Bug #612 (closed): FreeBSD DIVERT segfault
Description
Version: 1.3.2
OS: FreeBSD 9.0-RELEASE (amd64)
Compiled options: IPFW (+DEBUG)
Brief description of problem: Every time I start suricata using IPFW's divert facility, it segfaults and crashes.
Steps to reproduce:
1. Build suricata with the IPFW option enabled
2. Set up basic configuration (copying suricata.yaml.sample to suricata.yaml works well enough)
3. Configure IPFW with a divert rule (ipfw add 2 divert 8000 ip from any to any)
4. Attempt to execute suricata using IPFW divert (suricata -c /path/to/suricata.yaml -d 8000)
5. SIGSEGV
After trying this multiple times, I recompiled with debugging enabled and opened the core dump in gdb. Stepping through, the error occurs within the strcmp() function referenced on line 196 of source-ipfw.c (within IPFWMutexInit()). The offending ASM instruction is "<strcmp+11> mov (%rsi),%dl." Upon execution of this command, it fails every time it's called from IPFWMutexInit(). Perhaps this is evidence of some kind of stack corruption? The segfault is caused by attempting to dereference the pointer stored in %rsi, but not being able to access such memory.
Is there anything I can do to help figure out what's going on and/or how to fix it?
Thanks,
Jake
Updated by Eric Leblond about 12 years ago
Is it possible for you to provide a backtrace? Given the type of error you describe, it should have an explicit result.
Updated by Victor Julien about 12 years ago
- Status changed from New to Assigned
- Assignee set to Eric Leblond
- Target version set to 1.3.3
I guess RunmodeGetActive returns an invalid ptr?
Updated by Jake Guffey about 12 years ago
Eric Leblond wrote:
Is it possible for you to provide a backtrace? Given the type of error you describe, it should have an explicit result.
$ gdb $(which suricata) suricata.core
...
#0 0x0000000801f16f3b in strcmp () from /lib/libc.so.7
[New Thread 802409400 (LWP 100246/FlowManagerThre)]
[New Thread 802409000 (LWP 100245/Verdict0)]
[New Thread 802408c00 (LWP 100244/Detect3)]
[New Thread 802408800 (LWP 100243/Detect2)]
[New Thread 802408400 (LWP 100242/Detect1)]
[New Thread 802408000 (LWP 100241/Recv-Q8000)]
[New Thread 802407400 (LWP 100060/Suricata-Main)]
(gdb) backtrace
#0 0x0000000801f16f3b in strcmp () from /lib/libc.so.7
#1 0x00000000004251c1 in IPFWMutexInit (nq=0x9df4e0) at source-ipfw.c:196
#2 0x0000000000424892 in ReceiveIPFWThreadInit (tv=0x8048e1900, initdata=0x9df260, data=0x7fffffbfd748) at source-ipfw.c:437
#3 0x00000000005ffa16 in TmThreadsSlotPktAcqLoop (td=0x8048e1900) at tm-threads.c:617
#4 0x00000008017a4274 in pthread_getprio () from /lib/libthr.so.3
#5 0x0000000000000000 in ?? ()
Cannot access memory at address 0x7fffffbfe000
Updated by Eric Leblond about 12 years ago
- % Done changed from 0 to 90
It is fixed by the last patch of https://github.com/inliniac/suricata/pull/164 : https://github.com/regit/suricata/commit/59954102b9f728f2afffae9c43cf8e794c4c426c
Updated by Victor Julien about 12 years ago
- Status changed from Assigned to Closed
- % Done changed from 90 to 100
Merged, thanks!
Updated by Jake Guffey about 12 years ago
Eric Leblond wrote:
It is fixed by the last patch of https://github.com/inliniac/suricata/pull/164 : https://github.com/regit/suricata/commit/59954102b9f728f2afffae9c43cf8e794c4c426c
Awesome. Thanks!