[Bro] bro segfaults on startup

David Vasil dmvasil at ornl.gov
Tue Jan 10 05:55:00 PST 2006 

Vern Paxson wrote:
> What happens if you run it by hand inside gdb?
> 
> (Also, FWIW, I were to make a wild guess, it would be that this relates
> to permissions for reading the packet filter.)
> 
> 		Vern

Which packet filter do you mean?

Scott Campbell mentioned it may be a problem with the resolver library, 
as others have had similar problems in the past.

Here is the output from strace, ltrace, gdb, ldd, and version 
information for suspect libraries:

[strace -f bin/bro -i eth0 mt http ftp scan]
open("/opt/bro/policy/scan.bro", O_RDONLY) = 9
ioctl(9, SNDCTL_TMR_TIMEBASE or TCGETS, 0x7fffffa9a0e0) = -1 ENOTTY 
(Inappropriate ioctl for device)
fstat(9, {st_mode=S_IFREG|0644, st_size=13655, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) 
= 0x2aaaaaab1000
read(9, "# $Id: scan.bro,v 1.11 2005/10/0"..., 8192) = 8192
open(".state/.bro-dns-cache", O_RDONLY) = -1 ENOENT (No such file or 
directory)
sendto(4, ":\343\1\0\0\1\0\0\0\0\0\0\5j5004\rinktomisearch"..., 41, 0, 
NULL, 0) = 41
select(5, [4], NULL, NULL, {20, 0})     = 1 (in [4], left {19, 972000})
recvfrom(4, ":\343\201\200\0\1\0\1\0\5\0\5\5j5004\rinktomisearch"..., 
1024, 0, {sa_family=AF_INET, sin_port=htons(53), 
sin_addr=inet_addr("160.91.198.66")}, [16]) = 233
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Process 14764 detached



[ltrace -f bin/bro -i eth0 mt http ftp scan]
strcmp("/opt/bro/policy/scan.bro", "/opt/bro/policy/scan.bro")  = 0
_Znwm(56, 0x8505a9, 0x709200, 0, 0x36b062f778)                  = 0x8f3dc0
malloc(80)                                                      = 0x8f3e00
strncpy(0x705a60, "\t", 127)                                    = 0x705a60
strncpy(0x705a60, "# who knows why we see these, bu"..., 127)   = 0x705a60
strncpy(0x705a60, "\n", 127)                                    = 0x705a60
strncpy(0x705a60, "\n", 127)                                    = 0x705a60
strncpy(0x705a60, "\t", 127)                                    = 0x705a60
strncpy(0x705a60, "j5004.inktomisearch.com", 127)               = 0x705a60
strlen(".state")                                                = 6
_Znam(70, 0x8ded1e, 0xfeff64736073722d, 25972, 0xfefefefefefefeff) = 
0x8f3e60
sprintf("\001\200\255\373\377\177", "")                         = 21
fopen(".state/.bro-dns-cache", "r")                             = 0
strlen("dns_mapping_valid")                                     = 17
strlen("dns_mapping_unverified")                                = 22
strlen("dns_mapping_new_name")                                  = 20
strlen("dns_mapping_lost_name")                                 = 21
strlen("dns_mapping_name_changed")                              = 24
strlen("dns_mapping_altered")                                   = 19
strcmp("GLOBAL", "GLOBAL")                                      = 0
_ZNSsC1EPKcRKSaIcE(0x7fffffe91690, 0x571e25, 0x7fffffe91600, 0, 
0x89d780) = 0x8f26c8
_ZNSsC1EPKcRKSaIcE(0x7fffffe91600, 0x8f26c8, 0x7fffffe915f0, 0, 
0xfefefefefefefeff) = 0x8f3ec8
strlen("::")                                                    = 2
_ZNKSs5rfindEPKcmm(0x7fffffe91600, 0x5724c1, -1, 2, 0x36b062f6f8) = -1
_ZNSsC1EPKcRKSaIcE(0x7fffffe91680, 0x567aeb, 0x7fffffe915f0, 1, -2) = 
0x8f3ef8
_ZN9__gnu_cxx18__exchange_and_addEPVii(0x8f3ec0, 0xffffffff, 6, 0, 
0x36b062f6f8) = 0
_ZNSs4_Rep10_M_destroyERKSaIcE(0x8f3eb0, 0x7fffffe915f0, 6, 0, 
0x36b062f6f8) = 0x36b062f640
_ZNKSs7compareEPKc(0x7fffffe91680, 0x567aeb, 0, 4, 0x36b062f6f8) = 0
strlen("dns_mapping")                                           = 11
_ZN9__gnu_cxx18__exchange_and_addEPVii(0x8f3ef0, 0xffffffff, 274, 0, 
0x73cbc0) = 0
_ZNSs4_Rep10_M_destroyERKSaIcE(0x8f3ee0, 0x7fffffe91640, 274, 0, 
0x73cbc0) = 0x36b062f640
_ZN9__gnu_cxx18__exchange_and_addEPVii(0x8f26c0, 0xffffffff, 0x8f3ea0, 
4, 0x73cbc0) = 0
_ZNSs4_Rep10_M_destroyERKSaIcE(0x8f26b0, 0x7fffffe91640, 0x8f3ea0, 4, 
0x73cbc0) = 0x36b062f640
strlen("j5004.inktomisearch.com")                               = 23
_Znwm(16, 0x8ded1e, 6, 0, 0)                                    = 0x8f3f10
_Znam(24, 41185, 0x36b062f620, -25, 0x36b062f6f8)               = 0x8f3f30
strcpy(0x8f3f30, "j5004.inktomisearch.com")                     = 0x8f3f30
malloc(1064)                                                    = 0x8f3f50
memset(0x8f3f50, '\000', 1064)                                  = 0x8f3f50
strncpy(0x8f3f58, "j5004.inktomisearch.com", 1026)              = 0x8f3f58
__res_mkquery(0, 0x8f3f30, 1, 1, 0)                             = 41
send(4, 0x7fffffe90fd0, 41, 0, 32)                              = 41
select(5, 0x7fffffe91660, 0, 0, 0x7fffffe91650)                 = 1
recvfrom(4, 0x7fffffe910d0, 1024, 0, 0x7fffffe914d0)            = 233
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++



[gdb bin/bro]
(gdb) run -i eth0 mt http ftp scan
Starting program: /opt/bro-1.0/bin/bro -i eth0 mt http ftp scan

Program received signal SIGSEGV, Segmentation fault.
0x0000000000561ef5 in __ns_initparse ()
(gdb) bt
#0  0x0000000000561ef5 in __ns_initparse ()
Cannot access memory at address 0xffd2a510



[rpm -qif /lib64/libresolv-2.3.4.so]
Name        : glibc                        Relocations: (not relocatable)
Version     : 2.3.4                             Vendor: Red Hat, Inc.
Release     : 2.13                          Build Date: Fri 19 Aug 2005 
08:34:11 PM EDT
Install Date: Thu 10 Nov 2005 05:53:07 PM EST      Build Host: 
crowe.devel.redhat.com
Group       : System Environment/Libraries   Source RPM: 
glibc-2.3.4-2.13.src.rpm
Size        : 11474270                         License: LGPL
Signature   : DSA/SHA1, Wed 21 Sep 2005 11:48:40 AM EDT, Key ID 
219180cddb42a60e
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Summary     : The GNU libc libraries.
Description :
The glibc package contains standard libraries which are used by
multiple programs on the system. In order to save disk space and
memory, as well as to make upgrading easier, common system code is
kept in one place and shared between programs. This particular package
contains the most important sets of shared libraries: the standard C
library and the standard math library. Without these two libraries, a
Linux system will not function.



[ldd bin/bro]
	libresolv.so.2 => /lib64/libresolv.so.2 (0x00000036b0f00000)
	libz.so.1 => /usr/lib64/libz.so.1 (0x00000036b0b00000)
	libssl.so.4 => /lib64/libssl.so.4 (0x00000036a9a00000)
	libcrypto.so.4 => /lib64/libcrypto.so.4 (0x00000036a9700000)
	libtermcap.so.2 => /lib64/libtermcap.so.2 (0x00000036b1900000)
	libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00000036b2800000)
	libm.so.6 => /lib64/tls/libm.so.6 (0x00000036b0900000)
	libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00000036b2600000)
	libc.so.6 => /lib64/tls/libc.so.6 (0x00000036b0400000)
	libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00000036b1b00000)
	libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00000036b1f00000)
	libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00000036b1500000)
	libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00000036b1d00000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00000036b0700000)
	/lib64/ld-linux-x86-64.so.2 (0x00000036b0200000)


Sorry for the long post, please let me know if I can provide any further 
information.  Thank you for your help.

-- 
| David Vasil <dmvasil at ornl.gov>
| Oak Ridge National Laboratory NCCS Division
| High Performance Computing Systems Administrator
| Bldg: 5600-A115  Phone: (865)241-5562

More information about the Bro mailing list