Snort mailing list archives

Re: PCRE recursion limit override related segv...


From: Will Metcalf <william.metcalf () gmail com>
Date: Fri, 31 Aug 2012 15:11:09 -0500

Seems that you are correct and it is related to stack size. ulimit -s
unlimited allows this to run to completion. After reading the
pcrestack manpage it seems there is no really great way of avoiding
this other than avoiding the use of /O, which is probably completely
fine :).

Regards,

Will

On Fri, Aug 31, 2012 at 2:35 PM, Steven Sturges
<steve.sturges () sourcefire com> wrote:
This is likely a stack size issue because of the recursion within
libpcre -- reference 473 stack frames.  If you get more memory and/or
change the stack via ulimit, that crash point will change relative to
the increase/decrease of the stack.

Cheers
-steve


On 8/31/12 3:26 PM, Joel Esler wrote:

Thanks Will.  Yes, we need the pcap.  I'll send you a link offline where
you can upload it.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Aug 31, 2012, at 3:19 PM, Will Metcalf <william.metcalf () gmail com>
wrote:

Seems overriding recursion limits via /O can cause a segv under some
circumstances. While you would never actually want a rule like this, it
makes the bug easy to trigger :). Here I just processed a pcap of an
HTTP session containing a download of the PDF spec from Adobe and
loaded this rule.  PCAP is 10mb or so... Let me know if you need it.

http://partners.adobe.com/public/developer/en/pdf/PDFReference.pdf

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Smell that? You smell that? What? Recursion son Nothing in the World Smells like that"; flow:established,from_server; pcre:"/obj((?!I Love the Smell of Recursion in the Morning).)+endobj/Os"; classtype:attempted-user; sid:88; rev:1;)

[ Number of patterns truncated to 20 bytes: 0 ]
pcap DAQ configured to read-file.
Acquiring network traffic from "/storage/pdfspecdownload.pcap".
Reload thread starting...
Reload thread started, thread 0x7fd08bb11700 (15342)
WARNING: active responses disabled since DAQ can't inject packets.

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.3.1 IPv6 GRE (Build 40)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.3.4

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.16  <Build 18>
           Preprocessor Object: SF_REPUTATION (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNS (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_SIP (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.2  <Build 13>
           Preprocessor Object: SF_DCERPC2 (IPV6)  Version 1.0  <Build 3>
           Preprocessor Object: SF_POP (IPV6)  Version 1.0  <Build 1>
           Preprocessor Object: SF_MODBUS (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_SMTP (IPV6)  Version 1.1  <Build 9>
           Preprocessor Object: SF_SSLPP (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_DNP3 (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSH (IPV6)  Version 1.1  <Build 3>
           Preprocessor Object: SF_SDF (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_IMAP (IPV6)  Version 1.0  <Build 1>
           Preprocessor Object: SF_GTP (IPV6)  Version 1.1  <Build 1>
Commencing packet processing (pid=15342)
Segmentation fault (core dumped)

stdout:

#0  match (eptr=0x2a0aa1f "Columns\n07\n/Colors 3>>\nID
x\234c,\232}\260o\335y\006\242\201\271\206\004", ecode=0x28d0e75 "Y",
    mstart=0x2a08e7b "stream\nq 0.1 0 0 0.1 0 0 cm\n/R7 gs\n/R9 CS\n0
SCN\n/R9 cs\n0 scn\nq\n10 0 0 10 0 0 cm BT\n/R10 8.46 Tf\n0.998057 0 0
1 305.76 757.56 Tm\n( )Tj\n/R10 7.55724 Tf\n0.998126 0 0 1 65.6398
44.8801 Tm\n[(2)-0.801873( )"..., markptr=0x0, offset_top=4,
md=0x7fff4fe1b9a0, ims=4, eptrb=0x0, flags=0, rdepth=14139) at
pcre_exec.c:473
473     pcre_exec.c: No such file or directory.
(gdb) but full
Undefined command: "but".  Try "help".
(gdb) bt full
#0  match (eptr=0x2a0aa1f "Columns\n07\n/Colors 3>>\nID
x\234c,\232}\260o\335y\006\242\201\271\206\004", ecode=0x28d0e75 "Y",
    mstart=0x2a08e7b "stream\nq 0.1 0 0 0.1 0 0 cm\n/R7 gs\n/R9 CS\n0
SCN\n/R9 cs\n0 scn\nq\n10 0 0 10 0 0 cm BT\n/R10 8.46 Tf\n0.998057 0 0
1 305.76 757.56 Tm\n( )Tj\n/R10 7.55724 Tf\n0.998126 0 0 1 65.6398
44.8801 Tm\n[(2)-0.801873( )"..., markptr=0x0, offset_top=4,
md=0x7fff4fe1b9a0, ims=4, eptrb=0x0, flags=0, rdepth=14139) at
pcre_exec.c:473
        rrc = <optimized out>
        i = <optimized out>
        c = <optimized out>
        utf8 = <optimized out>
        minimize = <optimized out>
        possessive = <optimized out>
        condcode = <optimized out>
        charptr = <optimized out>
        callpat = <optimized out>
        data = <optimized out>
        next = <optimized out>
        pp = <optimized out>
        prev = <optimized out>
        saved_eptr = <optimized out>
        new_recursive = <error reading variable new_recursive (Cannot
access memory at address 0x7fff4f61ffb0)>
        cur_is_word = <optimized out>
        condition = <optimized out>
        prev_is_word = <optimized out>
        original_ims = <optimized out>
        prop_type = <optimized out>
        prop_value = <optimized out>
        prop_fail_result = <optimized out>
        prop_category = <optimized out>
        prop_chartype = <optimized out>
        oclength = <optimized out>
        occhars = <error reading variable occhars (Cannot access
memory at address 0x7fff4f61fff0)>
        codelink = <optimized out>
        ctype = <optimized out>
        length = <optimized out>
        max = <optimized out>
        min = <optimized out>
        number = <optimized out>
        offset = <optimized out>
        op = <optimized out>
        save_capture_last = <optimized out>
        save_offset1 = <optimized out>
        save_offset2 = <optimized out>
        save_offset3 = <optimized out>
        stacksave = <error reading variable stacksave (Cannot access
memory at address 0x7fff4f61fef0)>
        newptrb = <error reading variable newptrb (Cannot access
memory at address 0x7fff4f61ffe0)>


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
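The mechanism the thread is describing, as an added illustration (a Python model written for this page; it is neither libpcre nor Snort code): in libpcre 8.x every iteration of a repeated group such as ((?!...).)+ is a fresh recursive call of match(), so recursion depth grows by roughly one per byte of response body between "obj" and "endobj". Snort's `config pcre_match_limit_recursion` (1500 in the stock snort.conf) is passed to pcre_exec() as match_limit_recursion and makes it return PCRE_ERROR_RECURSIONLIMIT long before the C stack is gone; the `O` modifier on a pcre option tells Snort to drop that guard for the rule. The stack-budget helper uses the pcrestack(3) rule of thumb of about 500 bytes per recursion, an estimate and not a measured frame size; by that estimate the rdepth=14139 in the backtrace above is around 7 MB, just inside the 8 MB default `ulimit -s` on Linux, which fits Steve's diagnosis. The head/stop/tail strings and the subject bytes are constructed for the example.

```python
"""Model of libpcre 8.x's recursive match() on the rule form
obj((?!STOP).)+endobj discussed in the thread.  Added illustration only:
this is neither libpcre nor Snort code, and the 500-byte frame size is the
pcrestack(3) rule of thumb, not a measured value."""
import resource
import sys

# pcre.h: pcre_exec() return code when pcre_extra.match_limit_recursion is hit.
PCRE_ERROR_RECURSIONLIMIT = -21

# pcrestack(3): "reckon on about 500 bytes per recursion" (estimate, build-dependent).
BYTES_PER_FRAME = 500


class _RecursionLimit(Exception):
    """Raised where libpcre would return PCRE_ERROR_RECURSIONLIMIT."""


def _iteration(subject, pos, stop, tail, depth, state):
    """One iteration of the repeated group ((?!stop).)+ followed by tail.

    Each iteration of a non-simple repeated group is a fresh recursive call
    of match() in libpcre, so depth grows by one per subject byte consumed.
    Greedy: consume first, try the literal tail only when backtracking.
    """
    state["max_depth"] = max(state["max_depth"], depth)
    if state["limit"] is not None and depth > state["limit"]:
        raise _RecursionLimit
    if pos < len(subject) and not subject.startswith(stop, pos):
        end = _iteration(subject, pos + 1, stop, tail, depth + 1, state)
        if end is not None:
            return end
    if subject.startswith(tail, pos):
        return pos + len(tail)
    return None


def model_exec(subject, head=b"obj",
               stop=b"I Love the Smell of Recursion in the Morning",
               tail=b"endobj", match_limit_recursion=None):
    """Emulate pcre_exec() for /head((?!stop).)+tail/s over subject.

    Returns (rc, max_depth): rc is the end offset of the match, -1 for no
    match, or PCRE_ERROR_RECURSIONLIMIT when the guard fired.
    match_limit_recursion=None models a rule carrying the /O modifier.
    """
    state = {"max_depth": 0, "limit": match_limit_recursion}
    # Let the model recurse as deep as libpcre would have to.
    sys.setrecursionlimit(max(sys.getrecursionlimit(), len(subject) + 1000))
    try:
        for start in range(len(subject)):  # pcre_exec() start-position loop
            if not subject.startswith(head, start):
                continue
            pos = start + len(head)
            # '+' must consume at least one byte before the tail is tried.
            if pos < len(subject) and not subject.startswith(stop, pos):
                end = _iteration(subject, pos + 1, stop, tail, 1, state)
                if end is not None:
                    return end, state["max_depth"]
        return -1, state["max_depth"]
    except _RecursionLimit:
        return PCRE_ERROR_RECURSIONLIMIT, state["max_depth"]


def stack_frames_available(stack_bytes=None):
    """Rough number of match() recursions the stack can hold.

    Defaults to this process's soft RLIMIT_STACK (what `ulimit -s` shows);
    returns None for `ulimit -s unlimited`.  Use it to pick a
    pcre_match_limit_recursion that is safely below the real stack budget.
    """
    if stack_bytes is None:
        soft, _hard = resource.getrlimit(resource.RLIMIT_STACK)
        if soft == resource.RLIM_INFINITY:
            return None
        stack_bytes = soft
    return stack_bytes // BYTES_PER_FRAME


if __name__ == "__main__":
    # Constructed stand-in for a chunk of the PDF body: 2000 bytes between
    # "obj" and "endobj", none of which trip the negative lookahead.
    body = b"obj" + b"A" * 2000 + b"endobj"
    print("with /O (no guard):", model_exec(body))
    print("stock snort.conf guard (1500):",
          model_exec(body, match_limit_recursion=1500))
    print("frames an 8 MB stack affords:",
          stack_frames_available(8 * 1024 * 1024))
    print("stack at the crash (rdepth=14139) ~ %.1f MB"
          % (14139 * BYTES_PER_FRAME / 1e6))
```

Running the block prints the guarded and unguarded results side by side: with the guard the model gives up at depth 1501 with PCRE_ERROR_RECURSIONLIMIT, without it the depth is the size of the body plus the trailing literal. For a real rule, pcretest's `\M` data-line escape reports the minimum match_limit and match_limit_recursion a pattern needs against a sample payload; comparing that number with the frame budget is the check to run before deciding a rule needs `/O` at all, and the answer for a construct like ((?!...).)+ over an HTTP body is usually that it should be rewritten rather than unguarded.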



