[Oisf-users] Crash for illegal instruction

vpiserchia at gmail.com vpiserchia at gmail.com
Tue May 2 11:54:16 UTC 2017


Hello,

I have seen this problem already using a virtualized build host.
I suggest you check the availability of the instruction set used on the VM (Host A) and the one on the target machine (Host B).

For example on Host A:

gcc -march=native -Q --help=target | grep enabled

On host B:

grep flags  /proc/cpuinfo

In this way you should be able to figure out where the mismatch is.

regards
vito

On 05/02/2017 10:14 AM, tidy at holonetsecurity.com wrote:
> Yes, I have disabled the option and you can find that from my build-info, the binary libhtp has no diff in both hosts.
> 
>>> GCC march native enabled:                no
> 
> 
>>> compiled with LibHTP v0.5.23, linked against LibHTP v0.5.23
> 
> 	double running the whole steps again and get the same coredump.
> 
> -Tidy
> 
> 
>> On May 2, 2017, at 3:53 PM, Jozef Mlich <jozef.mlich at greycortex.com> wrote:
>>
>> On Tue, 2017-05-02 at 15:38 +0800, tidy at holonetsecurity.com wrote:
>>
>> Use "./configure --disable-gccmarch-native" if you are building on
>> another host.
>>
>> I can see that you are using --enable-non-bundled-htp. Make sure that
>> you are using the same version of libhtp.
>>
>>> Oddly, I’ve built in Physical host A and then running in another host
>>> B, it crashed when runs in host B, Anybody know what's 
>>>
>>> [Thread debugging using libthread_db enabled]
>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>> Core was generated by `./suricata -c /etc/suricata/suricata.yaml -i
>>> eth0'.
>>> Program terminated with signal 4, Illegal instruction.
>>> #0  0x00000000004500d6 in HTPRegisterPatternsForProtocolDetection ()
>>> at app-layer-htp.c:2741
>>> 2741	app-layer-htp.c: No such file or directory.
>>>
>>>
>>>
>>>
>>>
>>> [root@ ~]# ./suricata --build-info
>>> This is Suricata version 3.2dev
>>> Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET
>>> HAVE_PACKET_FANOUT LIBCAP_NG HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT
>>> HAVE_NSS HAVE_LUA HAVE_LIBJANSSON TLS MAGIC 
>>> SIMD support: none
>>> Atomic intrisics: 1 2 4 8 byte(s)
>>> 64-bits, Little-endian architecture
>>> GCC version 4.8.5 20150623 (Red Hat 4.8.5-11), C version 199901
>>> compiled with _FORTIFY_SOURCE=0
>>> L1 cache line size (CLS)=64
>>> thread local storage method: __thread
>>> compiled with LibHTP v0.5.23, linked against LibHTP v0.5.23
>>>
>>> Suricata Configuration:
>>>   AF_PACKET support:                       yes
>>>   PF_RING support:                         no
>>>   NFQueue support:                         no
>>>   NFLOG support:                           no
>>>   IPFW support:                            no
>>>   Netmap support:                          no
>>>   DAG enabled:                             no
>>>   Napatech enabled:                        no
>>>
>>>   Unix socket enabled:                     yes
>>>   Detection enabled:                       yes
>>>
>>>   Libmagic support:                        yes
>>>   libnss support:                          yes
>>>   libnspr support:                         yes
>>>   libjansson support:                      yes
>>>   hiredis support:                         yes
>>>   Prelude support:                         no
>>>   PCRE jit:                                yes
>>>   LUA support:                             yes
>>>   libluajit:                               no
>>>   libgeoip:                                no
>>>   Non-bundled htp:                         yes
>>>   Old barnyard2 support:                   no
>>>   CUDA enabled:                            no
>>>   Hyperscan support:                       yes
>>>   Libnet support:                          no
>>>
>>>   Suricatasc install:                      yes
>>>
>>>   Profiling enabled:                       no
>>>   Profiling locks enabled:                 no
>>>
>>> Development settings:
>>>   Coccinelle / spatch:                     no
>>>   Unit tests enabled:                      no
>>>   Debug output enabled:                    no
>>>   Debug validation enabled:                no
>>>
>>> Generic build parameters:
>>>   Installation prefix:                     /usr/local/
>>>   Configuration directory:                 /usr/local/etc/suricata/
>>>   Log directory:                          
>>> /usr/local/var/log/suricata/
>>>
>>>   --prefix                                 /usr/local/
>>>   --sysconfdir                             /usr/local/etc
>>>   --localstatedir                          /usr/local/var
>>>
>>>   Host:                                    x86_64-unknown-linux-gnu
>>>   Compiler:                                gcc (exec name) / gcc
>>> (real)
>>>   GCC Protect enabled:                     no
>>>   GCC march native enabled:                no
>>>   GCC Profile enabled:                     no
>>>   Position Independent Executable enabled: no
>>>   CFLAGS                                   -g -O2
>>>   PCAP_CFLAGS                               -I/usr/local/deps/include
>>>   SECCFLAGS                                
>>>
>>>
>>> Thanks,
>>> -Tidy
>>>
>>>> On Apr 22, 2017, at 6:27 AM, Tom DeCanio <decanio.tom at gmail.com>
>>>> wrote:
>>>>
>>>> I've seen illegal instruction crashes in the pcre library on some
>>>> VMs.  This sounds similar to your description.
>>>>
>>>
>>>
>> -- 
>> Jozef Mlich <jozef.mlich at greycortex.com>
> 


-- 
 Vito Piserchia
 Security and Software Engineer

 🖂: vito (dot) piserchia (at) dreamlab (dot) net
 🔒: 4915 8835 2C18 9CAE F14F 2314 613D 51C5 106B 83EA
 🕾: +41 31 398 66 66
 🖷: +41 31 398 66 69
 -----------------------------------------

 DreamLab Technologies AG
 Monbijoustrasse 36
 3011 Bern, Switzerland

---------------------------------------------------------------------
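The flag comparison suggested in the message above, as an added example that is not part of the original thread: it takes the text of /proc/cpuinfo from the build host and from the target host and lists the CPU features the build host has that the target lacks. The function names and both cpuinfo samples are constructed for illustration.

```shell
#!/bin/sh
# Added example: find CPU feature flags present on a build host (Host A)
# but absent on a target host (Host B). Any flag listed is an instruction-set
# extension that code tuned for Host A could use and Host B cannot execute.

# Constructed sample inputs; on real hosts capture them with
#   cat /proc/cpuinfo
BUILD_CPUINFO='processor	: 0
model name	: constructed build CPU
flags		: fpu sse sse2 ssse3 sse4_1 sse4_2 avx avx2 bmi2'

TARGET_CPUINFO='processor	: 0
model name	: constructed target CPU
flags		: fpu sse sse2 ssse3 sse4_1 sse4_2'

# Print the flags from the first "flags" line, one per line, sorted, unique.
cpu_flags() {
    printf '%s\n' "$1" \
        | awk -F: '/^flags[[:space:]]*:/ { print $2; exit }' \
        | tr -s ' \t' '\n' | grep -v '^$' | LC_ALL=C sort -u
}

# Print every flag of the build host ($1) that the target host ($2) lacks.
missing_on_target() {
    build=$(cpu_flags "$1")
    target=$(cpu_flags "$2")
    for f in $build; do
        # -x: whole-line match, -F: fixed string, so sse4_1 never matches sse4_12
        printf '%s\n' "$target" | grep -qxF -- "$f" || printf '%s\n' "$f"
    done
}

# Stand-alone report for the constructed samples.
missing=$(missing_on_target "$BUILD_CPUINFO" "$TARGET_CPUINFO")
if [ -n "$missing" ]; then
    echo "Flags on build host missing on target:"
    echo "$missing"
else
    echo "Target supports every build-host flag."
fi
```

An empty result only shows that the target CPU advertises everything the build CPU does; libraries built elsewhere and linked in still need the same check against their own build host.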


