cisagov / icsnpp-bacnet

Zeek BACnet Parser - CISA ICSNPP
BSD 3-Clause "New" or "Revised" License

Segfault in zeek-6.0.1 - binpac::BACNET::get_string2 (data=...) at bacnet_pac.cc:4505 #35

Closed initconf closed 3 months ago

initconf commented 7 months ago

🐛 Summary

I enabled the ICSNPP::BACnet - BACnet Protocol analyzer (dynamic, version 1.4.0) on zeek-6.0.1, and since then I have started seeing workers crashing with a segfault.

To reproduce

I don't yet have a pcap, but I think I can collect a few to see if I can help reproduce this crash.

Here is the core dump:

Coredump pointer for future: ~zeek/post-terminate-worker-2024-01-12-16-10-00-71290-crash

(gdb) bt
#0  binpac::BACNET::get_string2 (data=...) at /usr/local/zeek-cpp/host/policies/icsnpp-bacnet/build/bacnet_pac.cc:4505
#1  binpac::BACNET::BACNET_Flow::process_atomic_read_file_ack (this=0x85c91cf60, is_orig=true, invoke_id=38 '&', tags=<optimized out>) at /usr/local/zeek-cpp/host/policies/icsnpp-bacnet/build/bacnet_pac.cc:4071
#2  0x00000008053120c2 in binpac::BACNET::Complex_ACK_PDU::Parse (this=<optimized out>, t_begin_of_data=t_begin_of_data@entry=0x84f1cb2c1 <error: Cannot access memory at address 0x84f1cb2c1>, t_end_of_data=t_end_of_data@entry=0x84f1cb370 <error: Cannot access memory at address 0x84f1cb370>,
    t_context=t_context@entry=0x86b656ad0, t_byteorder=t_byteorder@entry=0) at /usr/local/zeek-cpp/host/policies/icsnpp-bacnet/build/bacnet_pac.cc:2229
#3  0x00000008053106f0 in binpac::BACNET::APDU_Header::Parse (this=0x86bd00160, t_begin_of_data=t_begin_of_data@entry=0x84f1cb2c0 <error: Cannot access memory at address 0x84f1cb2c0>, t_end_of_data=t_end_of_data@entry=0x84f1cb370 <error: Cannot access memory at address 0x84f1cb370>, t_context=0x83,
    t_context@entry=0x86b656ad0, t_byteorder=t_byteorder@entry=0) at /usr/local/zeek-cpp/host/policies/icsnpp-bacnet/build/bacnet_pac.cc:1507
#4  0x000000080530fc32 in binpac::BACNET::NPDU_Header::Parse (this=0x869459300, t_begin_of_data=t_begin_of_data@entry=0x84f1cb2ba <error: Cannot access memory at address 0x84f1cb2ba>, t_end_of_data=t_end_of_data@entry=0x84f1cb370 <error: Cannot access memory at address 0x84f1cb370>,
    t_context=t_context@entry=0x86b656ad0, t_byteorder=t_byteorder@entry=0) at /usr/local/zeek-cpp/host/policies/icsnpp-bacnet/build/bacnet_pac.cc:1206
#5  0x000000080530dea6 in binpac::BACNET::BVLC_Header::Parse (this=0x86ca57b40, t_begin_of_data=t_begin_of_data@entry=0x84f1cb2b6 <error: Cannot access memory at address 0x84f1cb2b6>, t_end_of_data=t_end_of_data@entry=0x84f1cb370 <error: Cannot access memory at address 0x84f1cb370>, t_context=0x83,
    t_context@entry=0x86b656ad0, t_byteorder=t_byteorder@entry=0) at /usr/local/zeek-cpp/host/policies/icsnpp-bacnet/build/bacnet_pac.cc:975
#6  0x000000080530d6e0 in binpac::BACNET::BACNET_PDU::Parse (this=0x86cbda200, t_begin_of_data=0x84f1cb2b6 <error: Cannot access memory at address 0x84f1cb2b6>, t_end_of_data=0x84f1cb370 <error: Cannot access memory at address 0x84f1cb370>, t_context=0x86b656ad0)
    at /usr/local/zeek-cpp/host/policies/icsnpp-bacnet/build/bacnet_pac.cc:85
#7  binpac::BACNET::BACNET_Flow::NewData (this=0x85c91cf60, t_begin_of_data=0x84f1cb2b6 <error: Cannot access memory at address 0x84f1cb2b6>, t_end_of_data=0x84f1cb370 <error: Cannot access memory at address 0x84f1cb370>) at /usr/local/zeek-cpp/host/policies/icsnpp-bacnet/build/bacnet_pac.cc:2805
#8  0x000000080531b65e in analyzer::BACNET::BACNET_Analyzer::DeliverPacket (this=this@entry=0x86ff2ab60, len=186, data=0x84f1cb2b6 <error: Cannot access memory at address 0x84f1cb2b6>, orig=true, seq=<optimized out>, ip=<optimized out>, caplen=232)
    at /usr/local/zeek-cpp/host/policies/icsnpp-bacnet/src/BACNET.cc:32
#9  0x00000000007517a7 in zeek::analyzer::Analyzer::NextPacket (this=this@entry=0x86ff2ab60, len=<optimized out>, len@entry=186, data=<optimized out>, data@entry=0x84f1cb2b6 <error: Cannot access memory at address 0x84f1cb2b6>, is_orig=<optimized out>, seq=<optimized out>, seq@entry=18446744073709551615,
    ip=<optimized out>, ip@entry=0x869e97518, caplen=<optimized out>) at /usr/local/src/zeek-6.0.1-jw/src/analyzer/Analyzer.cc:227
#10 0x0000000000751ca6 in zeek::analyzer::Analyzer::ForwardPacket (this=<optimized out>, len=0, data=0x82 <error: Cannot access memory at address 0x82>, is_orig=<optimized out>, seq=0, ip=0x0, caplen=232) at /usr/local/src/zeek-6.0.1-jw/src/analyzer/Analyzer.cc:310
#11 0x00000000009a135d in zeek::packet_analysis::UDP::UDPAnalyzer::DeliverPacket (this=0x809cb3318, c=0x86b4c7600, t=<optimized out>, is_orig=<optimized out>, remaining=<optimized out>, pkt=0x80bd7a540) at /usr/local/src/zeek-6.0.1-jw/src/packet_analysis/protocol/udp/UDP.cc:229
#12 0x000000000099d827 in zeek::packet_analysis::IP::IPBasedAnalyzer::AnalyzePacket (this=0x809cb3318, len=194, data=<optimized out>, pkt=0x80bd7a540) at /usr/local/src/zeek-6.0.1-jw/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc:99
#13 0x000000000098a619 in zeek::packet_analysis::Analyzer::ForwardPacket (this=<optimized out>, len=194, data=0x84f1cb2ae <error: Cannot access memory at address 0x84f1cb2ae>, packet=0x80bd7a540, identifier=<optimized out>) at /usr/local/src/zeek-6.0.1-jw/src/packet_analysis/Analyzer.cc:120
#14 0x000000000099c8e3 in zeek::packet_analysis::IP::IPAnalyzer::AnalyzePacket (this=<optimized out>, len=194, data=0x84f1cb2ae <error: Cannot access memory at address 0x84f1cb2ae>, packet=0x80bd7a540) at /usr/local/src/zeek-6.0.1-jw/src/packet_analysis/protocol/ip/IP.cc:298
#15 0x000000000098a619 in zeek::packet_analysis::Analyzer::ForwardPacket (this=<optimized out>, len=214, data=0x84f1cb29a <error: Cannot access memory at address 0x84f1cb29a>, packet=0x80bd7a540, identifier=<optimized out>) at /usr/local/src/zeek-6.0.1-jw/src/packet_analysis/Analyzer.cc:120
#16 0x000000000098a619 in zeek::packet_analysis::Analyzer::ForwardPacket (this=<optimized out>, len=218, data=0x84f1cb296 <error: Cannot access memory at address 0x84f1cb296>, packet=0x80bd7a540, identifier=<optimized out>) at /usr/local/src/zeek-6.0.1-jw/src/packet_analysis/Analyzer.cc:120
#17 0x000000000098a619 in zeek::packet_analysis::Analyzer::ForwardPacket (this=<optimized out>, len=232, data=0x84f1cb288 <error: Cannot access memory at address 0x84f1cb288>, packet=0x80bd7a540, identifier=<optimized out>) at /usr/local/src/zeek-6.0.1-jw/src/packet_analysis/Analyzer.cc:120
#18 0x000000000098d76d in zeek::packet_analysis::Manager::ProcessPacket (this=0x803d078c0, packet=0x80bd7a540) at /usr/local/src/zeek-6.0.1-jw/src/packet_analysis/Manager.cc:131
#19 0x0000000000d15fcc in zeek::run_state::detail::dispatch_packet (pkt=pkt@entry=0x80bd7a540, pkt_src=<optimized out>, pkt_src@entry=0x80bd7a500) at /usr/local/src/zeek-6.0.1-jw/src/RunState.cc:290
#20 0x0000000000a74964 in zeek::iosource::PktSrc::Process (this=0x80bd7a500) at /usr/local/src/zeek-6.0.1-jw/src/iosource/PktSrc.cc:160
#21 0x0000000000d164c6 in zeek::run_state::detail::run_loop () at /usr/local/src/zeek-6.0.1-jw/src/RunState.cc:349
#22 0x000000000074fff8 in main (argc=<optimized out>, argv=<optimized out>) at /usr/local/src/zeek-6.0.1-jw/src/main.cc:102
(gdb) up
#1  binpac::BACNET::BACNET_Flow::process_atomic_read_file_ack (this=0x85c91cf60, is_orig=true, invoke_id=38 '&', tags=<optimized out>) at /usr/local/zeek-cpp/host/policies/icsnpp-bacnet/build/bacnet_pac.cc:4071
4071    in /usr/local/zeek-cpp/host/policies/icsnpp-bacnet/build/bacnet_pac.cc
(gdb) p *this
$1 = {<binpac::FlowAnalyzer> = {_vptr$FlowAnalyzer = 0x80531ea48 <vtable for binpac::BACNET::BACNET_Flow+16>}, dataunit_ = 0x86cbda200, context_ = 0x86b656ad0, connection_ = 0x80bf26be0, is_orig_ = true}
(gdb) p *this->dataunit_
$2 = {bacnet_ = 0x86ca57b40, is_orig_ = true, byteorder_ = 0}
(gdb) p *this->dataunit_->bacnet_
$3 = {bvlc_type_ = 129 '\201', bvlc_function_ = 10 '\n', length_ = 186, body_case_index_ = 10 '\n', bvlc_result_ = 0x0, write_broadcast_ = 0x0, read_broadcast_ = 0x0, read_broadcast_ack_ = 0x0, forwarded_npdu_ = 0x0, register_foreign_device_ = 0x0, read_foreign_device_table_ = 0x0,
  read_foreign_device_table_ack_ = 0x0, delete_foreign_device_table_entry_ = 0x0, distribute_broadcast_to_network_ = 0x0, original_unicast_npdu_ = 0x86bd4b9e0, broadcast_npdu_ = 0x0, secure_bvll_ = 0x0, unknown_ = {data_ = 0x0, length_ = 0}, is_orig_ = true, originator_ = false}

kkvarfordt commented 5 months ago

Unable to duplicate. If an example pcap showing the behavior could be provided, that would be great.

Test Environment Configuration:

$ git clone git@github.com:cisagov/icsnpp-bacnet.git
$ docker pull zeek/zeek:6.0.1

Inside the docker container within the icsnpp-bacnet directory:

$ apt install cmake build-essential libssl-dev libpcap-dev
$ ./configure
$ make
$ export ZEEK_PLUGIN_PATH=$PWD/build/
$ zeek -N   # Verify the BACnet plugin was found
$ cd tests
$ btest     # All tests pass
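The thread stalls on the missing pcap, so the following is an added example (not code from cisagov/icsnpp-bacnet and not written by either participant) of how to build a minimal BACnet/IP frame of the kind the backtrace was parsing and write it to a pcap that can be replayed with `zeek -r` against the plugin built as above. It walks the same layers the crash passed through: BVLC (type 0x81, function 0x0a Original-Unicast-NPDU), NPDU, a Complex-ACK APDU and an AtomicReadFile-ACK body. The BVLC function and the invoke ID (38) are taken from the gdb output in the report; the IP addresses, MAC addresses, file data, timestamp and output filename are constructed. The frame is well-formed; it is a harness for collecting and sharing test traffic, not a reproducer for the segfault.

```python
"""Build a well-formed BACnet/IP AtomicReadFile-ACK frame and write it to a pcap
for replay with `zeek -r`.  Added example for this issue thread, not project code.
Constructed values: addresses, file contents, timestamp, output filename."""
import socket
import struct

BACNET_UDP_PORT = 47808  # 0xBAC0, BACnet/IP default


def encode_app_tag(tag: int, length: int) -> bytes:
    """Application tag header: tag number in the high nibble, class bit clear,
    length in the low 3 bits; 5 means an explicit length octet (or 0xFE + 2 octets) follows."""
    if length <= 4:
        return bytes([(tag << 4) | length])
    if length < 254:
        return bytes([(tag << 4) | 5, length])
    if length < 65536:
        return bytes([(tag << 4) | 5, 254]) + struct.pack(">H", length)
    raise ValueError("lengths >= 65536 not handled in this example")


def atomic_read_file_ack(invoke_id: int, start: int, data: bytes, eof: bool) -> bytes:
    """Complex-ACK APDU (PDU type 3) carrying AtomicReadFile-ACK (service choice 6),
    streamAccess variant (context tag 0)."""
    if not 0 <= start <= 127:
        raise ValueError("example encodes fileStartPosition as a single signed octet")
    apdu = bytes([0x30, invoke_id & 0xFF, 0x06])   # type 3 in high nibble, no segmentation
    apdu += bytes([0x10 | (1 if eof else 0)])      # endOfFile: app tag 1 (BOOLEAN), value in LVT
    apdu += bytes([0x0E])                          # opening tag 0: streamAccess
    apdu += bytes([0x31, start])                   # fileStartPosition: app tag 3 (INTEGER), 1 octet
    apdu += encode_app_tag(6, len(data)) + data    # fileData: app tag 6 (OCTET STRING)
    apdu += bytes([0x0F])                          # closing tag 0
    return apdu


def bacnet_ip_frame(apdu: bytes) -> bytes:
    """BVLC Original-Unicast-NPDU (0x81 0x0a) + NPDU (version 1, control 0) + APDU.
    The BVLC length field covers the 4-byte BVLC header itself."""
    npdu = bytes([0x01, 0x00])                     # no DNET/SNET, reply not expected
    body = npdu + apdu
    return bytes([0x81, 0x0A]) + struct.pack(">H", 4 + len(body)) + body


def summarize(frame: bytes) -> dict:
    """Cross-check by walking BVLC -> NPDU -> APDU the way the backtrace does."""
    if len(frame) < 9 or frame[0] != 0x81:
        raise ValueError("not a BACnet/IP frame")
    bvlc_len = struct.unpack(">H", frame[2:4])[0]
    if bvlc_len != len(frame):
        raise ValueError("BVLC length does not match frame length")
    if frame[5] & 0xA8:                            # network message / DNET / SNET bits
        raise ValueError("routed or network-layer NPDU not handled in this example")
    apdu = frame[6:]
    return {"bvlc_function": frame[1], "bvlc_length": bvlc_len,
            "pdu_type": apdu[0] >> 4, "invoke_id": apdu[1], "service_choice": apdu[2]}


def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack(">%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def udp_packet(payload: bytes, src: str = "192.0.2.10", dst: str = "192.0.2.20") -> bytes:
    """Ethernet + IPv4 + UDP around the BACnet frame.  UDP checksum 0 = not present (valid for IPv4)."""
    udp = struct.pack(">HHHH", BACNET_UDP_PORT, BACNET_UDP_PORT, 8 + len(payload), 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack(">H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    return eth + ip + udp


def write_pcap(path: str, packets: list) -> None:
    """Classic libpcap format, link type 1 (Ethernet).  Timestamps are constructed."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, pkt in enumerate(packets):
            f.write(struct.pack("<IIII", 1705075800 + i, 0, len(pkt), len(pkt)))
            f.write(pkt)


if __name__ == "__main__":
    frame = bacnet_ip_frame(atomic_read_file_ack(38, 0, b"constructed file contents\n", True))
    print(summarize(frame))
    write_pcap("bacnet_atomic_read_file_ack.pcap", [udp_packet(frame)])
    # Replay with the plugin on the path from the thread:
    #   ZEEK_PLUGIN_PATH=$PWD/build zeek -r bacnet_atomic_read_file_ack.pcap
```

Real captures are still the thing to attach to the issue: `tcpdump -w bacnet.pcap udp port 47808` on the sensor will collect actual AtomicReadFile traffic, and a frame carved from a crashing worker's traffic is what lets the maintainers hit the same code path.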

kkvarfordt commented 3 months ago

Closing. Unable to duplicate.