Bug #557
closedsegfault in 1.4beta1
Description
Hello. Decided to give the new beta a try today and received a segfault when using af_packet (pcap mode is OK).
Ubuntu 32 bit with 2.6.32-33-generic-pae.
Some output below. Let me know what else you'd like to see.
Thanks and regards,
Michael
configure options:
./configure --enable-profiling --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --enable-af-packet
gdb output:
21/9/2012 -- 16:19:47 - <Info> - Enabling mmaped capture on iface eth1 21/9/2012 -- 16:19:47 - <Info> - Using round-robin cluster mode for AF_PACKET (iface eth1) 21/9/2012 -- 16:19:47 - <Info> - Going to use 1 ReceiveAFP receive thread(s) [New Thread 0xb5fb1b70 (LWP 21234)] 21/9/2012 -- 16:19:47 - <Info> - Enabling zero copy mode by using data release call [New Thread 0xb43beb70 (LWP 21235)] [New Thread 0xb3bbdb70 (LWP 21236)] [New Thread 0xb33bcb70 (LWP 21237)] [New Thread 0xb2bbbb70 (LWP 21238)] [New Thread 0xb23bab70 (LWP 21239)] [New Thread 0xb1bb9b70 (LWP 21240)] 21/9/2012 -- 16:19:48 - <Info> - RunModeIdsAFPAutoFp initialised [New Thread 0xb13b8b70 (LWP 21241)] 21/9/2012 -- 16:19:48 - <Info> - stream "max-sessions": 262144 21/9/2012 -- 16:19:48 - <Info> - stream "prealloc-sessions": 32768 21/9/2012 -- 16:19:48 - <Info> - stream "memcap": 33554432 21/9/2012 -- 16:19:48 - <Info> - stream "midstream" session pickups: disabled 21/9/2012 -- 16:19:48 - <Info> - stream "async-oneside": disabled 21/9/2012 -- 16:19:48 - <Info> - stream "checksum-validation": enabled 21/9/2012 -- 16:19:48 - <Info> - stream."inline": disabled 21/9/2012 -- 16:19:48 - <Info> - stream.reassembly "memcap": 67108864 21/9/2012 -- 16:19:48 - <Info> - stream.reassembly "depth": 1048576 21/9/2012 -- 16:19:48 - <Info> - stream.reassembly "toserver-chunk-size": 2560 21/9/2012 -- 16:19:48 - <Info> - stream.reassembly "toclient-chunk-size": 2560 [New Thread 0xb039db70 (LWP 21242)] [New Thread 0xafb9cb70 (LWP 21243)] 21/9/2012 -- 16:19:48 - <Info> - all 7 packet processing threads, 3 management threads initialized, engine started. 21/9/2012 -- 16:19:48 - <Info> - AF_PACKET RX Ring params: block_size=32768 block_nr=103 frame_size=1584 frame_nr=2060 21/9/2012 -- 16:19:48 - <Info> - Using interface 'eth1' via socket 9 21/9/2012 -- 16:19:48 - <Info> - All AFP capture threads are running. 21/9/2012 -- 16:19:48 - <Info> - Thread RxAFP1 using socket 9 Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0xb2bbbb70 (LWP 21238)] 0x0818754c in TCPCalculateChecksum (tv=0xba7fac8, p=0xaedcb138, data=0xadba4b8, pq=0xabf17e8, postpq=0xabf183c) at decode-tcp.h:199 199 csum += pkt[0] + pkt[1] + pkt[2] + pkt[3] + pkt[4] + pkt[5] + pkt[6] +
Kernel log:
Sep 21 16:17:35 qleids01 kernel: [22136849.928496] Detect4[17635]: segfault at aeb7f000 ip 0818757c sp b239da10 error 4 in suricata[8048000+19f000]
Updated by Eric Leblond over 12 years ago
Hello,
Thanks for the report. This bug should have been fixed in latest git by commit https://github.com/inliniac/suricata/commit/4a1a008009563f12e995eb1f01dd0bdd4f3c62de. I should have put the traceback in the commit message to help you find it.
Updated by Michael Cox over 12 years ago
OK thanks, Eric. I should have tried the latest from git as a matter of course anyway.
Updated by Michael Cox over 12 years ago
I pulled from git this morning. It runs for a while but still segfaults eventually. Output from a couple of different runs below. I'm not a developer at all, so please educate me if I'm not giving you the info you need or missing some other part of the proper protocol to submit bugs.
Cheers,
Michael
Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0xb4842b70 (LWP 4757)] 0x080a8b67 in DetectEngineRunHttpHeaderMpm (det_ctx=0xc458ce8, f=0x7e216588, htp_state=0xbbef0cc0, flags=4 '\004') at detect-engine-hhd.c:198 198 cnt += HttpHeaderPatternSearch(det_ctx, (gdb) bt #0 0x080a8b67 in DetectEngineRunHttpHeaderMpm (det_ctx=0xc458ce8, f=0x7e216588, htp_state=0xbbef0cc0, flags=4 '\004') at detect-engine-hhd.c:198 #1 0x0807f18f in DetectMpmPrefilter (th_v=0xaf05740, de_ctx=0x9c4cf00, det_ctx=0xc458ce8, p=0x91a2028) at detect.c:1282 #2 SigMatchSignatures (th_v=0xaf05740, de_ctx=0x9c4cf00, det_ctx=0xc458ce8, p=0x91a2028) at detect.c:1596 #3 0x08081386 in Detect (tv=0xaf05740, p=0x91a2028, data=0x0, pq=0xb94e538, postpq=0x0) at detect.c:2029 #4 0x08165aaf in TmThreadsSlotVarRun (tv=0xaf05740, p=0x91a2028, slot=0xb94e518) at tm-threads.c:524 #5 0x08165de2 in TmThreadsSlotVar (td=0xaf05740) at tm-threads.c:749 #6 0x001ac96e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0 #7 0x002dca4e in clone () from /lib/tls/i686/cmov/libc.so.6
Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0xb4842b70 (LWP 13314)] SCProfilingAddPacket (p=0x55e539f8) at util-profiling.c:680 680 if (PKT_IS_IPV4(p)) { (gdb) bt #0 SCProfilingAddPacket (p=0x55e539f8) at util-profiling.c:680 #1 0x08168b84 in TmqhOutputPacketpool (t=0xaf05740, p=0x55e539f8) at tmqh-packetpool.c:204 #2 0x08165df5 in TmThreadsSlotVar (td=0xaf05740) at tm-threads.c:757 #3 0x001ac96e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0 #4 0x002dca4e in clone () from /lib/tls/i686/cmov/libc.so.6
Updated by Anoop Saldanha over 12 years ago
Hi Michael,
Can you paste the output of
print det_ctx->hhd_buffers_list_len
and for every i from 0 upto (det_ctx->hhd_buffers_list_len - 1)
print det_ctx->hhd_buffers[i]
print det_ctx->hhd_buffers_len[i]
Updated by Michael Cox over 12 years ago
See below for output. I hope I did it correctly; I only have a vague idea of what I'm looking at.
To answer some of the questions in the email from Peter, this is a busy sensor. The NIC sees ~400-500mbps, but I'm really only trying to inspect ~200mbps of gre-encapsulated proxy traffic. The hardware is a bit overloaded, but it's what I have to test with at the moment. I bumped up all the memcap lines in the yaml, but I'm not running out of physical RAM. Everything else is default except for ip vars and disabling some rules. It will run for a varying amount of time, maybe 10-40 minutes.
Hope that helps.
Regards,
Michael
[6760] 25/9/2012 -- 16:45:59 - (tm-threads.c:2054) <Info> (TmThreadWaitOnThreadInit) -- all 7 packet processing threads, 3 management threads initialized, engine started. [7653] 25/9/2012 -- 16:45:59 - (source-af-packet.c:1322) <Info> (AFPCreateSocket) -- Using interface 'eth1' via socket 9 [7653] 25/9/2012 -- 16:45:59 - (source-af-packet.c:412) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running. [7653] 25/9/2012 -- 16:45:59 - (source-af-packet.c:938) <Info> (ReceiveAFPLoop) -- Thread RxAFP1 using socket 9 Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0xb09b8b70 (LWP 7658)] 0x080a8b67 in DetectEngineRunHttpHeaderMpm (det_ctx=0xd417338, f=0x19f2e240, htp_state=0x43c15010, flags=6 '\006') at detect-engine-hhd.c:198 198 cnt += HttpHeaderPatternSearch(det_ctx, (gdb) bt #0 0x080a8b67 in DetectEngineRunHttpHeaderMpm (det_ctx=0xd417338, f=0x19f2e240, htp_state=0x43c15010, flags=6 '\006') at detect-engine-hhd.c:198 #1 0x0807f18f in DetectMpmPrefilter (th_v=0xb8dcec8, de_ctx=0x9528348, det_ctx=0xd417338, p=0x900fd90) at detect.c:1282 #2 SigMatchSignatures (th_v=0xb8dcec8, de_ctx=0x9528348, det_ctx=0xd417338, p=0x900fd90) at detect.c:1596 #3 0x08081386 in Detect (tv=0xb8dcec8, p=0x900fd90, data=0x0, pq=0xcc03328, postpq=0x0) at detect.c:2029 #4 0x08165aaf in TmThreadsSlotVarRun (tv=0xb8dcec8, p=0x900fd90, slot=0xcc03308) at tm-threads.c:524 #5 0x08165de2 in TmThreadsSlotVar (td=0xb8dcec8) at tm-threads.c:749 #6 0x001ac96e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0 #7 0x002dca4e in clone () from /lib/tls/i686/cmov/libc.so.6 (gdb) print det_ctx->hhd_buffers_list_len $1 = 1 (gdb) print det_ctx->hhd_buffers[0] $2 = (uint8_t *) 0x0 (gdb) print det_ctx->hhd_buffers_len[0] Cannot access memory at address 0x0
Updated by Anoop Saldanha over 12 years ago
Thanks. Can you reproduce this frequently?
Updated by Michael Cox over 12 years ago
Every run so far (5 or 6). I'll do some more tests this afternoon if possible and also look for a different location to test with a different mix of traffic and hardware.
Updated by Anoop Saldanha over 12 years ago
I have my fix in this branch - https://github.com/poona/suricata/tree/task_29_bug_557
Can you pull this branch and test it?
OR
you can download the patch and apply it directly on your branch
Patch: https://github.com/poona/suricata/commit/f983fefdf5385bdf5dc281acb3bfb00cc27cc000.patch
Updated by Michael Cox over 12 years ago
With the new branch.
Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0xb5ab1b70 (LWP 14986)] 0x0812056c in SCACSearch (mpm_ctx=0xbb521d0, mpm_thread_ctx=0xd7e6e04, pmq=0xd7e6e1c, buf=0x0, buflen=180) at util-mpm-ac.c:1232 1232 state = state_table_u16[state & 0x7FFF][u8_tolower(buf[i])]; (gdb) bt #0 0x0812056c in SCACSearch (mpm_ctx=0xbb521d0, mpm_thread_ctx=0xd7e6e04, pmq=0xd7e6e1c, buf=0x0, buflen=180) at util-mpm-ac.c:1232 #1 0x0809b060 in HttpHeaderPatternSearch (det_ctx=0xd7e6db0, headers=0x0, headers_len=180, flags=8 '\b') at detect-engine-mpm.c:393 #2 0x080a8e17 in DetectEngineRunHttpHeaderMpm (det_ctx=0xd7e6db0, f=0x167d3888, htp_state=0x5888fb18, flags=8 '\b') at detect-engine-hhd.c:201 #3 0x0807f3ff in DetectMpmPrefilter (th_v=0xb8cc370, de_ctx=0x9529348, det_ctx=0xd7e6db0, p=0x904a670) at detect.c:1286 #4 SigMatchSignatures (th_v=0xb8cc370, de_ctx=0x9529348, det_ctx=0xd7e6db0, p=0x904a670) at detect.c:1600 #5 0x080815f6 in Detect (tv=0xb8cc370, p=0x904a670, data=0x364ff4, pq=0xd7328f8, postpq=0x0) at detect.c:2033 #6 0x08165c3f in TmThreadsSlotVarRun (tv=0xb8cc370, p=0x904a670, slot=0xd7328d8) at tm-threads.c:524 #7 0x08165f72 in TmThreadsSlotVar (td=0xb8cc370) at tm-threads.c:749 #8 0x001ac96e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0 #9 0x002dca4e in clone () from /lib/tls/i686/cmov/libc.so.6
Updated by Anoop Saldanha over 12 years ago
Updated by Anoop Saldanha over 12 years ago
The patch supplied so far should fix the segv seen so far, but there are more issues <- all of these under low memory conditions. Fixing them
Updated by Anoop Saldanha over 12 years ago
pull request here - https://github.com/inliniac/suricata/pull/103
The memory alloc handling in libhtp needs to be fixed though. You would still see segvs because of this.
Updated by Michael Cox about 12 years ago
Thanks, Anoop (and all for working on a great project!).
I'll make sure I give myself plenty of memory headroom so that I can continue to test the 1.4dev.
Updated by Victor Julien about 12 years ago
Please note that on 32bit you'll be limited to ~3GB per process no matter what you do. So suricata will not be able to use more. I recommend a 64 bit setup for your sensor.
Updated by Victor Julien about 12 years ago
- Status changed from New to Assigned
- Target version set to 1.4beta3
We'll need to fix this in libhtp as well.
Updated by Victor Julien about 12 years ago
- Status changed from Assigned to Closed
These issues are now addressed in libhtp and Suricata itself.