Bug #6861
closed
profiling/rules: crash when profiling ends
Description
Suricata may crash when stopping ruleset profiling.
    $ ./configure --enable-profiling_rule
    $ sudo suricatasc /var/run/suricata/suricata-command.socket
    >>> ruleset-profile-start
    >>> ruleset-profile-stop
It may crash depending on how the timing of the PROFILING_START/PROFILING_END macros
    suricata: detect.c:815: DetectRulePacketRules: Assertion `!(profiling_rules_entered < 0)' failed.

    Thread 7 "W#06-enp6s0f0" received signal SIGABRT, Aborted.
    [Switching to Thread 0x7fffdb915640 (LWP 3539932)]
    __pthread_kill_implementation (no_tid=0, signo=6, threadid=140736877123136) at ./nptl/pthread_kill.c:44
    44 ./nptl/pthread_kill.c: No such file or directory.
    (gdb) bt
    #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140736877123136) at ./nptl/pthread_kill.c:44
    #1 __pthread_kill_internal (signo=6, threadid=140736877123136) at ./nptl/pthread_kill.c:78
    #2 __GI___pthread_kill (threadid=140736877123136, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
    #3 0x00007ffff7229476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
    #4 0x00007ffff720f7f3 in __GI_abort () at ./stdlib/abort.c:79
    #5 0x00007ffff720f71b in __assert_fail_base (fmt=0x7ffff73c4130 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x5555561081d0 "!(profiling_rules_entered < 0)", file=0x5555561081c7 "detect.c", line=815, function=<optimized out>) at ./assert/assert.c:92
    #6 0x00007ffff7220e96 in __GI___assert_fail (assertion=0x5555561081d0 "!(profiling_rules_entered < 0)", file=0x5555561081c7 "detect.c", line=815, function=0x55555610c6f0 <__PRETTY_FUNCTION__.25> "DetectRulePacketRules") at ./assert/assert.c:101
    #7 0x000055555584a8cb in DetectRulePacketRules (tv=0x55555ded0f00, de_ctx=0x5555575c0af0, det_ctx=0x7fffd445e740, p=0x7fffd4290130, pflow=0x7fff9d195c90, scratch=0x7fffdb914050) at detect.c:815
    #8 0x000055555584906e in DetectRun (th_v=0x55555ded0f00, de_ctx=0x5555575c0af0, det_ctx=0x7fffd445e740, p=0x7fffd4290130) at detect.c:143
    #9 0x000055555584d133 in DetectFlow (tv=0x55555ded0f00, de_ctx=0x5555575c0af0, det_ctx=0x7fffd445e740, p=0x7fffd4290130) at detect.c:1780
    #10 0x000055555584d3b7 in Detect (tv=0x55555ded0f00, p=0x7fffd4290130, data=0x7fffd445e740) at detect.c:1852
    #11 0x0000555555a68bfa in FlowWorker (tv=0x55555ded0f00, p=0x7fffd4290130, data=0x7fffd42ea1e0) at flow-worker.c:606
    #12 0x0000555555732016 in TmThreadsSlotVarRun (tv=0x55555ded0f00, p=0x7fffd4290130, slot=0x55555c5935d0) at tm-threads.c:135
    #13 0x0000555555ab0eb1 in TmThreadsSlotProcessPkt (tv=0x55555ded0f00, s=0x55555c5935d0, p=0x7fffd4290130) at /home/jlucovsky/src/jal/suricata/src/tm-threads.h:200
    #14 0x0000555555ab2652 in AFPReadFromRing (ptv=0x7fffd4290b70) at source-af-packet.c:939
    #15 0x0000555555ab38ec in ReceiveAFPLoop (tv=0x55555ded0f00, data=0x7fffd4290b70, slot=0x55556c1de200) at source-af-packet.c:1430
    #16 0x00005555557326c8 in TmThreadsSlotPktAcqLoop (td=0x55555ded0f00) at tm-threads.c:318
    #17 0x00007ffff727bac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
    #18 0x00007ffff730d850 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    (gdb) fr 7
    (gdb) info locals
    profile_rule_end_ = 19446383929566616
    smatch = false
    profile_rule_start_ = 0
    alert_flags = 0 '\000'
    s_proto_flags = 0 '\000'
    s = 0x5555576ac0f0
    next_s = 0x5555576ac780
    match_cnt = 15
    match_array = 0x7fffd4468858
    sflags = 1572879
    next_sflags = 1572879
    __FUNCTION__ = "DetectRulePacketRules"
    __PRETTY_FUNCTION__ = "DetectRulePacketRules"
    (gdb) p profiling_rules_entered--
    $1 = -1
The crash occurs when the ruleset profiling is disabled because
- RULE_PROFILING_START uses profiling_rules_active as a gate for profiling (in addition to profiling_rules_enabled)
- RULE_PROFILING_END only uses profiling_rules_enabled
Thus, when RULE_PROFILING_END is invoked, it will decrement profiling_rules_entered even if RULE_PROFILING_START didn't increment it.
A candidate fix is to clear the packet's profiling flag in RULE_PROFILING_END
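The gating mismatch described above, as an added single-threaded model in C (not Suricata source and not part of the original report). The three counter and gate names come from the report; `struct pkt`, its `profile` flag, the function names and the chosen interleaving (profiling stopped between two rules evaluated on the same packet) are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, not Suricata source. Variable names follow the bug
 * report; struct pkt, its flag and the function names are assumptions. */
static int profiling_rules_enabled = 1; /* assumed always on in this model */
static int profiling_rules_active;      /* assumed toggled by profile start/stop */
static int profiling_rules_entered;     /* must never drop below 0 */
struct pkt { bool profile; };           /* stands in for the packet's profiling flag */

/* START: gated on both enabled and active. */
static void rule_profiling_start(struct pkt *p)
{
    if (profiling_rules_enabled && profiling_rules_active) {
        p->profile = true;
        profiling_rules_entered++;
    }
}

/* END: gated on enabled and the packet flag only, never on active. */
static void rule_profiling_end(struct pkt *p, bool clear_flag)
{
    if (profiling_rules_enabled && p->profile) {
        profiling_rules_entered--;
        if (clear_flag)
            p->profile = false; /* candidate fix: flag does not outlive this rule */
    }
}

/* One packet, two rules, profiling stopped in between. Returns the counter. */
static int run_two_rules(bool clear_flag)
{
    struct pkt p = { false };
    profiling_rules_entered = 0;
    profiling_rules_active = 1;          /* ruleset-profile-start */
    rule_profiling_start(&p);            /* rule 1: counter 0 -> 1 */
    rule_profiling_end(&p, clear_flag);  /* rule 1: counter 1 -> 0 */
    profiling_rules_active = 0;          /* ruleset-profile-stop lands mid-packet */
    rule_profiling_start(&p);            /* rule 2: skipped, not active */
    rule_profiling_end(&p, clear_flag);  /* rule 2: runs only if the flag is stale */
    return profiling_rules_entered;
}

int main(void)
{
    printf("without fix: %d\n", run_two_rules(false));
    printf("with fix:    %d\n", run_two_rules(true));
    return 0;
}
```

A negative return value corresponds to the state in which the `!(profiling_rules_entered < 0)` assertion from the report would fire.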