-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update LPeg to v1.0.0. Closes #432 #478
Conversation
Stack overflow. Valgrind output:
gdb backtrace (truncated):
The overflow does not happen every time, but it does happen frequently with this command:
|
@sergeykhegay, please just make this one commit which modifies (not deletes) lpeg.c. @bonsaiviking, are we sure this problem doesn't also exist in lpeg v0.12? |
@batrick, this issue does not exist in v0.12. |
@batrick, I am afraid I did not understand the part with one commit...
So technically it looks like I modified lpeg.c. No? Sorry, I am puzzled... |
@sergeykhegay I'm referring to e1a666c and 4142031. Please make them one commit. (This PR should only be one commit but right now there are 8: https://github.com/nmap/nmap/pull/478/commits.) |
If possible, we should try to collapse the problematic pattern into a simple test case which we can verify using only lua standalone with lpeg. |
1ac8b7a
to
5c91f0c
Compare
@sergeykhegay this commit looks much better. Have you tried figuring out which pattern is causing the error? You could modify lpeg.c's match function [1] to print a stack backtrace to figure out where the valgrind error is happening. Use [2] to print the stack. (The output will be verbose probably but at the end you should find the culprit!) [1] https://github.com/nmap/nmap/pull/478/files#diff-0c64b58f70b0b7935ac1d99fa8f3c673L3211 |
@batrick, I tried to use
As I understand the way to fix this is to find a bug in the grammar for |
There is no bug in json. The bug is likely in lpeg. For luaL_traceback, it just pushes a Lua string on the stack. You should print that string to stderr and then pop the string off the stack. e.g. something like:
|
Oh, the C traceback is not very useful without knowing which lpeg pattern and subject string caused the problem. |
@batrick, I discovered that there are two places where Nmap fails. i. When NSE script arguments are parsed. https://github.com/sergeykhegay/nmap/blob/gsoc-lpeg/nse_main.lua#L1189-L1204 Command: Update: it turns out that
|
@batrick, if it helps this is what I get in debug:
|
@batrick, do you think the problem raises because of LPeg implementation, or might it be because of grammar rules? Is there any good way to debug if it is former? We now have the grammar and the string to blame. |
@sergeykhegay I can confirm the segfault running:
Just to check, I tried using my system lpeg (Arch Linux) by commenting out lpeg in nse_main.cc:
I didn't get the segfault anymore. There is probably a problem in the amalgamated lpeg library. Can you check? |
@sergeykhegay nevermind. The segmentation fault is apparently random. It's a bug in lpeg. I'll look into it... |
Hello, I wanted to see if the fix I posted to the lua-l mailinglist worked with your test suite, and I think it did. I opened up a pull request to sergeykhegay:gsoc-lpeg: sergeykhegay#1 I don't know how you want to do it, if you wanna merge it or wait for a new release of lua-lpeg, or at least a comment from roberto. If you go ahead and merge it, it would be nice if my commit was kept as-is, for bragging rights and Internet points ;) |
I'm fine with merging your commit as well into /nmap if this indeed resolves the problem. @sergeykhegay, can you check this when you have some time please? |
@batrick, @sebcat, I have tested the fix. It seems to be working. Nmap fails neither during parsing the arguments nor during json.lua unit testing (nor during other unittesting). I have tested on Linux (Ubuntu), MacOS X, Windows 7. Since the problem sometimes occurred randomly, I wrote a script to consecutively run Nmap 10^3 times. @batrick, if that is enough for testing, what do I do? Merge Sebastian's PR first? |
@sergeykhegay make sure your branch is only the one commit being merged into master (it seems there are extraneous merge commits in the PR again). Then you can cherry-pick @sebcat 's commit or ask him to rebase on top of your new branch. After that, I think @bonsaiviking will merge it as he handles github merges AFAIK. |
d6e8df5
to
d9487fe
Compare
@dmiller-nmap , @batrick, @sebcat. I have tested the branch after @sebcat's Lua fix merge. Everything seems to be ok. I think the branch is ready for merge, @dmiller-nmap |
LPeg 1.0.1[1] is out, with a fix for this issue [2] [1] https://www.inf.puc-rio.br/~roberto/lpeg/lpeg-1.0.1.tar.gz |
I have a similar (intermittent stack exhaustion due to many hascaptures() calls) issue using nmap (7.01-2ubuntu2) which contains lpeg.c (#define VERSION "0.12"). I saw in the above comments that the problem doesn't exist in "0.12". Can someone re-confirm for me ? because based on what I see "0.12" seems affected as well. I'll try to apply to 2 commits and see how it goes in the meantime.
|
@slashdd nmap-7.01-2ubuntu2[1] depends on lua-lpeg[2] which is at version 0.12.2 (for Ubuntu). The referenced bug was present [0.12.1, 1.0.0] if I can trust my previous analysis[3]. EDIT: To clarify, nmap-7.01 links against the system lpeg (see patches/0003-Link-against-lua-lpeg.patch in nmap_7.01-2ubuntu2.debian.tar.xz) [1] https://packages.ubuntu.com/xenial/nmap |
@sebcat ok thanks for the ML list link much appreciated. It was confusing since above in the bug it says the opposite for v 0.12. With that being said, this bug is still open, but it seems like there is a commit to fix the segmentation fault -> d9487fe (not yet merged). What is the appropriate way to fix this bug ? Is this still an ongoing issue in later lua-lpeg/nmap version ? |
@sebcat Thanks, I will follow the PR you just point out. |
I deem this outdated. |
This update closes #432.
I used Devin's amalgamation script to create
lpeg.c
file from LPeg v1.0.0 distribution fileshttps://svn.nmap.org/nmap-private-dev/misc-scripts/amalgamate.py
https://www.inf.puc-rio.br/~roberto/lpeg/lpeg-1.0.0.tar.gz
Tested
banner.nse
andntp-info.nse
scripts, which indirectly uselpeg
library throughlpeg-utility
library.An indication that the LPeg v1.0.0 is fully backward compatible with v0.12 is that
re.lua
module which is distributed with LPeg source code did not have any changes since v0.12. Nmap includesre.lua
as one of the libraries.