unix/sysv/linux/nanosleep.c:28 #1 0x00007f1561bd5874 in usleep (useconds=useconds@entry=100) at ../sysdeps/posix/usleep.c:32 #2 0x00005576961df8a3 in FlowManager (th_v=0x5576a2e7cde0, thread_data=0x7f1520000b20) at flow-manager.c:1014 #3 0x00005576962373e2 in TmThreadsManagement (td=0x5576a2e7cde0) at tm-threads.c:541 #4 0x00007f1562a5bfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486 #5 0x00007f1561bdd4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 Thread 3 (Thread 0x7f155cb0a700 (LWP 27110)): #0 futex_abstimed_wait_cancelable (private=0, abstime=0x7f155cb09ad0, expected=0, futex_word=0x5576ce26b5c8) at ../sysdeps/unix/sysv/linux/futex-internal.h:205 #1 __pthread_cond_wait_common (abstime=0x7f155cb09ad0, mutex=0x5576a12bb5c0, cond=0x5576ce26b5a0) at pthread_cond_wait.c:539 #2 __pthread_cond_timedwait (cond=0x5576ce26b5a0, mutex=0x5576a12bb5c0, abstime=abstime@entry=0x7f155cb09ad0) at pthread_cond_wait.c:667 #3 0x0000557696168013 in StatsMgmtThread (arg=<optimized out>) at counters.c:415 #4 0x00007f1562a5bfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486 #5 0x00007f1561bdd4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 Thread 2 (Thread 0x7f155c309700 (LWP 27111)): #0 0x00007f1561bd5037 in __GI___select (nfds=7, readfds=readfds@entry=0x7f155c308850, writefds=writefds@entry=0x0, exceptfds=exceptfds@entry=0x0, timeout=timeout@entry=0x7f155c308840) at ../sysdeps/unix/sysv/linux/select.c:41 #1 0x000055769623ab15 in UnixMain (this=0x557696656f20 <command>) at unix-manager.c:650 #2 UnixManager (th_v=0x55769b359bb0, thread_data=<optimized out>) at unix-manager.c:1125 #3 0x00005576962373e2 in TmThreadsManagement (td=0x55769b359bb0) at tm-threads.c:541 #4 0x00007f1562a5bfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486 #5 0x00007f1561bdd4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 --Type <RET> for more, q to quit, c to continue without paging-- Thread 1 (Thread 0x7f155fe49700 (LWP 27105)): #0 SCACTileSearchTiny32 (ctx=0x557696e99ca0, mpm_thread_ctx=<optimized out>, pmq=0x7f15242d12c0, buf=0x0, buflen=8) at util-mpm-ac-ks-small.c:46 #1 0x000055769613af7f in PMGetProtoInspect (rflow=0x7f155fe48527, pm_results=0x7f155fe48440, direction=41 ')', buflen=397, buf=0x0, f=0x7f15203aa6a0, mpm_tctx=<optimized out>, pm_ctx=0x557696647fe8 <alpd_ctx+72>, tctx=0x7f15242d12c0) at app-layer-detect-proto.c:275 #2 AppLayerProtoDetectPMGetProto (rflow=0x7f155fe48527, pm_results=0x7f155fe48440, direction=41 ')', buflen=397, buf=0x0, f=0x7f15203aa6a0, tctx=0x7f15242d12c0) at app-layer-detect-proto.c:342 #3 AppLayerProtoDetectGetProto (tctx=0x7f15242d12c0, f=f@entry=0x7f15203aa6a0, buf=buf@entry=0x0, buflen=buflen@entry=397, ipproto=ipproto@entry=6 '\006', direction=direction@entry=41 ')', reverse_flow=0x7f155fe48527) at app-layer-detect-proto.c:1551 #4 0x0000557696138df4 in TCPProtoDetect (tv=0x5576b75b1fa0, ra_ctx=0x7f15242d1270, app_tctx=app_tctx@entry=0x7f15242d12a0, p=p@entry=0x7f1524274150, f=f@entry=0x7f15203aa6a0, ssn=ssn@entry=0x7f151c3321b0, stream=0x7f155fe48648, data=0x0, data_len=397, flags=41 ')') at app-layer.c:336 #5 0x0000557696139921 in AppLayerHandleTCPData (tv=tv@entry=0x5576b75b1fa0, ra_ctx=ra_ctx@entry=0x7f15242d1270, p=p@entry=0x7f1524274150, f=0x7f15203aa6a0, ssn=ssn@entry=0x7f151c3321b0, stream=stream@entry=0x7f155fe48648, data=0x0, data_len=397, flags=41 ')') at app-layer.c:642 #6 0x000055769622dbb7 in ReassembleUpdateAppLayer (dir=UPDATE_DIR_PACKET, p=0x7f1524274150, stream=0x7f155fe48648, ssn=0x7f151c3321b0, ra_ctx=0x7f15242d1270, tv=0x5576b75b1fa0) at stream-tcp-reassemble.c:1175 #7 StreamTcpReassembleAppLayer (tv=tv@entry=0x5576b75b1fa0, ra_ctx=ra_ctx@entry=0x7f15242d1270, ssn=ssn@entry=0x7f151c3321b0, stream=<optimized out>, stream@entry=0x7f151c3321c0, p=p@entry=0x7f1524274150, dir=dir@entry=UPDATE_DIR_PACKET) at stream-tcp-reassemble.c:1238 #8 0x000055769622eb23 in StreamTcpReassembleHandleSegment (tv=tv@entry=0x5576b75b1fa0, ra_ctx=0x7f15242d1270, ssn=ssn@entry=0x7f151c3321b0, stream=0x7f151c3321c0, p=p@entry=0x7f1524274150, pq=pq@entry=0x7f15242d0f68) at stream-tcp-reassemble.c:1900 #9 0x000055769622392e in HandleEstablishedPacketToClient (stt=<optimized out>, pq=<optimized out>, p=<optimized out>, ssn=<optimized out>, tv=<optimized out>) at stream-tcp.c:2318 #10 StreamTcpPacketStateEstablished (tv=0x5576b75b1fa0, p=0x7f1524274150, stt=stt@entry=0x7f15242d0f60, ssn=0x7f151c3321b0, pq=0x7f15242d0f68) at stream-tcp.c:2702 #11 0x0000557696228da8 in StreamTcpStateDispatch (tv=0x5576b75b1fa0, p=0x7f1524274150, stt=0x7f15242d0f60, ssn=0x7f151c3321b0, pq=0x7f15242d0f68, state=<optimized out>) at stream-tcp.c:4703 #12 0x000055769622a682 in StreamTcpPacket (tv=0x5576b75b1fa0, p=0x7f1524274150, stt=0x7f15242d0f60, pq=0x7f15242aeb40) at stream-tcp.c:4889 #13 0x000055769622ae24 in StreamTcp (tv=tv@entry=0x5576b75b1fa0, p=p@entry=0x7f1524274150, data=<optimized out>, pq=pq@entry=0x7f15242aeb40) at stream-tcp.c:5225 #14 0x00005576961e2a2f in FlowWorkerStreamTCPUpdate (detect_thread=0x7f15243a3520, p=0x7f1524274150, fw=0x7f15242aeb10, tv=0x5576b75b1fa0) at flow-worker.c:524 #15 FlowWorker (tv=0x5576b75b1fa0, p=0x7f1524274150, data=0x7f15242aeb10) at flow-worker.c:524 #16 0x0000557696235fa2 in TmThreadsSlotVarRun (tv=tv@entry=0x5576b75b1fa0, p=p@entry=0x7f1524274150, slot=<optimized out>) at tm-threads.c:117 #17 0x0000557696219102 in TmThreadsSlotProcessPkt (p=0x7f1524274150, s=<optimized out>, tv=0x5576b75b1fa0) at tm-threads.h:192 #18 AFPReadFromRing (ptv=ptv@entry=0x7f1524274b20) at source-af-packet.c:1011 #19 0x00005576962196c9 in ReceiveAFPLoop (tv=0x5576b75b1fa0, data=0x7f1524274b20, slot=<optimized out>) at source-af-packet.c:1571 #20 0x000055769623768c in TmThreadsSlotPktAcqLoop (td=0x5576b75b1fa0) at tm-threads.c:312 #21 0x00007f1562a5bfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486 #22 0x00007f1561bdd4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Actions