Re: Segfault with Nmap 4.85BETA8

[Patrick Donnelly <batrick () batbytes com>]

On Fri, Apr 24, 2009 at 7:13 AM, Patrick Donnelly <batrick () batbytes com> wrote:
> Hello Lionel,
>
> On Fri, Apr 24, 2009 at 2:44 AM, Lionel Cons <lionel.cons () cern ch> wrote:
> > I'm sometimes getting a segfault while running Nmap 4.85BETA8. Here is
> > a backtrace:
> >
> > Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-04-23 16:39 CEST
> >
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x080d7dae in lua_pushnil ()
> > (gdb) bt
> > #0  0x080d7dae in lua_pushnil ()
> > #1  0x080b257e in ncap_restore_lua ()
> > #2  0x080da35b in lua_getinfo ()
> > #3  0x080e2b37 in lua_close ()
> > #4  0x080d9c58 in lua_getinfo ()
> > #5  0x080da850 in lua_resume ()
> > #6  0x080e85c6 in luaL_openlibs ()
> > #7  0x080e86a8 in luaL_openlibs ()
> > #8  0x080da35b in lua_getinfo ()
> > #9  0x080e2b37 in lua_close ()
> > #10 0x080da66f in lua_getinfo ()
> > #11 0x080d85cf in lua_call ()
> > #12 0x080d9c58 in lua_getinfo ()
> > #13 0x080da936 in lua_yield ()
> > #14 0x080d8624 in lua_pcall ()
> > #15 0x080af9fb in ScriptResult::set_output ()
> > #16 0x080da35b in lua_getinfo ()
> > #17 0x080da634 in lua_getinfo ()
> > #18 0x080d86c8 in lua_pcall ()
> > #19 0x080d9c58 in lua_getinfo ()
> > #20 0x080da936 in lua_yield ()
> > #21 0x080d870d in lua_cpcall ()
> > #22 0x080af411 in script_scan ()
> > #23 0x08061ec7 in nmap_main ()
> > #24 0x0805d518 in main ()
>
> This is a very bizarre backtrace with many functions that do not call
> each other (lua_getinfo -> ScriptResult::set_output()). I suspect the
> stack has been corrupted somehow.
>
> On a different note, the ncap_restore_lua procedure does obtain the
> lua_State * through the yield structure inside the nsock userdata. The
> SEGFAULT would occur if this nsock userdata or thread had been
> collected.
>
> > The bug seems to be triggered by an NSE script of mine (see attached).
> > The script may be buggy but IMHO it should not make Nmap segfault.
> > Also, this script worked fine in previous versions of Nmap, up to SVN
> > revision 12857 at least.
> >
> > Finally, the problem is tricky. I can reproduce it when scanning many
> > ports on some sets of hosts. Changing the ports or the hosts scanned
> > sometimes makes the problem disappear, maybe a timing or race
> > condition problem?
> >
> > Any help to improve the NSE script and/or make Nmap more robust would
> > be welcome.
>
> I'm not sure this is related to any changes made to NSE since the
> noted revision. I will investigate this and post my findings.

I have been able to reproduce this issue. I daresay this backtrace
makes a lot more sense:

(gdb) bt
#0  0x00000000004a3410 in lua_pushnil ()
#1  0x000000000046ea68 in ncap_restore_lua (nr=0x4ce9cf0) at nse_nsock.cc:1434
#2  0x00000000004a6a86 in luaD_precall ()
#3  0x00000000004b03c1 in luaV_execute ()
#4  0x00000000004a6677 in luaD_rawrunprotected ()
#5  0x00000000004a6868 in lua_resume ()
#6  0x00000000004b5756 in auxresume ()
#7  0x00000000004b59c1 in luaB_coresume ()
#8  0x00000000004a6a86 in luaD_precall ()
#9  0x00000000004b03c1 in luaV_execute ()
#10 0x00000000004a6ff5 in luaD_call ()
#11 0x00000000004a6677 in luaD_rawrunprotected ()
#12 0x00000000004a66f5 in luaD_pcall ()
#13 0x00000000004a3d82 in lua_pcall ()
#14 0x000000000046d069 in run_main (L=0x47137c0) at nse_main.cc:453
#15 0x00000000004a6a86 in luaD_precall ()
#16 0x00000000004a6f99 in luaD_call ()
#17 0x00000000004a6677 in luaD_rawrunprotected ()
#18 0x00000000004a66f5 in luaD_pcall ()
#19 0x00000000004a3d25 in lua_cpcall ()
#20 0x000000000046cef5 in script_scan (targets=@0x7fffe4a15f30)
    at nse_main.cc:495
#21 0x00000000004204d6 in nmap_main (argc=16, argv=0x7fffe4a191c8)
    at nmap.cc:1810
#22 0x000000000041bc65 in main (argc=16, argv=0x7fffe4a191c8) at main.cc:215

Upon further inspection I learned that the nsock_yield struct was
never set so ncap_restore_lua was using a NULL pointer for the
lua_State *. I have corrected this in r13074.

Thanks again for the report,

-- 
-Patrick Donnelly

"One of the lessons of history is that nothing is often a good thing
to do and always a clever thing to say."

-Will Durant

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org