Bug #6239

closed

ASAN: double free when multi-tenancy enabled and configured

Added by Jeff Lucovsky over 1 year ago. Updated about 1 year ago.

Status: Closed
Priority: Normal

Description

Using 7.0 with multi-tenancy configured, running the suricata-verify tests yields multiple ASAN double free issues.

Several of the tests fail and the error output looks similar: the following is from the bug-2917 test

=================================================================
==1966376==ERROR: AddressSanitizer: attempting double-free on 0x615000296100 in thread T2 (DL#02):
    #0 0x7ffb0dadc517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x7ffb0cd33da6 in _IO_deallocate_file libio/libioP.h:862
    #2 0x7ffb0cd33da6 in _IO_new_fclose libio/iofclose.c:74
    #3 0x7ffb0dab8e48 in __interceptor_fclose ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6233
    #4 0x7ffb0dab8e48 in __interceptor_fclose ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6228
    #5 0x55f4d71b7a8f in CleanupRuleAnalyzer /home/jlucovsky/src/jal/suricata/src/detect-engine-analyzer.c:423
    #6 0x55f4d6985feb in SigLoadSignatures /home/jlucovsky/src/jal/suricata/src/detect-engine-loader.c:391
    #7 0x55f4d693e05c in DetectEngineMultiTenantLoadTenant /home/jlucovsky/src/jal/suricata/src/detect-engine.c:3848
    #8 0x55f4d693e786 in DetectLoaderFuncLoadTenant /home/jlucovsky/src/jal/suricata/src/detect-engine.c:3929
    #9 0x55f4d6986e5b in DetectLoader /home/jlucovsky/src/jal/suricata/src/detect-engine-loader.c:602
    #10 0x55f4d661c3fb in TmThreadsManagement /home/jlucovsky/src/jal/suricata/src/tm-threads.c:555
    #11 0x7ffb0cd49b42 in start_thread nptl/pthread_create.c:442
    #12 0x7ffb0cddb9ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

0x615000296100 is located 0 bytes inside of 472-byte region [0x615000296100,0x6150002962d8)
freed by thread T1 (DL#01) here:
    #0 0x7ffb0dadc517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x7ffb0cd33da6 in _IO_deallocate_file libio/libioP.h:862
    #2 0x7ffb0cd33da6 in _IO_new_fclose libio/iofclose.c:74

previously allocated by thread T3 (DL#03) here:
    #0 0x7ffb0dadc867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7ffb0cd346cd in __fopen_internal libio/iofopen.c:65
    #2 0x7ffb0cd346cd in _IO_new_fopen libio/iofopen.c:86

Thread T2 (DL#02) created by T0 (Suricata-Main) here:
    #0 0x7ffb0da80685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x55f4d66215c6 in TmThreadSpawn /home/jlucovsky/src/jal/suricata/src/tm-threads.c:1670
    #2 0x55f4d69873d4 in DetectLoaderThreadSpawn /home/jlucovsky/src/jal/suricata/src/detect-engine-loader.c:648
    #3 0x55f4d693fcd2 in DetectEngineMultiTenantSetup /home/jlucovsky/src/jal/suricata/src/detect-engine.c:4143
    #4 0x55f4d6612371 in PostConfLoadedDetectSetup /home/jlucovsky/src/jal/suricata/src/suricata.c:2553
    #5 0x55f4d6614198 in SuricataMain /home/jlucovsky/src/jal/suricata/src/suricata.c:2976
    #6 0x55f4d6603f5b in main /home/jlucovsky/src/jal/suricata/src/main.c:22
    #7 0x7ffb0ccded8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Thread T1 (DL#01) created by T0 (Suricata-Main) here:
    #0 0x7ffb0da80685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x55f4d66215c6 in TmThreadSpawn /home/jlucovsky/src/jal/suricata/src/tm-threads.c:1670
    #2 0x55f4d69873d4 in DetectLoaderThreadSpawn /home/jlucovsky/src/jal/suricata/src/detect-engine-loader.c:648
    #3 0x55f4d693fcd2 in DetectEngineMultiTenantSetup /home/jlucovsky/src/jal/suricata/src/detect-engine.c:4143
    #4 0x55f4d6612371 in PostConfLoadedDetectSetup /home/jlucovsky/src/jal/suricata/src/suricata.c:2553
    #5 0x55f4d6614198 in SuricataMain /home/jlucovsky/src/jal/suricata/src/suricata.c:2976
    #6 0x55f4d6603f5b in main /home/jlucovsky/src/jal/suricata/src/main.c:22
    #7 0x7ffb0ccded8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Thread T3 (DL#03) created by T0 (Suricata-Main) here:
    #0 0x7ffb0da80685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x55f4d66215c6 in TmThreadSpawn /home/jlucovsky/src/jal/suricata/src/tm-threads.c:1670
    #2 0x55f4d69873d4 in DetectLoaderThreadSpawn /home/jlucovsky/src/jal/suricata/src/detect-engine-loader.c:648
    #3 0x55f4d693fcd2 in DetectEngineMultiTenantSetup /home/jlucovsky/src/jal/suricata/src/detect-engine.c:4143
    #4 0x55f4d6612371 in PostConfLoadedDetectSetup /home/jlucovsky/src/jal/suricata/src/suricata.c:2553
    #5 0x55f4d6614198 in SuricataMain /home/jlucovsky/src/jal/suricata/src/suricata.c:2976
    #6 0x55f4d6603f5b in main /home/jlucovsky/src/jal/suricata/src/main.c:22
    #7 0x7ffb0ccded8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: double-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 in __interceptor_free
==1966376==ABORTING

Failing s-v tests due to the double-free issue:

$ grep -r -e double-free
detect-bytejump-03/output/stderr:==2001013==ERROR: AddressSanitizer: attempting double-free on 0x615000296100 in thread T1 (DL#01):
detect-strip_whitespace-01/output/stderr:==2003286==ERROR: AddressSanitizer: attempting double-free on 0x615000296100 in thread T2 (DL#02):
bug-2917/output/stderr:==1992623==ERROR: AddressSanitizer: attempting double-free on 0x615000296100 in thread T2 (DL#02):
bug-2917/output/stderr:SUMMARY: AddressSanitizer: double-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 in __interceptor_free
bug-3463/output/stderr:==1992906==ERROR: AddressSanitizer: attempting double-free on 0x6150002b5f00 in thread T3 (DL#03):
bug-3515/output/stderr:==1992972==ERROR: AddressSanitizer: attempting double-free on 0x615000296100 in thread T3 (DL#03):
bug-3515/output/stderr:SUMMARY: AddressSanitizer: double-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 in __interceptor_free
detect-bytejump-04/output/stderr:==2001063==ERROR: AddressSanitizer: attempting double-free on 0x615000296100 in thread T3 (DL#03):
detect-bytejump-04/output/stderr:SUMMARY: AddressSanitizer: double-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 in __interceptor_free
datarep-03-bad-reputation/output/stderr:==1997955==ERROR: AddressSanitizer: attempting double-free on 0x6150002a5d80 in thread T1 (DL#01):
datarep-03-bad-reputation/output/stderr:SUMMARY: AddressSanitizer: double-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 in __interceptor_free
rules/dce_stub_data/output/stderr:==2051998==ERROR: AddressSanitizer: attempting double-free on 0x615000296100 in thread T3 (DL#03):
rules/http_uri/output/stderr:==2052205==ERROR: AddressSanitizer: attempting double-free on 0x615000296100 in thread T2 (DL#02):
rules/http_uri/output/stderr:SUMMARY: AddressSanitizer: double-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 in __interceptor_free
detect-compress_whitespace-01/output/stderr:==2001731==ERROR: AddressSanitizer: attempting double-free on 0x6150002c6080 in thread T2 (DL#02):
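
The trace above shows one FILE object allocated by fopen in DL#03, closed by fclose in DL#01, and closed again by DL#02 from CleanupRuleAnalyzer. The following reduced C model is an added example, not Suricata's code and not the fix applied upstream; it contrasts a process-wide handle with per-loader ownership. `shared_fp`, `LoaderCtx`, `loader_setup`, `loader_cleanup` and the `/dev/null` target are hypothetical names chosen for illustration.

```c
#include <stdio.h>

/* Unsafe shape (hypothetical, modelled on the trace): one process-wide
 * handle that every loader's cleanup closes. A second caller passes the
 * same stale pointer to fclose(). Kept for comparison; never called here. */
FILE *shared_fp;
void cleanup_shared_unsafe(void)
{
    if (shared_fp != NULL)
        fclose(shared_fp);      /* pointer stays dangling for the next caller */
}

/* Safer shape: each loader's context owns its own handle. */
typedef struct {
    int tenant_id;
    FILE *analysis_fp;          /* owned by this context only */
} LoaderCtx;

/* Open the per-tenant report; returns 0 on success, -1 on failure. */
int loader_setup(LoaderCtx *ctx, int tenant_id)
{
    ctx->tenant_id = tenant_id;
    ctx->analysis_fp = fopen("/dev/null", "w");  /* stand-in for the analysis log */
    return ctx->analysis_fp != NULL ? 0 : -1;
}

/* Close the handle at most once; returns 1 if this call closed it. */
int loader_cleanup(LoaderCtx *ctx)
{
    if (ctx->analysis_fp == NULL)
        return 0;
    fclose(ctx->analysis_fp);
    ctx->analysis_fp = NULL;    /* a repeated cleanup becomes a no-op */
    return 1;
}

/* Constructed scenario: three loaders (like DL#01..DL#03 in the trace), each
 * with its own context, and every cleanup invoked twice. Returns total closes. */
int run_three_loaders(void)
{
    LoaderCtx ctx[3];
    int closes = 0;
    for (int i = 0; i < 3; i++) {
        if (loader_setup(&ctx[i], i + 1) != 0)
            return -1;
        fprintf(ctx[i].analysis_fp, "tenant %d\n", ctx[i].tenant_id);
    }
    for (int i = 0; i < 3; i++)
        closes += loader_cleanup(&ctx[i]) + loader_cleanup(&ctx[i]);
    return closes;
}
```

The scenario runs sequentially; because no handle is shared between contexts, the same ownership rule holds when each context is driven by its own thread.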


Related issues: 1 (0 open, 1 closed)

Related to Suricata - Bug #6549: multi-tenancy: ASAN error on engine analysis (Closed, Jeff Lucovsky)