Nmap Development mailing list archives
Re: Follow up to NSE issues and gh_list assert() failure (Was 4.85BETA2 posted...)
From: David Fifield <david () bamsoftware com>
Date: Sun, 1 Mar 2009 13:53:54 -0700
On Thu, Feb 26, 2009 at 01:28:39AM +0000, Brandon Enright wrote:
> Previously I reported strange behavior with NSE as well as an assertion
> failure with gh_list in:
>
> http://seclists.org/nmap-dev/2009/q1/0311.html (NSE causing gh_list error)
> http://seclists.org/nmap-dev/2009/q1/0230.html (NSE eating memory)
> http://seclists.org/nmap-dev/2009/q1/0258.html (NSE eating CPU)
> http://seclists.org/nmap-dev/2009/q1/0505.html (NSE backtrace of hang)
> http://seclists.org/nmap-dev/2009/q1/0519.html (NSE deadlock)
>
> David has been most generous with his time and helped me try to track down
> and troubleshoot these problems. It seems all of these problems are
> probably related to a memory corruption problem in NSE.
>
> With some work in Valgrind to cut down OpenSSL warnings[1], I've gotten NSE
> to die with:
>
> nmap: gh_list.c:348: gh_list_remove_elem: Assertion `list->count != 0 || (list->first == ((void *)0) && list->last == ((void *)0))' failed.
I found a bug in NSE that may be related to this, or may not. The list of
scripts is divided into waiting and running queues. The waiting scripts are
those waiting for an Nsock callback. When there's an error that halts the
script scan, the waiting queue is not emptied before the next hostgroup. It
contains stale pointers to targets in the previous hostgroup, which lead to
invalid memory accesses.

I hacked l_nsock_loop to return an error after being called five times.
Valgrind catches the error in a trivial test:

    $ valgrind ./nmap --script=sleep --max-hostgroup 1 localhost localhost
    ...
    NSE: An error occured in the nsock loop
    NSE: Aborting script scan.
    Interesting ports on localhost (127.0.0.1):
    ...
    ==4577== Invalid read of size 4
    ==4577==    at 0x809E789: Target::timedOut(timeval const*) (Target.cc:413)
    ==4577==    by 0x80B2672: process_mainloop(lua_State*) (nse_main.cc:498)
    ==4577==    by 0x80B31FC: script_scan(std::vector<Target*, std::allocator<Target*> >&) (nse_main.cc:373)
    ==4577==    by 0x8061FDA: nmap_main(int, char**) (nmap.cc:1822)
    ==4577==    by 0x805D5B3: main (main.cc:224)
    ==4577==  Address 0x4996338 is 768 bytes inside a block of size 864 free'd

With --script=all and more hosts you don't need Valgrind to see the problem:

    NSE (2.999s): Finished robots.txt against ɷXJ@o :160 (thread 0x852d488).
    NSE (3.003s): Finished html-title against ɷXJ@o :160 (thread 0x852ae90).
    Segmentation fault

Here both those threads were started in the previous group.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
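A constructed model of the queue lifetime bug described in this message (added here as an example; it is not Nmap's code, and the WaitingQueue, ScriptThread and abort_script_scan names are hypothetical). Script threads wait in a queue holding pointers into the current hostgroup's targets; if the abort path does not drain that queue before the targets are freed, the next hostgroup's mainloop walks dangling entries. The fixed variant empties the queue on abort.

```c
/* Constructed model (not Nmap's code) of the NSE bug described above:
 * script threads wait in a queue that holds pointers into the current
 * hostgroup's Target objects. If the scan aborts without draining that
 * queue, the next hostgroup's loop sees entries pointing at freed targets. */
#include <stdlib.h>

#define MAX_WAITING 16

typedef struct { int hostgroup; } Target;          /* stand-in for Nmap's Target */

typedef struct {
    Target *target;   /* what the script is waiting on */
    int hostgroup;    /* recorded so staleness is detected without dereferencing */
} ScriptThread;

typedef struct { ScriptThread items[MAX_WAITING]; int count; } WaitingQueue;

static void waiting_push(WaitingQueue *q, Target *t) {
    if (q->count < MAX_WAITING) {
        q->items[q->count].target = t;
        q->items[q->count].hostgroup = t->hostgroup;
        q->count++;
    }
}

/* Abort path. drain_on_abort == 0 mirrors the reported bug; drain_on_abort == 1
 * applies the fix: empty the waiting queue before the hostgroup's targets go away. */
static void abort_script_scan(WaitingQueue *q, int drain_on_abort) {
    if (drain_on_abort)
        q->count = 0;
}

/* Simulate two hostgroups. Group 1 starts n_scripts scripts, then the nsock
 * loop errors out. Returns how many waiting entries still refer to group 1
 * when group 2 begins; with the bug each one is a dangling pointer that the
 * mainloop would dereference (the Valgrind "Invalid read" above). */
static int stale_entries_after_abort(int n_scripts, int drain_on_abort) {
    WaitingQueue q = { .count = 0 };
    Target *group1 = calloc(1, sizeof(Target));
    Target *group2 = calloc(1, sizeof(Target));
    int stale = 0;
    group1->hostgroup = 1;
    group2->hostgroup = 2;
    for (int i = 0; i < n_scripts; i++)
        waiting_push(&q, group1);
    abort_script_scan(&q, drain_on_abort);
    free(group1);                              /* hostgroup 1 is released */
    for (int i = 0; i < q.count; i++)          /* next hostgroup's mainloop */
        if (q.items[i].hostgroup != group2->hostgroup)
            stale++;
    free(group2);
    return stale;
}
```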