Project

General

Profile

Actions

Security #5408

closed

filestore: Segfault with filestore enabled and forced

Added by Jeff Lucovsky over 2 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
CVE:
Git IDs:
Severity:
MODERATE
Disclosure Date:

Description

Suricata will crash when filestore is enabled and the bigFlows.pcap is used. This was reported in the forum: https://forum.suricata.io/t/file-store-core-dumping-on-specific-pcap/2587

I've confirmed that the crash occurs on
  • master
  • master-6.0.x

The crash does not occur on master-5.0.x

The bigFlows.pcap is available here: https://tcpreplay.appneta.com/wiki/captures.html#bigflows-pcap

master: args" -c suricata.yaml -l /tmp/ll -r /home/jlucovsky/bigFlows.pcap"

Thread 15 "W#13" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffd9d13700 (LWP 241346)]
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x0000555555a1cb37 in AppLayerParserGetTx (ipproto=1 '\001', alproto=1, alstate=0x60c001eca3c0, tx_id=0) at app-layer-parser.c:1126
#2  0x0000555556106875 in CloseFile (p=0x61d0068f1080, f=0x612003090940, file=0x61100035ac40) at output-filedata.c:128
#3  0x0000555556107161 in OutputFiledataLogFfc (tv=0x612001d36ec0, td=0x602002e7d670, p=0x61d0068f1080, ffc=0x602002e60250, call_flags=8 '\b', file_close=false, file_trunc=false, dir=8 '\b') at output-filedata.c:209
#4  0x0000555556107493 in OutputFiledataLog (tv=0x612001d36ec0, p=0x61d0068f1080, thread_data=0x602002e7d670) at output-filedata.c:244
#5  0x00005555561038c4 in OutputLoggerLog (tv=0x612001d36ec0, p=0x61d0068f1080, thread_data=0x6020021117d0) at output.c:885
#6  0x00005555560ecf19 in FlowWorker (tv=0x612001d36ec0, p=0x61d0068f1080, data=0x61000016b040) at flow-worker.c:565
#7  0x00005555558953a8 in TmThreadsSlotVarRun (tv=0x612001d36ec0, p=0x61d0068f1080, slot=0x6060029821a0) at tm-threads.c:117
#8  0x0000555555897682 in TmThreadsSlotVar (td=0x612001d36ec0) at tm-threads.c:457
#9  0x00007ffff730d609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#10 0x00007ffff69ab133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

(gdb) fr 1
#1  0x0000555555a1cb37 in AppLayerParserGetTx (ipproto=1 '\001', alproto=1, alstate=0x60c001eca3c0, tx_id=0) at app-layer-parser.c:1126
1126        void *r = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateGetTx(alstate, tx_id);
(gdb) p alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto]
$1 = {Parser = {0x0, 0x0}, logger = false, first_data_dir = 0 '\000', logger_bits = 0, StateAlloc = 0x0, StateFree = 0x0, StateTransactionFree = 0x0, LocalStorageAlloc = 0x0, LocalStorageFree = 0x0, Truncate = 0x0, StateGetFiles = 0x0, StateGetProgress = 0x0, StateGetTxCnt = 0x0, StateGetTx = 0x0, StateGetTxIterator = 0x0,
  complete_ts = 0, complete_tc = 0, StateGetEventInfoById = 0x0, StateGetEventInfo = 0x0, GetTxData = 0x0, ApplyTxConfig = 0x0, SetStreamDepthFlag = 0x0, GetFrameIdByName = 0x0, GetFrameNameById = 0x0, stream_depth = 1048576, option_flags = 0, internal_flags = 0, RegisterUnittests = 0x0}
(gdb) p FlowGetProtoMapping(ipproto)
$2 = 2 '\002'
(gdb) p alproto
$3 = 1
(gdb) p ipproto
$4 = 1 '\001'

master-6.0.x: args" -c suricata.yaml -l /tmp/ll -r /home/jlucovsky/bigFlows.pcap"

gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x000055555595eea3 in AppLayerParserGetTx (ipproto=1 '\001', alproto=1, alstate=0x6080004cd920, tx_id=0) at app-layer-parser.c:1095
#2  0x00005555561f3383 in CloseFile (p=0x61d00026de80, f=0x612000d83640, file=0x6110007dc5c0) at output-filedata.c:137
#3  0x00005555561f3c69 in OutputFiledataLogFfc (tv=0x612001526bc0, td=0x602001f0de10, p=0x61d00026de80, ffc=0x6020009ede70, call_flags=8 '\b', file_close=false, file_trunc=false, dir=8 '\b') at output-filedata.c:218
#4  0x00005555561f3fe3 in OutputFiledataLog (tv=0x612001526bc0, p=0x61d00026de80, thread_data=0x602001f0de10) at output-filedata.c:253
#5  0x00005555561f03f3 in OutputLoggerLog (tv=0x612001526bc0, p=0x61d00026de80, thread_data=0x602001417f10) at output.c:882
#6  0x00005555561b1d21 in FlowWorker (tv=0x612001526bc0, p=0x61d00026de80, data=0x60d00073f1b0) at flow-worker.c:556
#7  0x00005555563c084f in TmThreadsSlotVarRun (tv=0x612001526bc0, p=0x61d00026de80, slot=0x60600225f0e0) at tm-threads.c:117
#8  0x00005555563c2b5e in TmThreadsSlotVar (td=0x612001526bc0) at tm-threads.c:463
#9  0x00007ffff730d609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#10 0x00007ffff6767133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb) fr 1
#1  0x000055555595eea3 in AppLayerParserGetTx (ipproto=1 '\001', alproto=1, alstate=0x6080004cd920, tx_id=0) at app-layer-parser.c:1095
1095        r = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
(gdb) list
1090
1091    void *AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
1092    {
1093        SCEnter();
1094        void * r = NULL;
1095        r = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
1096                    StateGetTx(alstate, tx_id);
1097        SCReturnPtr(r, "void *");
1098    }
1099
(gdb) p alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto]
$2 = {Parser = {0x0, 0x0}, logger = false, logger_bits = 0, StateAlloc = 0x0, StateFree = 0x0, StateTransactionFree = 0x0, LocalStorageAlloc = 0x0, LocalStorageFree = 0x0, Truncate = 0x0, StateGetFiles = 0x0, StateGetEvents = 0x0, StateGetProgress = 0x0, StateGetTxCnt = 0x0, StateGetTx = 0x0, StateGetTxIterator = 0x0,
  StateGetProgressCompletionStatus = 0x0, StateGetEventInfoById = 0x0, StateGetEventInfo = 0x0, GetTxDetectState = 0x0, SetTxDetectState = 0x0, GetTxData = 0x0, ApplyTxConfig = 0x0, SetStreamDepthFlag = 0x0, stream_depth = 1048576, first_data_dir = 0 '\000', option_flags = 0, internal_flags = 0, RegisterUnittests = 0x0}
(gdb) p FlowGetProtoMapping(ipproto)
$3 = 2 '\002'
(gdb) p alproto
$4 = 1
(gdb) p ipproto
$5 = 1 '\001'


Files

bad_icmp_test4.3.pcap (3.07 MB) bad_icmp_test4.3.pcap JP J, 06/30/2022 02:49 PM

Subtasks 1 (0 open1 closed)

Security #5431: filestore: Segfault with filestore enabled and forced (6.0.x backport)ClosedJason IshActions

Related issues 1 (0 open1 closed)

Related to Suricata - Bug #5568: files: null function pointer dereference on icmp packetsRejectedActions
Actions

Also available in: Atom PDF