Project

General

Profile

Actions

Bug #942

closed

segfault in libc

Added by Christophe Vandeplas over 11 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

The last few days I've got many segfaults with Suricata 1.4.5.
It runs in afpacket mode. Unfortunately only 8 GB of RAM for 8 cores,
waiting for more.

I unfortunately have no pcaps to reproduce the crash. However the
crash happens daily now. I installed the -dbg packet and ran suri
again to get a good core dump.

dmesg says:
[Mon Sep 2 18:00:48 2013] Detect1[26101] general protection
ip:7f0302c1af47 sp:7f02bfffd200 error:0 in
libc-2.15.so[7f0302bea000+1b5000]
[Mon Sep 2 18:02:04 2013] init: suricata main process (21845) killed
by SEGV signal

When I load the core file:
Program terminated with signal 11, Segmentation fault.
#0 0x00007f0302c1af47 in ?? () from /lib/x86_64-linux-gnu/libc.so.6

(gdb) bt
#0 0x00007f0302c1af47 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007f0302c1917e in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00000000005ac84d in StreamTcpReassembleAppLayer (tv=0x23258570,
ra_ctx=0x7f02b8001540, ssn=0x7f027c72c9e0,
stream=0x7f027c72ca30, p=0x25057a0) at stream-tcp-reassemble.c:2979
#3 0x0000000000000000 in ?? ()

(gdb) frame 2
#2 0x00000000005ac84d in StreamTcpReassembleAppLayer (tv=0x23258570,
ra_ctx=0x7f02b8001540, ssn=0x7f027c72c9e0,
stream=0x7f027c72ca30, p=0x25057a0) at stream-tcp-reassemble.c:2979
2979 stream-tcp-reassemble.c: No such file or directory.

(gdb) info locals
flags = 4 '\004'
seg_tail = 0x7f02b22dd170
ra_base_seq = 2651792181
data = (upon request)
data_len = 64360
payload_offset = 0
payload_len = 284
next_seq = 2651726646
seg = 0x0
__PRETTY_FUNCTION__ = "StreamTcpReassembleAppLayer"

Quote Victor Julien:

This is really strange. The error you get is SEGV, but the bt says it
crashes on a line:
BUG_ON(data_len > sizeof(data));

BUG_ON is a wrapper around assert, which should exit/crash with a
different signal. Weird.

To get at this point there has to be some bug during reassembly. The
data_len variable is too big, that is clear.

There are a few more 'BUG_ON' statements in that same function. They are
enabled by debug mode. Running with debugging enabled is probably not
feasible, so maybe you can edit the code to remove the various:

if (SCLogDebugEnabled()) {

and their corresponding

}

and then recompile. If it crashes slightly sooner, it may give us the
clue we need.


Files

suricata-buildinfo.txt (2.06 KB) suricata-buildinfo.txt Christophe Vandeplas, 09/09/2013 02:48 AM
suri.yaml (6.47 KB) suri.yaml Christophe Vandeplas, 09/09/2013 02:51 AM
Actions

Also available in: Atom PDF