Nmap Development mailing list archives
Follow up to NSE issues and gh_list assert() failure (Was 4.85BETA2 posted...)
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 26 Feb 2009 01:28:39 +0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Previously I reported strange behavior with NSE as well as an assertion failure with gh_list in: http://seclists.org/nmap-dev/2009/q1/0311.html (NSE causing gh_list error) http://seclists.org/nmap-dev/2009/q1/0230.html (NSE eating memory) http://seclists.org/nmap-dev/2009/q1/0258.html (NSE eating CPU) http://seclists.org/nmap-dev/2009/q1/0505.html (NSE backtrace of hang) http://seclists.org/nmap-dev/2009/q1/0519.html (NSE deadlock) David has been most generous with his time and helped me try track down and troubleshoot these problem. It seems all of these problems are probably related to a memory corruption problem in NSE. With some work in Valgrind to cut down OpenSSL warnings[1], I've gotten NSE to die with: nmap: gh_list.c:348: gh_list_remove_elem: Assertion `list->count != 0 || (list->first == ((void *)0) && list->last == ((void *)0))' failed. This error is slightly different than the previous gh_list error I reported. I have included a backtrace[2] at the end of this email as to not clutter things more than they already are. I have produced two Valgrind outputs, the first using the Gentoo-provided Lua here: http://noh.ucsd.edu/~bmenrigh/val_log.txt And the second using the included Lua (for line numbers and symbol names): http://noh.ucsd.edu/~bmenrigh/val_log2.txt The first log appears to be the more interesting of the two. David has pointed out that the entries like this one indicate that NSE is reading and using memory that was already freed by the Lua garbage collector: ==12614== ==12614== Invalid read of size 8 ==12614== at 0x58427C3: lua_pushboolean (in /usr/lib64/liblua.so.5.1.3) ==12614== by 0x46B523: l_nsock_checkstatus(lua_State*, void*) (nse_nsock.cc:412) ==12614== by 0x46F02D: l_nsock_receive_handler(void*, void*, void*) (nse_nsock.cc:605) ==12614== by 0x47BBA9: msevent_dispatch_and_delete (nsock_event.c:297) ==12614== by 0x47A0BC: nsock_loop (nsock_core.c:913) ==12614== by 0x468FBB: process_mainloop(lua_State*) (nse_main.cc:465) ==12614== by 0x469DE7: script_scan(std::vector<Target*, std::allocator<Target*> >&) (nse_main.cc:368) ==12614== by 0x41DA73: nmap_main(int, char**) (nmap.cc:1822) ==12614== by 0x4197D6: main (main.cc:224) ==12614== Address 0xa5ab3c8 is 16 bytes inside a block of size 184 free'd ==12614== at 0x4C20A6A: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so) ==12614== by 0x5850634: (within /usr/lib64/liblua.so.5.1.3) ==12614== by 0x584973B: (within /usr/lib64/liblua.so.5.1.3) ==12614== by 0x5847ECB: (within /usr/lib64/liblua.so.5.1.3) ==12614== by 0x58480F2: (within /usr/lib64/liblua.so.5.1.3) ==12614== by 0x58484C2: (within /usr/lib64/liblua.so.5.1.3) ==12614== by 0x5842CA7: lua_gc (in /usr/lib64/liblua.so.5.1.3) ==12614== by 0x4691C5: process_mainloop(lua_State*) (nse_main.cc:500) ==12614== by 0x469DE7: script_scan(std::vector<Target*, std::allocator<Target*> >&) (nse_main.cc:368) ==12614== by 0x41DA73: nmap_main(int, char**) (nmap.cc:1822) ==12614== by 0x4197D6: main (main.cc:224) He and I also think that the errors like ==12614== Use of uninitialised value of size 8 Where OpenSSL was involved, eg: l_rand_pseudo_bytes(lua_State*) (nse_openssl.cc:201) are not a problem and stem from the way OpenSSL gathers entropy. What all of this probably boils down to is that NSE is holding onto and even making use of important values that are getting reaped by lua_gc(). The bug may be subtle or it may be blatant. I suppose it would be worthwhile to try to determine which commit(s) started the error(s) showing up. Because of the random nature of the problem (memory, CPU, deadlock, assertion) this could be very difficult to do with any certainty. Hopefully we'll be able figure this one out in a reasonable amount of time. Brandon [1] If you are going to run Nmap in Valgrind you'll want to exclude all the warnings OpenSSL generates by using this file: http://noh.ucsd.edu/~bmenrigh/nmap_val.supp [2] A backtrace of the gh_list assertion error: #0 0x00007fbebe4823c5 in raise () from /lib/libc.so.6 (gdb) bt #0 0x00007fbebe4823c5 in raise () from /lib/libc.so.6 #1 0x00007fbebe48373e in abort () from /lib/libc.so.6 #2 0x00007fbebe47bb1f in __assert_fail () from /lib/libc.so.6 #3 0x000000000047cf8c in gh_list_remove_elem (list=<value optimized out>, elem=<value optimized out>) at gh_list.c:348 #4 0x000000000047a0cd in nsock_loop (nsp=0xcec0e0, msec_timeout=50) at nsock_core.c:915 #5 0x0000000000468fbc in process_mainloop (L=0xc99da0) at nse_main.cc:465 #6 0x0000000000469de8 in script_scan (targets=@0x305c240) at nse_main.cc:368 #7 0x000000000041da74 in nmap_main (argc=17, argv=0x7fffc7f77658) at nmap.cc:1822 #8 0x00000000004197d7 in main (argc=17, argv=0x7fffc7f77658) at main.cc:224 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) iEYEARECAAYFAkml8E0ACgkQqaGPzAsl94J0qwCeKVJ5IFwLMKuhwnYX4jB7qjLz 8VMAn2ldvBF0eY65BJ751dltMspANfsD =m6sq -----END PGP SIGNATURE----- _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Re: 4.85BETA2 posted to Nmap download page - please test, (continued)
- Re: 4.85BETA2 posted to Nmap download page - please test Brandon Enright (Jan 30)
- Re: 4.85BETA2 posted to Nmap download page - please test Brandon Enright (Jan 30)
- Re: 4.85BETA2 posted to Nmap download page - please test Patrick Donnelly (Jan 30)
- Re: 4.85BETA2 posted to Nmap download page - please test Brandon Enright (Jan 30)
- Re: 4.85BETA2 posted to Nmap download page - please test Brandon Enright (Feb 01)
- Re: 4.85BETA2 posted to Nmap download page - please test Brandon Enright (Feb 02)
- Re: 4.85BETA2 posted to Nmap download page - please test Brandon Enright (Feb 02)
- Re: 4.85BETA2 posted to Nmap download page - please test Patrick Donnelly (Feb 03)
- Re: 4.85BETA2 posted to Nmap download page - please test David Fifield (Feb 23)
- Re: 4.85BETA2 posted to Nmap download page - please test Brandon Enright (Feb 23)
- Follow up to NSE issues and gh_list assert() failure (Was 4.85BETA2 posted...) Brandon Enright (Feb 25)
- Re: Follow up to NSE issues and gh_list assert() failure (Was 4.85BETA2 posted...) Patrick Donnelly (Feb 25)
- Re: Follow up to NSE issues and gh_list assert() failure (Was 4.85BETA2 posted...) Brandon Enright (Feb 25)
- Re: Follow up to NSE issues -- procedure to reproduce David Fifield (Feb 26)
- Re: Follow up to NSE issues -- procedure to reproduce Patrick Donnelly (Feb 26)
- Re: 4.85BETA2 posted to Nmap download page - please test Brandon Enright (Jan 30)
- Re: Follow up to NSE issues and gh_list assert() failure (Was 4.85BETA2 posted...) David Fifield (Mar 01)
- Re: 4.85BETA2 posted to Nmap download page - please test Brandon Enright (Jan 30)
- Re: 4.85BETA2 posted to Nmap download page - please test bmenrigh (Feb 23)
- Re: pop3-capabilities error jah (Feb 02)
- Re: pop3-capabilities error Brandon Enright (Feb 02)
- Message not available
- Message not available
- Re: pop3-capabilities error jah (Feb 02)
- Re: pop3-capabilities error Brandon Enright (Feb 02)