Nmap Development mailing list archives

Re: Follow up to NSE issues and gh_list assert() failure (Was 4.85BETA2 posted...)


From: David Fifield <david () bamsoftware com>
Date: Sun, 1 Mar 2009 13:53:54 -0700

On Thu, Feb 26, 2009 at 01:28:39AM +0000, Brandon Enright wrote:
> Previously I reported strange behavior with NSE as well as an assertion
> failure with gh_list in:
> 
> http://seclists.org/nmap-dev/2009/q1/0311.html (NSE causing gh_list error)
> http://seclists.org/nmap-dev/2009/q1/0230.html (NSE eating memory)
> http://seclists.org/nmap-dev/2009/q1/0258.html (NSE eating CPU)
> http://seclists.org/nmap-dev/2009/q1/0505.html (NSE backtrace of hang)
> http://seclists.org/nmap-dev/2009/q1/0519.html (NSE deadlock)
> 
> David has been most generous with his time and helped me try to track down
> and troubleshoot these problems.  It seems all of these problems are
> probably related to a memory corruption problem in NSE.
> 
> With some work in Valgrind to cut down OpenSSL warnings[1], I've gotten
> NSE to die with:
> 
> nmap: gh_list.c:348: gh_list_remove_elem: Assertion `list->count != 0 || (list->first == ((void *)0) && list->last == ((void *)0))' failed.

I found a bug in NSE that may be related to this, or may not. The list
of scripts is divided into waiting and running queues. The waiting
scripts are those waiting for an Nsock callback. When there's an error
that halts the script scan, the waiting queue is not emptied before the
next hostgroup. It contains stale pointers to targets in the previous
hostgroup, which lead to invalid memory accesses.

I hacked l_nsock_loop to return an error after being called five times.
Valgrind catches the error in a trivial test:

$ valgrind ./nmap --script=sleep --max-hostgroup 1 localhost localhost
...
NSE: An error occured in the nsock loop
NSE: Aborting script scan.
Interesting ports on localhost (127.0.0.1):
...

==4577== Invalid read of size 4
==4577==    at 0x809E789: Target::timedOut(timeval const*) (Target.cc:413)
==4577==    by 0x80B2672: process_mainloop(lua_State*) (nse_main.cc:498)
==4577==    by 0x80B31FC: script_scan(std::vector<Target*, std::allocator<Target*> >&) (nse_main.cc:373)
==4577==    by 0x8061FDA: nmap_main(int, char**) (nmap.cc:1822)
==4577==    by 0x805D5B3: main (main.cc:224)
==4577==  Address 0x4996338 is 768 bytes inside a block of size 864 free'd

With --script=all and more hosts you don't need Valgrind to see the
problem:

NSE (2.999s): Finished robots.txt against ɷXJ@o :160 (thread 0x852d488).
NSE (3.003s): Finished html-title against ɷXJ@o :160 (thread 0x852ae90).
Segmentation fault

Here both those threads were started in the previous group.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
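A small model of the scheduler bug David describes, added here as an illustration and not code from Nmap: script threads blocked on an nsock callback sit in a waiting list that points at Target objects, and the error path that aborts the script scan must drain that list before the next hostgroup, or the next hostgroup inherits pointers to the previous group's (freed) targets. All names and structures are hypothetical stand-ins for the NSE internals mentioned in the mail.

```c
/* Hypothetical model of the NSE scheduler described in the mail: script
 * threads sit in a "waiting" list (blocked on an nsock callback) or a
 * "running" list, each holding a pointer to its Target. */
#define MAX_THREADS 8

struct target { int hostgroup; };                 /* stands in for Nmap's Target */
struct thread { struct target *t; };
struct list   { struct thread *items[MAX_THREADS]; int count; };

static struct list waiting, running;

static void list_clear(struct list *l) { l->count = 0; }

/* Start a script thread against t; it immediately blocks on I/O, so it
 * goes onto the waiting list. */
static void start_thread(struct thread *th, struct target *t) {
    th->t = t;
    waiting.items[waiting.count++] = th;
}

/* Error path as the mail describes it: the scan is aborted but the
 * waiting list keeps its entries (the bug). */
static void abort_scan_buggy(void) { list_clear(&running); }

/* Corrected error path: both lists are emptied, so no thread from this
 * hostgroup survives into the next one. */
static void abort_scan_fixed(void) { list_clear(&running); list_clear(&waiting); }

/* Count waiting threads whose target belongs to an earlier hostgroup.
 * In Nmap those Target objects were already freed (Valgrind's "inside a
 * block ... free'd"); here the targets live in a static array so the
 * check itself is safe to run. */
static int stale_waiting(int current_group) {
    int n = 0;
    for (int i = 0; i < waiting.count; i++)
        if (waiting.items[i]->t->hostgroup != current_group) n++;
    return n;
}

/* Drive two hostgroups through the scheduler, aborting the first with the
 * given abort function, and return how many stale entries the second
 * hostgroup's main loop would walk over. */
static int simulate(void (*abort_scan)(void)) {
    static struct target targets[2] = { {0}, {1} };
    static struct thread threads[2];
    list_clear(&waiting); list_clear(&running);
    start_thread(&threads[0], &targets[0]);  /* hostgroup 0 */
    abort_scan();                            /* nsock loop error */
    start_thread(&threads[1], &targets[1]);  /* hostgroup 1 begins */
    return stale_waiting(1);
}
```

With the buggy abort path the second hostgroup still sees one waiting thread whose target came from hostgroup 0, which is exactly the stale pointer Valgrind flagged in Target::timedOut; with the fixed path it sees none.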