Update LPeg to v1.0.0. Closes #432 #478

Closed
wants to merge 2 commits into from

Conversation

sergeykhegay

This update closes #432.

I used Devin's amalgamation script to create the lpeg.c file from the LPeg v1.0.0 distribution files
https://svn.nmap.org/nmap-private-dev/misc-scripts/amalgamate.py
https://www.inf.puc-rio.br/~roberto/lpeg/lpeg-1.0.0.tar.gz

Tested banner.nse and ntp-info.nse scripts, which indirectly use lpeg library through lpeg-utility library.

An indication that LPeg v1.0.0 is fully backward compatible with v0.12 is that the re.lua module, which is distributed with the LPeg source code, did not have any changes since v0.12. Nmap includes re.lua as one of the libraries.

@dmiller-nmap

Stack overflow. Valgrind output:

==6585== Process terminating with default action of signal 11 (SIGSEGV)
==6585==  Access not within mapped region at address 0xFFE801FF8
==6585==    at 0x4B6AC3: hascaptures(TTree*) (lpeg.c:1074)
==6585==  If you believe this happened as a result of a stack
==6585==  overflow in your program's main thread (unlikely but
==6585==  possible), you can try to increase the size of the
==6585==  main thread stack using the --main-stacksize= flag.
==6585==  The main thread stack size used in this run was 8388608.
==6585== Stack overflow in thread 1: can't grow stack to 0xffe801ff0

gdb backtrace (truncated):

#0  0x00000000004b6ac3 in hascaptures (tree=tree@entry=0xd7e79c) at lpeg.c:1074
#1  0x00000000004b6ac8 in hascaptures (tree=0xd7e794, tree@entry=0xd7e7a4) at lpeg.c:1074
#2  0x00000000004b6ac8 in hascaptures (tree=tree@entry=0xd7e79c) at lpeg.c:1074
#3  0x00000000004b6ac8 in hascaptures (tree=0xd7e794, tree@entry=0xd7e7a4) at lpeg.c:1074

The overflow does not happen every time, but it does happen frequently with this command:

./nmap -d --datadir . --script=unittest --script-args='unittest.run'

@batrick

batrick commented Jul 27, 2016

@sergeykhegay, please just make this one commit which modifies (not deletes) lpeg.c.

@bonsaiviking, are we sure this problem doesn't also exist in lpeg v0.12?

@sergeykhegay
Author

@batrick, this issue does not exist in v0.12.

@sergeykhegay
Author

@batrick, I am afraid I did not understand the part with one commit...
What I did was:

  1. rename lpeg.c -> lpeg_old.c
  2. add new amalgamated lpeg.c
  3. delete lpeg_old.c

So technically it looks like I modified lpeg.c. No? Sorry, I am puzzled...

@batrick

batrick commented Jul 27, 2016

@sergeykhegay I'm referring to e1a666c and 4142031. Please make them one commit. (This PR should only be one commit but right now there are 8: https://github.com/nmap/nmap/pull/478/commits.)

@batrick

batrick commented Jul 27, 2016

> @batrick, this issue does not exist in v0.12.

If possible, we should try to collapse the problematic pattern into a simple test case which we can verify using only lua standalone with lpeg.

sergeykhegay force-pushed the gsoc-lpeg branch 2 times, most recently from 1ac8b7a to 5c91f0c on July 27, 2016 19:07
@batrick

batrick commented Aug 9, 2016

@sergeykhegay this commit looks much better. Have you tried figuring out which pattern is causing the error? You could modify lpeg.c's match function [1] to print a stack backtrace to figure out where the valgrind error is happening. Use [2] to print the stack. (The output will be verbose probably but at the end you should find the culprit!)

[1] https://github.com/nmap/nmap/pull/478/files#diff-0c64b58f70b0b7935ac1d99fa8f3c673L3211
[2] https://www.lua.org/manual/5.3/manual.html#luaL_traceback

@sergeykhegay
Author

@batrick, I tried to use luaL_traceback, but for some reason, it does not print anything. Anyway, I managed to catch the error with Visual Studio. As I suspected the problem arises when json module is loaded. Here is the traceback if it helps:

<lots of hascaptures(...) calls>
nmap.exe!hascaptures(TTree * tree) Line 1074    C++
nmap.exe!hascaptures(TTree * tree) Line 1074    C++
nmap.exe!codecapture(CompileState * compst, TTree * tree, int tt, const Charset * fl) Line 1650 C++
nmap.exe!codegen(CompileState * compst, TTree * tree, int opt, int tt, const Charset * fl) Line 1835    C++
nmap.exe!coderuntime(CompileState * compst, TTree * tree, int tt) Line 1664 C++
nmap.exe!codegen(CompileState * compst, TTree * tree, int opt, int tt, const Charset * fl) Line 1836    C++
nmap.exe!codechoice(CompileState * compst, TTree * p1, TTree * p2, int opt, const Charset * fl) Line 1608   C++
nmap.exe!codegen(CompileState * compst, TTree * tree, int opt, int tt, const Charset * fl) Line 1830    C++
nmap.exe!codechoice(CompileState * compst, TTree * p1, TTree * p2, int opt, const Charset * fl) Line 1612   C++
nmap.exe!codegen(CompileState * compst, TTree * tree, int opt, int tt, const Charset * fl) Line 1830    C++
nmap.exe!codechoice(CompileState * compst, TTree * p1, TTree * p2, int opt, const Charset * fl) Line 1612   C++
nmap.exe!codegen(CompileState * compst, TTree * tree, int opt, int tt, const Charset * fl) Line 1830    C++
nmap.exe!codechoice(CompileState * compst, TTree * p1, TTree * p2, int opt, const Charset * fl) Line 1612   C++
nmap.exe!codegen(CompileState * compst, TTree * tree, int opt, int tt, const Charset * fl) Line 1830    C++
nmap.exe!codechoice(CompileState * compst, TTree * p1, TTree * p2, int opt, const Charset * fl) Line 1612   C++
nmap.exe!codegen(CompileState * compst, TTree * tree, int opt, int tt, const Charset * fl) Line 1830    C++
nmap.exe!codechoice(CompileState * compst, TTree * p1, TTree * p2, int opt, const Charset * fl) Line 1612   C++
nmap.exe!codegen(CompileState * compst, TTree * tree, int opt, int tt, const Charset * fl) Line 1830    C++
nmap.exe!codechoice(CompileState * compst, TTree * p1, TTree * p2, int opt, const Charset * fl) Line 1612   C++
nmap.exe!codegen(CompileState * compst, TTree * tree, int opt, int tt, const Charset * fl) Line 1830    C++
nmap.exe!codechoice(CompileState * compst, TTree * p1, TTree * p2, int opt, const Charset * fl) Line 1612   C++
nmap.exe!codegen(CompileState * compst, TTree * tree, int opt, int tt, const Charset * fl) Line 1830    C++
nmap.exe!codegrammar(CompileState * compst, TTree * grammar) Line 1780  C++
nmap.exe!codegen(CompileState * compst, TTree * tree, int opt, int tt, const Charset * fl) Line 1837    C++
nmap.exe!compile(lua_State * L, Pattern * p) Line 1907  C++
nmap.exe!prepcompile(lua_State * L, Pattern * p, int idx) Line 3251 C++
nmap.exe!lp_match(lua_State * L) Line 3306  C++
nmap.exe!luaD_precall(lua_State * L, lua_TValue * func, int nresults) Line 365  C
nmap.exe!luaD_call(lua_State * L, lua_TValue * func, int nResults) Line 495 C
nmap.exe!luaD_callnoyield(lua_State * L, lua_TValue * func, int nResults) Line 506  C
nmap.exe!f_call(lua_State * L, void * ud) Line 942  C
nmap.exe!luaD_rawrunprotected(lua_State * L, void (lua_State *, void *) * f, void * ud) Line 144    C
nmap.exe!luaD_pcall(lua_State * L, void (lua_State *, void *) * func, void * u, int old_top, int ef) Line 727   C
nmap.exe!lua_pcallk(lua_State * L, int nargs, int nresults, int errfunc, int ctx, int (lua_State *, int, int) * k) Line 968 C
nmap.exe!luaB_pcall(lua_State * L) Line 424 C
nmap.exe!luaD_precall(lua_State * L, lua_TValue * func, int nresults) Line 365  C
nmap.exe!luaV_execute(lua_State * L) Line 1134  C
nmap.exe!luaD_call(lua_State * L, lua_TValue * func, int nResults) Line 496 C
nmap.exe!luaD_callnoyield(lua_State * L, lua_TValue * func, int nResults) Line 506  C
nmap.exe!lua_callk(lua_State * L, int nargs, int nresults, int ctx, int (lua_State *, int, int) * k) Line 924   C
nmap.exe!ll_require(lua_State * L) Line 570 C
nmap.exe!luaD_precall(lua_State * L, lua_TValue * func, int nresults) Line 365  C
nmap.exe!luaD_call(lua_State * L, lua_TValue * func, int nResults) Line 495 C
nmap.exe!lua_pcallk(lua_State * L, int nargs, int nresults, int errfunc, int ctx, int (lua_State *, int, int) * k) Line 980 C
nmap.exe!luaB_pcall(lua_State * L) Line 424 C
nmap.exe!luaD_precall(lua_State * L, lua_TValue * func, int nresults) Line 365  C
nmap.exe!luaV_execute(lua_State * L) Line 1134  C
nmap.exe!unroll(lua_State * L, void * ud) Line 555  C
nmap.exe!resume(lua_State * L, void * ud) Line 648  C
nmap.exe!luaD_rawrunprotected(lua_State * L, void (lua_State *, void *) * f, void * ud) Line 144    C
nmap.exe!lua_resume(lua_State * L, lua_State * from, int nargs) Line 662    C
nmap.exe!auxresume(lua_State * L, lua_State * co, int narg) Line 39 C
nmap.exe!luaB_coresume(lua_State * L) Line 60   C
nmap.exe!luaD_precall(lua_State * L, lua_TValue * func, int nresults) Line 365  C
nmap.exe!luaV_execute(lua_State * L) Line 1134  C
nmap.exe!luaD_call(lua_State * L, lua_TValue * func, int nResults) Line 496 C
nmap.exe!luaD_callnoyield(lua_State * L, lua_TValue * func, int nResults) Line 506  C
nmap.exe!lua_callk(lua_State * L, int nargs, int nresults, int ctx, int (lua_State *, int, int) * k) Line 924   C
nmap.exe!run_main(lua_State * L) Line 652   C++
nmap.exe!luaD_precall(lua_State * L, lua_TValue * func, int nresults) Line 365  C
nmap.exe!luaD_call(lua_State * L, lua_TValue * func, int nResults) Line 495 C
nmap.exe!luaD_callnoyield(lua_State * L, lua_TValue * func, int nResults) Line 506  C
nmap.exe!f_call(lua_State * L, void * ud) Line 942  C
nmap.exe!luaD_rawrunprotected(lua_State * L, void (lua_State *, void *) * f, void * ud) Line 144    C
nmap.exe!luaD_pcall(lua_State * L, void (lua_State *, void *) * func, void * u, int old_top, int ef) Line 727   C
nmap.exe!lua_pcallk(lua_State * L, int nargs, int nresults, int errfunc, int ctx, int (lua_State *, int, int) * k) Line 968 C
nmap.exe!script_scan(std::vector<Target *,std::allocator<Target *> > & targets, stype scantype) Line 810    C++
nmap.exe!nmap_main(int argc, char * * argv) Line 1969   C++
nmap.exe!main(int argc, char * * argv) Line 228 C++

As I understand the way to fix this is to find a bug in the grammar for json which is implemented in json.lua?

@batrick

batrick commented Aug 10, 2016

There is no bug in json. The bug is likely in lpeg.

For luaL_traceback, it just pushes a Lua string on the stack. You should print that string to stderr and then pop the string off the stack. e.g. something like:

luaL_traceback(L, L, "lpeg", 1);               /* pushes the traceback as a Lua string */
fprintf(stderr, "%s\n", lua_tostring(L, -1));  /* print it */
lua_pop(L, 1);                                  /* and remove it from the stack again */

@batrick

batrick commented Aug 10, 2016

Oh, the C traceback is not very useful without knowing which lpeg pattern and subject string caused the problem.

@sergeykhegay
Author

sergeykhegay commented Aug 10, 2016

@batrick, I discovered that there are two places where Nmap fails.

i. When NSE script arguments are parsed.

https://github.com/sergeykhegay/nmap/blob/gsoc-lpeg/nse_main.lua#L1189-L1204
Somehow the parser returns not a table but a number, which is assigned to nmap.registry.args. The latter is supposed to be a table.

Command: ./nmap.exe -d --script=unittest --script-args unittest.run

Update: it turns out that the parser returns a number only when I enable a grammar debugger https://github.com/sergeykhegay/nmap/blob/gsoc-lpeg/nse_main.lua#L1202, otherwise it silently segfaults, which I catch in the Visual Studio debugger.

ii. When running JSON unit tests.

Did not investigate in detail, but I know that it fails on the very first test.

@sergeykhegay
Author

sergeykhegay commented Aug 10, 2016

@batrick, if it helps this is what I get in debug:

$ ./nmap.exe -d --script=unittest --script-args unittest.run

Starting Nmap 7.25SVN ( https://nmap.org ) at 2016-08-10 01:52 Eastern Daylight Time
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
Winpcap present, dynamic linked to: WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008)
Error in OpenService
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: unittest.run
NSE: Arguments parsed: unittest.run
NSE: args: unittest.run
NSE: ENTER 1
NSE: ENTER space
NSE: LEAVE space
NSE: ENTER table
NSE: ENTER space
NSE: LEAVE space
NSE: ENTER fieldlst
NSE: ENTER field
NSE: ENTER kv
NSE: ENTER string
NSE: ENTER qstring
NSE: LEAVE qstring
NSE: ENTER uqstring
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ---uqstring---
NSE: pos: 14, [{unittest.run]
NSE: ---string---
NSE: pos: 14, [{unittest.run]
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: LEAVE kv
NSE: ENTER av
NSE: ENTER value
NSE: ENTER table
NSE: LEAVE table
NSE: ENTER string
NSE: ENTER qstring
NSE: LEAVE qstring
NSE: ENTER uqstring
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ---uqstring---
NSE: pos: 14, [{unittest.run]
NSE: ---string---
NSE: pos: 14, [{unittest.run]
NSE: ---value---
NSE: pos: 14, [{unittest.run]
NSE: ---av---
NSE: pos: 14, [{unittest.run]
NSE: ---field---
NSE: pos: 14, [{unittest.run]
NSE: ENTER hws
NSE: ENTER space
NSE: LEAVE space
NSE: LEAVE hws
NSE: ---fieldlst---
NSE: pos: 14, [{unittest.run]
NSE: ENTER space
NSE: LEAVE space
NSE: ---table---
NSE: pos: 15, [{unittest.run}]
NSE: ENTER space
NSE: LEAVE space
NSE: ---1---
NSE: pos: 15, [{unittest.run}]
NSE: nmap.registry.args is number
NSE: nmap.registry.args is 15
NSE: Failed to load C:\Users\picnic\Desktop\nmap-lpeg\mswin32\Debug/scripts\unittest.nse:
...picnic\Desktop\nmap-lpeg\mswin32\Debug/nselib/stdnse.lua:835: attempt to index a number value (field 'args')
stack traceback:
        ...picnic\Desktop\nmap-lpeg\mswin32\Debug/nselib/stdnse.lua:835: in upvalue 'arg_value'
        ...picnic\Desktop\nmap-lpeg\mswin32\Debug/nselib/stdnse.lua:884: in function 'stdnse.get_script_args'
        ...cnic\Desktop\nmap-lpeg\mswin32\Debug/nselib/unittest.lua:141: in main chunk
        [C]: in function 'require'
        ...nic\Desktop\nmap-lpeg\mswin32\Debug/scripts\unittest.nse:2: in function <...nic\Desktop\nmap-lpeg\mswin32\Debug/scripts\unittest.nse:1>
NSE: failed to initialize the script engine:
...sers\picnic\Desktop\nmap-lpeg\mswin32\Debug/nse_main.lua:601: could not load script
stack traceback:
        [C]: in function 'error'
        ...sers\picnic\Desktop\nmap-lpeg\mswin32\Debug/nse_main.lua:601: in field 'new'
        ...sers\picnic\Desktop\nmap-lpeg\mswin32\Debug/nse_main.lua:777: in global 'Entry'
        ...picnic\Desktop\nmap-lpeg\mswin32\Debug/scripts\script.db:513: in local 'db_closure'
        ...sers\picnic\Desktop\nmap-lpeg\mswin32\Debug/nse_main.lua:790: in local 'get_chosen_scripts'
        ...sers\picnic\Desktop\nmap-lpeg\mswin32\Debug/nse_main.lua:1256: in main chunk
        [C]: in ?

QUITTING!

@sergeykhegay
Author

@batrick, do you think the problem arises because of the LPeg implementation, or might it be because of the grammar rules? Is there any good way to debug it if it is the former? We now have the grammar and the string to blame.

@batrick

batrick commented Aug 11, 2016

@sergeykhegay I can confirm the segfault running:

./nmap -d --script=unittest --script-args unittest.run

Just to check, I tried using my system lpeg (Arch Linux) by commenting out lpeg in nse_main.cc:

static void set_nmap_libraries (lua_State *L)
{ 
  static const luaL_Reg libs[] = {
    {NSE_PCRELIBNAME, luaopen_pcrelib},
    {NSE_NMAPLIBNAME, luaopen_nmap},
    {LFSLIBNAME, luaopen_lfs},
    //{LPEGLIBNAME, luaopen_lpeg},
#ifdef HAVE_OPENSSL
    {OPENSSLLIBNAME, luaopen_openssl},
#endif
    {NULL, NULL}
  };

  for (int i = 0; libs[i].name; i++) {
    luaL_requiref(L, libs[i].name, libs[i].func, 1);
    lua_pop(L, 1);
  }
}

I didn't get the segfault anymore. There is probably a problem in the amalgamated lpeg library. Can you check?

@batrick

batrick commented Aug 11, 2016

@sergeykhegay never mind. The segmentation fault is apparently random. It's a bug in lpeg. I'll look into it...
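
The thread never shows the offending pattern or the root cause, only that hascaptures() recursed until the stack ran out, and that in every trace above it did so inside compile()/prepcompile(), i.e. while the pattern was being compiled and before any subject string was matched. The added example below illustrates that failure class in general; it is not LPeg's code, and the node layout, tags and function names are constructed for the illustration. It shows a capture-reachability walk over a grammar tree that follows rule references without remembering which rules are already on the current path, next to a version that does. The naive walk never terminates on a recursive rule that calls itself before reaching any capture, and each step costs a stack frame; a depth budget is added to it only so the behaviour can be observed as a return value instead of a SIGSEGV.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed node layout for this example; not lpeg.c's TTree. */
enum tag { T_CHAR, T_SEQ, T_CHOICE, T_CAPTURE, T_CALL, T_RULE };

typedef struct node {
  enum tag tag;
  struct node *left;   /* first child (SEQ/CHOICE) or body (RULE/CAPTURE) */
  struct node *right;  /* second child (SEQ/CHOICE) */
  struct node *rule;   /* referenced rule (CALL) */
  int on_path;         /* cycle mark used by the safe walk */
} node;

static node *mk(enum tag tag, node *left, node *right) {
  node *n = calloc(1, sizeof *n);
  if (n == NULL) abort();
  n->tag = tag; n->left = left; n->right = right;
  return n;
}

static node *mk_call(node *rule) {
  node *n = mk(T_CALL, NULL, NULL);
  n->rule = rule;
  return n;
}

/* Naive walk: every CALL is followed into its rule body. A rule that reaches
 * itself before any capture is never left, and every step costs a stack
 * frame. The depth budget is not part of the algorithm; it exists only so
 * the failure shows up as -1 instead of a SIGSEGV. */
static int has_captures_naive(const node *t, int depth) {
  if (depth > 10000) return -1;
  switch (t->tag) {
    case T_CAPTURE: return 1;
    case T_CALL:    return has_captures_naive(t->rule, depth + 1);
    case T_RULE:    return has_captures_naive(t->left, depth + 1);
    case T_SEQ:
    case T_CHOICE: {
      int r = has_captures_naive(t->left, depth + 1);
      if (r != 0) return r;              /* propagates both 1 and -1 */
      return has_captures_naive(t->right, depth + 1);
    }
    default: return 0;
  }
}

/* Cycle-safe walk: a rule already on the recursion path is not entered
 * again. Any capture reachable from it is also reachable along a path that
 * does not repeat the rule, so the answer is unchanged and the depth is
 * bounded by the number of distinct rules. The mark is cleared on the way
 * out, so the function can be called repeatedly on the same tree. */
static int has_captures_safe(node *t) {
  switch (t->tag) {
    case T_CAPTURE: return 1;
    case T_CALL:    return has_captures_safe(t->rule);
    case T_RULE: {
      int r;
      if (t->on_path) return 0;
      t->on_path = 1;
      r = has_captures_safe(t->left);
      t->on_path = 0;
      return r;
    }
    case T_SEQ:
    case T_CHOICE:
      return has_captures_safe(t->left) || has_captures_safe(t->right);
    default: return 0;
  }
}

/* A <- 'x' A / 'y' : right-recursive, no captures anywhere. */
static node *build_recursive_rule(void) {
  node *a = mk(T_RULE, NULL, NULL);
  a->left = mk(T_CHOICE,
               mk(T_SEQ, mk(T_CHAR, NULL, NULL), mk_call(a)),
               mk(T_CHAR, NULL, NULL));
  return a;
}

/* B <- C('x') B / 'y' : same shape, but the capture sits before the call,
 * so even the naive walk finds it and returns before recursing. */
static node *build_recursive_rule_with_capture(void) {
  node *b = mk(T_RULE, NULL, NULL);
  b->left = mk(T_CHOICE,
               mk(T_SEQ, mk(T_CAPTURE, mk(T_CHAR, NULL, NULL), NULL),
                  mk_call(b)),
               mk(T_CHAR, NULL, NULL));
  return b;
}

int main(void) {
  node *a = build_recursive_rule();
  node *b = build_recursive_rule_with_capture();
  printf("A: naive=%d (-1 = unbounded recursion), safe=%d\n",
         has_captures_naive(a, 0), has_captures_safe(a));
  printf("B: naive=%d, safe=%d\n",
         has_captures_naive(b, 0), has_captures_safe(b));
  return 0;  /* trees are cyclic; they live for the process lifetime */
}
```

The point for a reviewer of an upgrade like this one: a walk of this kind runs when a pattern is compiled, so the crash is decided by the shape of the project's own grammars (here the script-argument parser and json.lua) rather than by the scan target, and it can hide behind unrelated scripts that merely load those libraries. Whether LPeg's actual fix works this way is not something the thread establishes; the lua-l posts linked later in the thread are the place to check.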

@sebcat

sebcat commented Sep 13, 2016

Hello,

I wanted to see if the fix I posted to the lua-l mailinglist worked with your test suite, and I think it did.

I opened up a pull request to sergeykhegay:gsoc-lpeg: sergeykhegay#1

I don't know how you want to do it, if you want to merge it or wait for a new release of lua-lpeg, or at least a comment from Roberto. If you go ahead and merge it, it would be nice if my commit was kept as-is, for bragging rights and Internet points ;)

@batrick

batrick commented Sep 13, 2016

I'm fine with merging your commit as well into /nmap if this indeed resolves the problem. @sergeykhegay, can you check this when you have some time please?

@sergeykhegay
Author

@batrick, @sebcat, I have tested the fix. It seems to be working. Nmap fails neither during parsing the arguments nor during json.lua unit testing (nor during other unit testing).

I have tested on Linux (Ubuntu), MacOS X, Windows 7. Since the problem sometimes occurred randomly, I wrote a script to consecutively run Nmap 10^3 times:

./nmap -d --datadir . --script=unittest --script-args='unittest.run'

It did not fail.

@batrick, if that is enough for testing, what do I do? Merge Sebastian's PR first?

@batrick

batrick commented Sep 14, 2016

@sergeykhegay make sure your branch is only the one commit being merged into master (it seems there are extraneous merge commits in the PR again). Then you can cherry-pick @sebcat's commit or ask him to rebase on top of your new branch.

After that, I think @bonsaiviking will merge it as he handles github merges AFAIK.

@sergeykhegay
Author

@dmiller-nmap , @batrick, @sebcat. I have tested the branch after @sebcat's Lua fix merge. Everything seems to be ok.

I think the branch is ready for merge, @dmiller-nmap

@sebcat

sebcat commented Apr 9, 2017

LPeg 1.0.1[1] is out, with a fix for this issue [2]

[1] https://www.inf.puc-rio.br/~roberto/lpeg/lpeg-1.0.1.tar.gz
[2] https://lua-users.org/lists/lua-l/2017-01/msg00163.html

@slashdd

slashdd commented Aug 15, 2019

I have a similar (intermittent stack exhaustion due to many hascaptures() calls) issue using nmap (7.01-2ubuntu2) which contains lpeg.c (#define VERSION "0.12"). I saw in the above comments that the problem doesn't exist in "0.12". Can someone re-confirm for me? Because based on what I see "0.12" seems affected as well.

I'll try to apply the 2 commits and see how it goes in the meantime.

Core was generated by `nmap -sV <IP_ADDRESS>'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f8e05b3f257 in hascaptures () from /usr/lib/x86_64-linux-gnu/liblua5.2-lpeg.so.2
(gdb) bt
#0 0x00007f8e05b3f257 in hascaptures () from /usr/lib/x86_64-linux-gnu/liblua5.2-lpeg.so.2
#1 0x00007f8e05b3f25c in hascaptures () from /usr/lib/x86_64-linux-gnu/liblua5.2-lpeg.so.2
#2 0x00007f8e05b3f25c in hascaptures () from /usr/lib/x86_64-linux-gnu/liblua5.2-lpeg.so.2
#3 0x00007f8e05b3f25c in hascaptures () from /usr/lib/x86_64-linux-gnu/liblua5.2-lpeg.so.2
#4 0x00007f8e05b3f25c in hascaptures () from /usr/lib/x86_64-linux-gnu/liblua5.2-lpeg.so.2
#5 0x00007f8e05b3f25c in hascaptures () from /usr/lib/x86_64-linux-gnu/liblua5.2-lpeg.so.2
#6 0x00007f8e05b3f25c in hascaptures () from /usr/lib/x86_64-linux-gnu/liblua5.2-lpeg.so.2
#7 0x00007f8e05b3f25c in hascaptures () from /usr/lib/x86_64-linux-gnu/liblua5.2-lpeg.so.2
#8 0x00007f8e05b3f25c in hascaptures () from /usr/lib/x86_64-linux-gnu/liblua5.2-lpeg.so.2
....

@sebcat

sebcat commented Aug 15, 2019

@slashdd nmap-7.01-2ubuntu2 [1] depends on lua-lpeg [2] which is at version 0.12.2 (for Ubuntu). The referenced bug was present in [0.12.1, 1.0.0] if I can trust my previous analysis [3].

EDIT: To clarify, nmap-7.01 links against the system lpeg (see patches/0003-Link-against-lua-lpeg.patch in nmap_7.01-2ubuntu2.debian.tar.xz)

[1] https://packages.ubuntu.com/xenial/nmap
[2] https://packages.ubuntu.com/xenial/lua-lpeg
[3] https://lua-users.org/lists/lua-l/2016-09/msg00153.html

@slashdd

slashdd commented Aug 15, 2019

@sebcat ok thanks for the ML list link much appreciated. It was confusing since above in the bug it says the opposite for v 0.12.

With that being said, this bug is still open, but it seems like there is a commit to fix the segmentation fault -> d9487fe (not yet merged).

What is the appropriate way to fix this bug? Is this still an ongoing issue in later lua-lpeg/nmap versions?

sebcat mentioned this pull request Aug 15, 2019

@sebcat

sebcat commented Aug 15, 2019

@slashdd I made a PR bumping the version to 1.0.2. Haven't tried building it (no suitable computer ATM). #1695

EDIT: That being said, if you build nmap from source instead of using Ubuntu's packaged version, you will not see the hascaptures problem.

@slashdd

slashdd commented Aug 15, 2019

@sebcat Thanks, I will follow the PR you just pointed out.
Note: My intent here is to fix the Ubuntu nmap package for all the affected stable releases of Ubuntu.

@sergeykhegay
Author

I deem this outdated.
