Bug #7091
Segfault on 7.0.5 with generated live traffic
Status: closed
Description
With 7.0.5 I can reproduce a segfault on Cisco T-Rex generated live traffic that occurs after a few hours of runtime.
<pre>
Notice: suricata: Signature(s) loaded, Detect thread(s) activated. [PostRunStartedDetectSetup:suricata.c:2517]
corrupted double-linked list
corrupted double-linked list
mremap_chunk(): invalid pointer
corrupted double-linked list
corrupted double-linked list
mremap_chunk(): invalid pointer
corrupted double-linked list
corrupted double-linked list
corrupted double-linked list
malloc(): smallbin double linked list corrupted
corrupted double-linked list
double free or corruption (!prev)
corrupted double-linked list
double free or corruption (!prev)
corrupted double-linked list

Thread 21 "W#20-eth6" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffc5bfff700 (LWP 96846)]
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff6dff535 in __GI_abort () at abort.c:79
#2  0x00007ffff6e56648 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff6f602a0 "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff6e5cd6a in malloc_printerr (str=str@entry=0x7ffff6f5e3a6 "corrupted double-linked list") at malloc.c:5359
#4  0x00007ffff6e5e6dc in _int_free (av=av@entry=0x7ffc54000020, p=<optimized out>, p@entry=0x7ff6c3cc92b0, have_lock=have_lock@entry=1) at malloc.c:4340
#5  0x00007ffff6e60f40 in _int_realloc (av=av@entry=0x7ffc54000020, oldp=oldp@entry=0x7ff6c3cc92b0, oldsize=oldsize@entry=12304, nb=nb@entry=16400) at malloc.c:4630
#6  0x00007ffff6e620fb in __GI___libc_realloc (oldmem=0x7ff6c3cc92c0, bytes=16384) at malloc.c:3233
#7  0x00005555556a83b2 in SCReallocFunc (ptr=0x7ff6c3cc92c0, size=16384) at util-mem.c:46
#8  0x00005555556cba31 in HTPRealloc (ptr=0x7ff6c3cc92c0, orig_size=12288, size=16384) at app-layer-htp-mem.c:176
#9  0x000055555580624d in GrowRegionToSize (sb=0x7ff072a02780, cfg=0x555555ee4fc0 <htp_sbcfg>, region=0x7ff072a02780, size=14506) at util-streaming-buffer.c:722
#10 0x0000555555806306 in GrowToSize (sb=0x7ff072a02780, cfg=0x555555ee4fc0 <htp_sbcfg>, size=14506) at util-streaming-buffer.c:746
#11 0x0000555555806d64 in StreamingBufferAppend (sb=0x7ff072a02780, cfg=0x555555ee4fc0 <htp_sbcfg>, seg=0x7ff5bc15fdfc, data=0x7ff0ef4bdea0 '*' <repeats 200 times>..., data_len=2920) at util-streaming-buffer.c:1096
#12 0x000055555582884d in HtpBodyAppendChunk (hcfg=0x555555eee0fc <cfglist+60>, body=0x7ff0702a7f78, data=0x7ff0ef4bdea0 '*' <repeats 200 times>..., len=2920) at app-layer-htp-body.c:71
#13 0x00005555556c7387 in HTPCallbackResponseBodyData (d=0x7ffc5bffdb60) at app-layer-htp.c:2026
#14 0x0000555555c949fa in htp_hook_run_all (hook=0x555555f6ef00, user_data=user_data@entry=0x7ffc5bffdb60) at htp_hooks.c:127
#15 0x0000555555ca2057 in htp_res_run_hook_body_data (connp=<optimized out>, d=d@entry=0x7ffc5bffdb60) at htp_util.c:2358
#16 0x0000555555c9d2d8 in htp_tx_res_process_body_data_ex (tx=0x7ff396217330, data=0x7ff0ef4bdea0, len=len@entry=2920) at htp_transaction.c:1005
#17 0x0000555555c991ba in htp_connp_RES_BODY_IDENTITY_CL_KNOWN (connp=0x7ff07025e260) at htp_response.c:490
#18 0x0000555555c9ae85 in htp_connp_res_data (connp=0x7ff07025e260, timestamp=<optimized out>, data=<optimized out>, len=<optimized out>) at htp_response.c:1355
#19 0x00005555556c5111 in HTPHandleResponseData (f=0x5556ab23af60, htp_state=0x7fefda9b6be0, pstate=0x7fefda9b6cc0, stream_slice=..., local_data=0x0) at app-layer-htp.c:970
#20 0x00005555556d10ac in AppLayerParserParse (tv=0x5556c3daab30, alp_tctx=0x7ffc52722030, f=0x5556ab23af60, alproto=1, flags=8 '\b', input=0x7ff0ef4bdea0 '*' <repeats 200 times>..., input_len=2920) at app-layer-parser.c:1403
#21 0x00005555556b8916 in AppLayerHandleTCPData (tv=0x5556c3daab30, ra_ctx=0x7ffc5271c910, p=0x7ffc526e8f00, f=0x5556ab23af60, ssn=0x7ffc301b9180, stream=0x7ffc5bffdf00, data=0x7ff0ef4bdea0 '*' <repeats 200 times>..., data_len=2920, flags=8 '\b', dir=UPDATE_DIR_OPPOSING) at app-layer.c:787
#22 0x00005555557df15f in ReassembleUpdateAppLayer (tv=0x5556c3daab30, ra_ctx=0x7ffc5271c910, ssn=0x7ffc301b9180, stream=0x7ffc5bffdf00, p=0x7ffc526e8f00, dir=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1328
#23 0x00005555557df34a in StreamTcpReassembleAppLayer (tv=0x5556c3daab30, ra_ctx=0x7ffc5271c910, ssn=0x7ffc301b9180, stream=0x7ffc301b9190, p=0x7ffc526e8f00, dir=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1391
#24 0x00005555557e02a4 in StreamTcpReassembleHandleSegmentUpdateACK (tv=0x5556c3daab30, ra_ctx=0x7ffc5271c910, ssn=0x7ffc301b9180, stream=0x7ffc301b9190, p=0x7ffc526e8f00) at stream-tcp-reassemble.c:1949
#25 0x00005555557e0416 in StreamTcpReassembleHandleSegment (tv=0x5556c3daab30, ra_ctx=0x7ffc5271c910, ssn=0x7ffc301b9180, stream=0x7ffc301b9218, p=0x7ffc526e8f00) at stream-tcp-reassemble.c:1997
#26 0x00005555557ccd36 in HandleEstablishedPacketToServer (tv=0x5556c3daab30, ssn=0x7ffc301b9180, p=0x7ffc526e8f00, stt=0x7ffc5271c660) at stream-tcp.c:2666
#27 0x00005555557ce697 in StreamTcpPacketStateEstablished (tv=0x5556c3daab30, p=0x7ffc526e8f00, stt=0x7ffc5271c660, ssn=0x7ffc301b9180) at stream-tcp.c:3209
#28 0x00005555557d6657 in StreamTcpStateDispatch (tv=0x5556c3daab30, p=0x7ffc526e8f00, stt=0x7ffc5271c660, ssn=0x7ffc301b9180, state=4 '\004') at stream-tcp.c:5236
#29 0x00005555557d6e3b in StreamTcpPacket (tv=0x5556c3daab30, p=0x7ffc526e8f00, stt=0x7ffc5271c660, pq=0x7ffc527047b0) at stream-tcp.c:5433
#30 0x00005555557d76ad in StreamTcp (tv=0x5556c3daab30, p=0x7ffc526e8f00, data=0x7ffc5271c660, pq=0x7ffc527047b0) at stream-tcp.c:5745
#31 0x00005555557807b5 in FlowWorkerStreamTCPUpdate (tv=0x5556c3daab30, fw=0x7ffc52704780, p=0x7ffc526e8f00, detect_thread=0x5556ef2c13d0, timeout=false) at flow-worker.c:391
#32 0x0000555555780f84 in FlowWorker (tv=0x5556c3daab30, p=0x7ffc526e8f00, data=0x7ffc52704780) at flow-worker.c:619
#33 0x0000555555692c68 in TmThreadsSlotVarRun (tv=0x5556c3daab30, p=0x7ffc526e8f00, slot=0x5556c3daacb0) at tm-threads.c:135
#34 0x00005555557ba389 in TmThreadsSlotProcessPkt (tv=0x5556c3daab30, s=0x5556c3daacb0, p=0x7ffc526e8f00) at tm-threads.h:200
#35 0x00005555557bbadb in AFPParsePacketV3 (ptv=0x7ffc54001970, pbd=0x7ff83c000000, ppd=0x7ff83c08c9b8) at source-af-packet.c:1013
#36 0x00005555557bbb70 in AFPWalkBlock (ptv=0x7ffc54001970, pbd=0x7ff83c000000) at source-af-packet.c:1032
#37 0x00005555557bbc26 in AFPReadFromRingV3 (ptv=0x7ffc54001970) at source-af-packet.c:1079
#38 0x00005555557bc80a in ReceiveAFPLoop (tv=0x5556c3daab30, data=0x7ffc54001970, slot=0x5556c3daac60) at source-af-packet.c:1431
#39 0x00005555556932db in TmThreadsSlotPktAcqLoop (td=0x5556c3daab30) at tm-threads.c:318
#40 0x00007ffff7b22fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#41 0x00007ffff6ed606f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb) p *ptr
No symbol "ptr" in current context.
(gdb) f 8
#8  0x00005555556cba31 in HTPRealloc (ptr=0x7ff6c3cc92c0, orig_size=12288, size=16384) at app-layer-htp-mem.c:176
176	    void *rptr = SCRealloc(ptr, size);
(gdb) p *ptr
Attempt to dereference a generic pointer.
(gdb) f 9
#9  0x000055555580624d in GrowRegionToSize (sb=0x7ff072a02780, cfg=0x555555ee4fc0 <htp_sbcfg>, region=0x7ff072a02780, size=14506) at util-streaming-buffer.c:722
722	    void *ptr = REALLOC(cfg, region->buf, region->buf_size, grow);
(gdb) print region->buf[0]
$1 = 60 '<'
(gdb) print region->buf
$2 = (uint8_t *) 0x7ff6c3cc92c0 "<html><pre>", '*' <repeats 189 times>...
(gdb)
</pre>
And the build info:
<pre>
This is Suricata version 7.0.5 RELEASE
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 8.3.0, C version 201112
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.48, linked against LibHTP v0.5.48

Suricata Configuration:
  AF_PACKET support:                       yes
  AF_XDP support:                          no
  DPDK support:                            no
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  PCRE jit:                                yes
  LUA support:                             no
  libluajit:                               no
  GeoIP2 support:                          no
  Non-bundled htp:                         no
  Hyperscan support:                       yes
  Libnet support:                          yes
  liblz4 support:                          yes
  Landlock support:                        no

  Rust support:                            yes
  Rust strict mode:                        no
  Rust compiler path:                      /home/snuser/.cargo/bin/rustc
  Rust compiler version:                   rustc 1.78.0 (9b00956e5 2024-04-29)
  Cargo path:                              /home/snuser/.cargo/bin/cargo
  Cargo version:                           cargo 1.78.0 (54d8815d0 2024-03-26)

  Python support:                          yes
  Python path:                             /usr/bin/python3
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Profiling rules enabled:                 no

  Plugin support (experimental):           yes
  DPDK Bond PMD:                           no

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Fuzz targets enabled:                    no

Generic build parameters:
  Installation prefix:                     /usr/local
  Configuration directory:                 /usr/local/etc/suricata/
  Log directory:                           /usr/local/var/log/suricata/

  --prefix                                 /usr/local
  --sysconfdir                             /usr/local/etc
  --localstatedir                          /usr/local/var
  --datarootdir                            /usr/local/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / g++ (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -O0 -ggdb -fno-omit-frame-pointer -fPIC -std=c11 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS                              -I/usr/include
  SECCFLAGS
</pre>
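A small triage helper for reports of this shape, added here as an example; it is neither Suricata's code nor the reporter's. It parses a pasted gdb session, collects the heap-check messages glibc printed before the abort, records the thread that received SIGABRT, and separates glibc frames from application frames so the first Suricata frame (the `SCReallocFunc` wrapper) and the first non-wrapper caller (`GrowRegionToSize`) can be reported together with the sizes glibc saw in `_int_realloc`. The constructed sample is a trimmed excerpt of the backtrace above; the set of "allocation wrapper" source files and the list of glibc source files are assumptions drawn from the frames in this report.

```python
"""Triage helper for a glibc heap-corruption abort captured in gdb.

Added example for this report, not Suricata's code and not the reporter's.
It parses a pasted gdb session and pulls out what a triager wants first:
the allocator messages glibc printed before the abort, the thread that got
SIGABRT, and the first frames that belong to the application rather than
to glibc, so a 42-frame backtrace can be summarised in a few lines.
"""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed excerpt of the gdb output in the report.
SAMPLE = r"""corrupted double-linked list
mremap_chunk(): invalid pointer
corrupted double-linked list
double free or corruption (!prev)
Thread 21 "W#20-eth6" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffc5bfff700 (LWP 96846)]
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff6dff535 in __GI_abort () at abort.c:79
#2  0x00007ffff6e56648 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff6f602a0 "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff6e5cd6a in malloc_printerr (str=str@entry=0x7ffff6f5e3a6 "corrupted double-linked list") at malloc.c:5359
#4  0x00007ffff6e5e6dc in _int_free (av=av@entry=0x7ffc54000020, p=<optimized out>, p@entry=0x7ff6c3cc92b0, have_lock=have_lock@entry=1) at malloc.c:4340
#5  0x00007ffff6e60f40 in _int_realloc (av=av@entry=0x7ffc54000020, oldp=oldp@entry=0x7ff6c3cc92b0, oldsize=oldsize@entry=12304, nb=nb@entry=16400) at malloc.c:4630
#6  0x00007ffff6e620fb in __GI___libc_realloc (oldmem=0x7ff6c3cc92c0, bytes=16384) at malloc.c:3233
#7  0x00005555556a83b2 in SCReallocFunc (ptr=0x7ff6c3cc92c0, size=16384) at util-mem.c:46
#8  0x00005555556cba31 in HTPRealloc (ptr=0x7ff6c3cc92c0, orig_size=12288, size=16384) at app-layer-htp-mem.c:176
#9  0x000055555580624d in GrowRegionToSize (sb=0x7ff072a02780, cfg=0x555555ee4fc0 <htp_sbcfg>, region=0x7ff072a02780, size=14506) at util-streaming-buffer.c:722
#10 0x0000555555806306 in GrowToSize (sb=0x7ff072a02780, cfg=0x555555ee4fc0 <htp_sbcfg>, size=14506) at util-streaming-buffer.c:746
(gdb)
"""

# One gdb frame: "#N  [0xADDR in ]func (args) at file:line"
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(\S+) \((.*)\) at (\S+):(\d+)$")
ARG_RE = re.compile(r"(\w+)=([^,]+)")  # crude name=value split; adequate for application frames
THREAD_RE = re.compile(r'^Thread \d+ ".*" received signal')
# Heap-check messages glibc's malloc prints; matched against whole lines so the quoted
# copy inside the malloc_printerr frame is not counted as a second message.
HEAP_MSG_RE = re.compile(
    r"^(?:\w+\(\): )?(?:corrupted double-linked list|smallbin double linked list corrupted"
    r"|double free or corruption(?: \(\S+\))?|invalid pointer)$")
# Source files that place a frame inside glibc rather than the application (assumption).
GLIBC_FILE_RE = re.compile(r"(?:^|/)(?:malloc|abort|raise|libc_fatal|pthread_create)\.c$|clone\.S$")
# Assumption: Suricata's thin allocation wrappers, named from the frames in this report.
WRAPPER_FILES = {"util-mem.c", "app-layer-htp-mem.c"}


@dataclass
class Frame:
    index: int
    func: str
    args: dict
    file: str
    line: int

    @property
    def is_glibc(self) -> bool:
        return self.func.startswith("__") or GLIBC_FILE_RE.search(self.file) is not None


@dataclass
class Triage:
    messages: list            # distinct glibc heap-check messages, in order of first appearance
    thread: str               # the "Thread N ... received signal" line, "" if absent
    frames: list              # every parsed frame, innermost first
    first_app_frame: Frame    # first frame outside glibc (here the allocation wrapper)
    first_logic_frame: Frame  # first application frame that is not a wrapper


def parse_frames(text: str) -> list:
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            idx, func, argstr, file, line = m.groups()
            args = {k: v.strip() for k, v in ARG_RE.findall(argstr)}
            frames.append(Frame(int(idx), func, args, file, int(line)))
    return frames


def triage(text: str, wrapper_files=WRAPPER_FILES) -> Triage:
    messages, thread = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if HEAP_MSG_RE.fullmatch(line) and line not in messages:
            messages.append(line)
        elif THREAD_RE.match(line):
            thread = line
    frames = parse_frames(text)
    app = [f for f in frames if not f.is_glibc]
    if not app:
        raise ValueError("no application frame in backtrace")
    logic = [f for f in app if f.file.rsplit("/", 1)[-1] not in wrapper_files] or app
    return Triage(messages, thread, frames, app[0], logic[0])


def allocator_view(t: Triage) -> dict:
    """Pair the application's realloc request with the chunk sizes glibc shows in
    _int_realloc (chunk sizes include the malloc header and alignment padding)."""
    out = {}
    size = t.first_app_frame.args.get("size", "")
    if size.isdigit():
        out["requested"] = int(size)
    for f in t.frames:
        if f.func == "_int_realloc":
            # gdb prints "oldsize=oldsize@entry=12304"; keep only the trailing value
            out["chunk_oldsize"] = int(f.args["oldsize"].split("=")[-1])
            out["chunk_newsize"] = int(f.args["nb"].split("=")[-1])
    return out


if __name__ == "__main__":
    t = triage(SAMPLE)
    print("heap messages:", t.messages)
    print("aborting thread:", t.thread)
    for label, f in (("first app frame", t.first_app_frame), ("first logic frame", t.first_logic_frame)):
        print("%s: #%d %s at %s:%d" % (label, f.index, f.func, f.file, f.line))
    print("allocator view:", allocator_view(t))
```

Run as a script it prints the summary for the embedded sample; to use it on another report, paste the gdb session into `SAMPLE` or call `triage()` on the text. The glibc/application split is what makes the summary useful: the innermost frames are always the allocator's own checks, and the interesting question for a report like this one is which application caller handed `realloc` a buffer whose heap metadata was already damaged.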