Bug #5022: log-pcap: fix segfault on lz4 compressed pcaps - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #5022

closed

log-pcap: fix segfault on lz4 compressed pcaps

Added by Marshall Whittaker almost 3 years ago. Updated over 1 year ago.

Status:

Closed

Priority:

Normal

Assignee:

Jason Ish

Target version:

7.0.0

Affected Versions:

7.0.0-beta1, 6.0.13

Effort:

low

Difficulty:

Label:

Description

When Suricata is set to log to a lz4 compressed pcap, if it is unable to write to the file because of a permissions issue, Suricata will segfault (I think this happens on the first packet received). Note Suricata must be set to lz4 compression as well as drop its privileges on startup for this to occur.

```
PID: 412168 (Suricata-Main)
UID: 1001 (suri)
GID: 1001 (suri)
Signal: 11 (SEGV)
Timestamp: Sat 2022-01-29 20:11:08 EST (2min 59s ago)
Command Line: suricata -c /home/marshall/suricata.yaml -i eno1
Executable: /usr/local/bin/suricata
Control Group: /user.slice/user-1000.slice/user@1000.service/apps.slice/apps-org.gnome.Terminal.slice/vte-spawn-d9df648d-7519-4f22-a86f-6b58167fef71.scope
Unit: user@1000.service
User Unit: vte-spawn-d9df648d-7519-4f22-a86f-6b58167fef71.scope
Slice: user-1000.slice
Owner UID: 1000 (marshall)
Boot ID: 8b3353cc733b4d75a8a98c81e3a118c3
Machine ID: 85f77d5a4cad4c39b30e64dc35de8a40
Hostname: jerkon
Storage: /var/lib/systemd/coredump/core.Suricata-Main.1001.8b3353cc733b4d75a8a98c81e3a118c3.412168.1643505068000000000000.lz4
Message: Process 412168 (Suricata-Main) of user 1001 dumped core.

Stack trace of thread 412198:
                #0  0x00007f830743d4a5 _GI_IO_fwrite (libc.so.6 + 0x864a5)
                #1  0x0000560e786a7c5b PcapLog (suricata + 0x27ac5b)
                #2  0x0000560e7863e1e2 OutputPacketLog (suricata + 0x2111e2)
                #3  0x0000560e786256c4 OutputLoggerLog (suricata + 0x1f86c4)
                #4  0x0000560e78620c38 FlowWorker (suricata + 0x1f3c38)
                #5  0x0000560e78580b65 TmThreadsSlotVarRun (suricata + 0x153b65)
                #6  0x0000560e7864a55c TmThreadsSlotProcessPkt (suricata + 0x21d55c)
                #7  0x0000560e78649525 ReceiveAFPLoop (suricata + 0x21c525)
                #8  0x0000560e78582291 TmThreadsSlotPktAcqLoop (suricata + 0x155291)
                #9  0x00007f83076e8609 start_thread (libpthread.so.0 + 0x9609)
                #10 0x00007f83074d9293 __clone (libc.so.6 + 0x122293)

Stack trace of thread 412168:
                #0  0x00007f83074973bf GI_clock_nanosleep (libc.so.6 + 0xe03bf)
                #1  0x00007f830749d047 GI_nanosleep (libc.so.6 + 0xe6047)
                #2  0x00007f83074cf9bf usleep (libc.so.6 + 0x1189bf)
                #3  0x0000560e7857ecc6 SuricataMainLoop (suricata + 0x151cc6)
                #4  0x00007f83073de0b3 __libc_start_main (libc.so.6 + 0x270b3)
                #5  0x0000560e7857acfe _start (suricata + 0x14dcfe)

Stack trace of thread 412199:
                #0  0x00007f83074ccaff GI_poll (libc.so.6 + 0x115aff)
                #1  0x0000560e786495e4 poll (suricata + 0x21c5e4)
                #2  0x0000560e78582291 TmThreadsSlotPktAcqLoop (suricata + 0x155291)
                #3  0x00007f83076e8609 start_thread (libpthread.so.0 + 0x9609)
                #4  0x00007f83074d9293 __clone (libc.so.6 + 0x122293)

Stack trace of thread 412207:
                #0  0x00007f83074973bf GI_clock_nanosleep (libc.so.6 + 0xe03bf)
                #1  0x00007f830749d047 GI_nanosleep (libc.so.6 + 0xe6047)
                #2  0x00007f83074cf9bf usleep (libc.so.6 + 0x1189bf)
                #3  0x0000560e7861d134 FlowRecycler (suricata + 0x1f0134)
                #4  0x0000560e78581fe6 TmThreadsManagement (suricata + 0x154fe6)
                #5  0x00007f83076e8609 start_thread (libpthread.so.0 + 0x9609)
                #6  0x00007f83074d9293 __clone (libc.so.6 + 0x122293)

Stack trace of thread 412206:
                #0  0x00007f83074973bf GI_clock_nanosleep (libc.so.6 + 0xe03bf)
                #1  0x00007f830749d047 GI_nanosleep (libc.so.6 + 0xe6047)
                #2  0x00007f83074cf9bf usleep (libc.so.6 + 0x1189bf)
                #3  0x0000560e7861d8a2 FlowManager (suricata + 0x1f08a2)
                #4  0x0000560e78581fe6 TmThreadsManagement (suricata + 0x154fe6)
                #5  0x00007f83076e8609 start_thread (libpthread.so.0 + 0x9609)
                #6  0x00007f83074d9293 __clone (libc.so.6 + 0x122293)

Stack trace of thread 412200:
                #0  0x00007f83074ccaff GI_poll (libc.so.6 + 0x115aff)
                #1  0x0000560e786495e4 poll (suricata + 0x21c5e4)
                #2  0x0000560e78582291 TmThreadsSlotPktAcqLoop (suricata + 0x155291)
                #3  0x00007f83076e8609 start_thread (libpthread.so.0 + 0x9609)
                #4  0x00007f83074d9293 __clone (libc.so.6 + 0x122293)

Stack trace of thread 412204:
                #0  0x00007f83074ccaff GI_poll (libc.so.6 + 0x115aff)
                #1  0x0000560e78649f73 poll (suricata + 0x21cf73)
                #2  0x0000560e78582291 TmThreadsSlotPktAcqLoop (suricata + 0x155291)
                #3  0x00007f83076e8609 start_thread (libpthread.so.0 + 0x9609)
                #4  0x00007f83074d9293 __clone (libc.so.6 + 0x122293)

Stack trace of thread 412208:
                #0  0x00007f83076ef7b1 futex_abstimed_wait_cancelable (libpthread.so.0 + 0x107b1)
                #1  0x0000560e785b7eec StatsWakeupThread (suricata + 0x18aeec)
                #2  0x00007f83076e8609 start_thread (libpthread.so.0 + 0x9609)
                #3  0x00007f83074d9293 __clone (libc.so.6 + 0x122293)

Stack trace of thread 412209:
                #0  0x00007f83076ef7b1 futex_abstimed_wait_cancelable (libpthread.so.0 + 0x107b1)
                #1  0x0000560e785b8533 StatsMgmtThread (suricata + 0x18b533)
                #2  0x00007f83076e8609 start_thread (libpthread.so.0 + 0x9609)
                #3  0x00007f83074d9293 __clone (libc.so.6 + 0x122293)
```

Subtasks 1 (0 open — 1 closed)