Nmap Development mailing list archives

Re: Sergey. [Status report 12/17]


From: Sergey Khegay <g.sergeykhegay () gmail com>
Date: Tue, 19 Jul 2016 20:25:31 -0400

On Tue, Jul 19, 2016 at 2:25 PM, Patrick Donnelly <batrick () batbytes com>
wrote:

On Tue, Jul 19, 2016 at 12:41 PM, Sergey Khegay
<g.sergeykhegay () gmail com> wrote:
- As for the bug with libssh2 integration: as I said before, the bug is
  a consequence of my attempt to resolve a memory leak/consumption issue,
  where libssh2 sessions were not properly freed. Somehow Lua's garbage
  collector did not call the session's gc function (actually it was called,
  but not for all sessions).

That would lead to a leak, not a segfault right?


Right, my attempt to fix it led to segfault.


- On Windows, a segmentation fault happens when some cclosure is freed:

  msvcr120d.dll!5b24d179()  Unknown
  [Frames below may be incorrect and/or missing, no symbols loaded for msvcr120d.dll]
  [External Code]
  nmap.exe!l_alloc(void * ud, void * ptr, unsigned int osize, unsigned int nsize) Line 1003 C
  nmap.exe!luaM_realloc_(lua_State * L, void * block, unsigned int osize, unsigned int nsize) Line 86 C
  nmap.exe!freeLclosure(lua_State * L, LClosure * cl) Line 692  C
  nmap.exe!freeobj(lua_State * L, GCObject * o) Line 700  C
  nmap.exe!sweeplist(lua_State * L, GCObject * * p, unsigned int count) Line 743  C
  nmap.exe!sweepstep(lua_State * L, global_State * g, int nextstate, GCObject * * nextlist) Line 1030 C
  nmap.exe!singlestep(lua_State * L) Line 1068  C
  nmap.exe!luaC_runtilstate(lua_State * L, int statesmask) Line 1104  C
  nmap.exe!luaC_fullgc(lua_State * L, int isemergency) Line 1166  C
  nmap.exe!lua_gc(lua_State * L, int what, int data) Line 1055  C
  nmap.exe!luaB_collectgarbage(lua_State * L) Line 182  C
  nmap.exe!luaD_precall(lua_State * L, lua_TValue * func, int nresults) Line 365  C
  nmap.exe!luaV_execute(lua_State * L) Line 1134  C
  nmap.exe!luaD_call(lua_State * L, lua_TValue * func, int nResults) Line 496 C
  nmap.exe!luaD_callnoyield(lua_State * L, lua_TValue * func, int nResults) Line 506  C
  nmap.exe!lua_callk(lua_State * L, int nargs, int nresults, int ctx, int (lua_State *, int, int) * k) Line 924 C
  nmap.exe!run_main(lua_State * L) Line 651 C++
  nmap.exe!luaD_precall(lua_State * L, lua_TValue * func, int nresults) Line 365  C
  nmap.exe!luaD_call(lua_State * L, lua_TValue * func, int nResults) Line 495 C
  nmap.exe!luaD_callnoyield(lua_State * L, lua_TValue * func, int nResults) Line 506  C
  nmap.exe!f_call(lua_State * L, void * ud) Line 942  C
  nmap.exe!luaD_rawrunprotected(lua_State * L, void (lua_State *, void *) * f, void * ud) Line 144  C
  nmap.exe!luaD_pcall(lua_State * L, void (lua_State *, void *) * func, void * u, int old_top, int ef) Line 727 C
  nmap.exe!lua_pcallk(lua_State * L, int nargs, int nresults, int errfunc, int ctx, int (lua_State *, int, int) * k) Line 968 C
  nmap.exe!script_scan(std::vector<Target *,std::allocator<Target *> > & targets, stype scantype) Line 809  C++
  nmap.exe!nmap_main(int argc, char * * argv) Line 2155 C++
  nmap.exe!main(int argc, char * * argv) Line 228 C++
  [External Code]


  Using the closure's address I traced it down to a closure with 6
  upvalues. I do not know how to find a function declaration using its
  memory address, but in the whole NSE engine's project there are only
  two closures that use 6 upvalues:

This happened in a Lua function (not C) closure. The closure structure
(not upvalue) was being freed in this segfault.


Yes, now I have read the stack trace more carefully. Thank you for pointing this out!


I suggest rebuilding Lua with assertions enabled:

https://www.lua.org/source/5.3/llimits.h.html

Define lua_assert and luai_apicheck (in the Makefile, also make sure
to use --with-liblua=included).

This should help check if we did something wrong in the libssh2 library
wrapper.


Thank you, I'll try this.
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/