From owner-freebsd-alpha Mon Oct 14 22:14:39 2002 Delivered-To: freebsd-alpha@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3E53D37B401 for ; Mon, 14 Oct 2002 22:14:32 -0700 (PDT) Received: from csmail.cscoms.com (mail.cscoms.net [202.183.255.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7053E43EB1 for ; Mon, 14 Oct 2002 22:14:30 -0700 (PDT) (envelope-from alain@cscoms.net) Received: from cscoms.net (alain [202.183.160.250]) by csmail.cscoms.com (8.12.3/8.12.3) with ESMTP id g9F5EEZQ005285; Tue, 15 Oct 2002 12:14:15 +0700 (ICT) Received: (from alain@localhost) by cscoms.net (8.11.4/8.9.3) id g9F5EBw08416; Tue, 15 Oct 2002 12:14:11 +0700 Date: Tue, 15 Oct 2002 12:14:11 +0700 From: Alain Fauconnet To: snort-users@lists.sourceforge.net Cc: Prachid Tiyapanjanit , Kunos.Peter@PSZAF.hu, erek@theadamsfamily.net, freebsd-alpha@freebsd.org Subject: Re: [Snort-users] Segfault on Alpha 1.9.0 Message-ID: <20021015121411.J5886@cscoms.net> References: <20021015102920.F5886@cscoms.net> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="z6Eq5LdranGa6ru8" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20021015102920.F5886@cscoms.net>; from alain@cscoms.net on Tue, Oct 15, 2002 at 10:29:21AM +0700 X-Virus-Scanned: by amavisd-milter (http://amavis.org/) Sender: owner-freebsd-alpha@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --z6Eq5LdranGa6ru8 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Following up to my own message about: - SIGSEGV in Snort 1.9.0 on FreeBSD-alpha - lots of "unaligned access" messages [...] > It looks like the argument passed to PreprocUrlDecode is wrong. It should > be a valid (Packet *), which 0x1 can't be. > > (gdb) p p > $3 = (Packet *) 0x1 > Well, it looks like gdb has problem displaying the correct value passed as the 'p' argument in many routines. This value showing as 0x1 is probably an artefact. Yes, FreeBSD 4.2 is old, this box needs an upgrade. It looks like this case was simpler than I thought: Program received signal SIGSEGV, Segmentation fault. 0x120054888 in PreprocUrlDecode (p=0x1) at spp_http_decode.c:443 443 while(index < end && !lookup_whitespace[(u_int)(*index)]) (u_int)(*index) generates a value that is way beyond the allowed 0..255 range for index in lookup_whitespace, so in some cases it raises a SIGSEGV. It could be because all this is Unicode stuff. I've changed all (u_int) casts use to generate an index into lookup_whitespace and lookup_hexvalue to (u_char) in spp_http_decode.c and that fixed the SIGSEGVs for me (patch attached). > I also have gadzillions of unaligned access warnings, all inside > functions CheckSrcIP and CheckDstIP. I suspect a misaligned structure. > > pid 31358 (snort): unaligned access: va=0x120196032 pc=0x12002a210 ra=0x1200293e8 op=ldl > pid 31358 (snort): unaligned access: va=0x120196036 pc=0x12002a428 ra=0x12002a280 op=ldl Here, I've tried "uac -s" to debug the thing so that Snort gets a SIGBUS when unaligned access occurs. Here's what I've got: Program received signal SIGBUS, Bus error. BuildPacket (s=0x12005b6f4, stream_size=301968392, p=0x120179970, direction=301968672) at spp_stream4.c:3360 3360 stream_pkt->iph->ip_dst.s_addr = p->iph->ip_src.s_addr; Can't look at the value of 'p', GDB obviously finds it wrong because the value is different at one stack frame level upper: (gdb) bt #0 BuildPacket (s=0x12005b6f4, stream_size=301968392, p=0x120179970, direction=301968672) at spp_stream4.c:3360 #1 0x12005a5c4 in FlushStream (s=0x12005a5c4, p=0x11ffabd8, direction=538417520) at spp_stream4.c:3241 Let's see the instruction raising the exception: (gdb) x/i $pc 0x12005ab5c : ldq t0,-28576(gp) Registers: (gdb) i r v0 0x12018e01e 4833468446 t0 0x12018e026 4833468454 t1 0x11ffad20 301968672 t2 0x120163260 4833292896 t3 0x10450008ba07c420 1172343315480691744 t4 0xffff000000000000 -281474976710656 t5 0xffffffff 4294967295 t6 0x601053c2b000 105623241011200 t7 0x1045000800000000 1172343312359620608 s0 0x22 34 s1 0x3c 60 s2 0x120163230 4833292848 s3 0x120160000 4833280000 s4 0x120169fce 4833320910 s5 0x3 3 fp 0x11ffab88 301968264 a0 0x12018e01e 4833468446 a1 0x120163252 4833292882 a2 0x6 6 a3 0x120163258 4833292888 a4 0x12018e024 4833468452 a5 0xffffffffba1a8364 -1172667548 t8 0x160242678 5907949176 ---Type to continue, or q to quit--- t9 0x1600893a8 5906142120 t10 0x55dc6 351686 t11 0x41c00 269312 ra 0x12005ab00 4832209664 t12 0x1602260c0 5907833024 at 0x160242678 5907949176 gp 0x12008b638 4832409144 sp 0x11ffab88 301968264 zero 0x0 0 pc 0x12005ab5c 4832209756 vfp 0x11ffabd8 301968344 I'm not fluent enough in Alpha machine code to debug this. I assume that 'ldq' is load quadword, so the problem must be on the right side of the assigment, when reading p->iph->ip_src.s_addr The 'Packet' structure is obviously aligned up to 'iph' since there are only pointers there. So it must be 'iph'? But it exactly maps the IP header format, so there's little that can be changed here! The source IP address in there is 32-bit aligned too. Comments anyone? (I'll Cc: this to freebsd-alpha) For now, "uac -p" in the Snort startup shell script will at least avoid the annoying messages. Greets, _Alain_ --z6Eq5LdranGa6ru8 Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="spp_http_decode.c.patch" *** spp_http_decode.c Tue Oct 15 10:59:32 2002 --- spp_http_decode.c.org Tue Oct 15 10:56:52 2002 *************** *** 440,450 **** psize = (u_int16_t) (p->dsize); /* first skip past the HTTP method */ ! while(index < end && !lookup_whitespace[(u_char)(*index)]) index++; /* skip over whitespace seperator */ ! while(index < end && lookup_whitespace[(u_char)(*index)]) index++; /* evilness check */ --- 440,450 ---- psize = (u_int16_t) (p->dsize); /* first skip past the HTTP method */ ! while(index < end && !lookup_whitespace[(u_int)(*index)]) index++; /* skip over whitespace seperator */ ! while(index < end && lookup_whitespace[(u_int)(*index)]) index++; /* evilness check */ *************** *** 506,512 **** need the original packet data to stay around do { ! if(*index == '%' || lookup_whitespace[(u_char)(*index)]) break; if(*index == '?' && end_on_url_param) break; --- 506,512 ---- need the original packet data to stay around do { ! if(*index == '%' || lookup_whitespace[(u_int)(*index)]) break; if(*index == '?' && end_on_url_param) break; *************** *** 558,565 **** "Double hex encoding received\n");); } ! hex1=lookup_hexvalue[(u_char)(*(index+1))]; ! hex2=lookup_hexvalue[(u_char)(*(index+2))]; if(hex1 != -1 && hex2 != -1) { --- 558,565 ---- "Double hex encoding received\n");); } ! hex1=lookup_hexvalue[(u_int)(*(index+1))]; ! hex2=lookup_hexvalue[(u_int)(*(index+2))]; if(hex1 != -1 && hex2 != -1) { *************** *** 608,614 **** } } ! else if(lookup_whitespace[(u_char)(*index)]) { /* we've reached the delimiting whitespace */ /* UriBufs[0].http_version = (u_int8_t *) index; */ --- 608,614 ---- } } ! else if(lookup_whitespace[(u_int)(*index)]) { /* we've reached the delimiting whitespace */ /* UriBufs[0].http_version = (u_int8_t *) index; */ *************** *** 625,631 **** while(index < end && ((cur - (char *) UriBufs[0].uri) < URI_LENGTH)) { ! if(lookup_whitespace[(u_char)(*index)]) { /* we've reached the delimiting whitespace */ /* Time to get HTTP version? */ --- 625,631 ---- while(index < end && ((cur - (char *) UriBufs[0].uri) < URI_LENGTH)) { ! if(lookup_whitespace[(u_int)(*index)]) { /* we've reached the delimiting whitespace */ /* Time to get HTTP version? */ --z6Eq5LdranGa6ru8-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-alpha" in the body of the message