[Openvas-devel] openvasd - bug in OpenVAS server, right after portscan

Vlatko Kosturjak kost at linux.hr
Thu Aug 7 11:44:55 CEST 2008


Hello!

I tried to submit the bug at the following URL:
http://wald.intevation.org/tracker/?group_id=29

But I couldn't submit a bug for openvas-server; there are only
openvas-client and openvas-plugins in the components drop-down list.
So, I'm sending the bug report to this mailing list.

I took the latest SVN source as of today and recompiled it. I'm using the
following CPU (cat /proc/cpuinfo):

processor       : 0
vendor_id       : GenuineIntel
cpu family      : 15
model           : 6
model name      : Intel(R) Pentium(R) D CPU 3.00GHz
stepping        : 5
cpu MHz         : 2400.000
cache size      : 2048 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 2
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 6
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe lm
constant_tsc pebs bts sync_rdtsc pni monitor ds_cpl est cid cx16 xtpr
lahf_lm
bogomips        : 6004.42
clflush size    : 64

processor       : 1
vendor_id       : GenuineIntel
cpu family      : 15
model           : 6
model name      : Intel(R) Pentium(R) D CPU 3.00GHz
stepping        : 5
cpu MHz         : 2400.000
cache size      : 2048 KB
physical id     : 0
siblings        : 2
core id         : 1
cpu cores       : 2
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 6
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe lm
constant_tsc pebs bts sync_rdtsc pni monitor ds_cpl est cid cx16 xtpr
lahf_lm
bogomips        : 6000.00
clflush size    : 64

I tried to do a simple vulnerability scan on a single host (with all 1-65535
ports). I used only the OpenVAS TCP scanner as the port scanner, and right
after the portscan, the openvasd child dies with SIGSEGV (not a good sign at
all!). The problem is reproducible and happens every time.

These are the log messages (with debug option turned on):
[Thu Aug  7 06:34:56 2008][25806] user XXXXXXXX starts a new scan.
Target(s) : 192.168.xx.xx, with max_hosts = 20 and max_checks = 4
[Thu Aug  7 06:34:56 2008][25806] user XXXXXXXXXX : testing
192.168.xx.xx (192.168.xx.xx) [25809]
[Thu Aug  7 06:38:07 2008][25809] SIGSEGV occured !
[Thu Aug  7 06:38:07 2008][25806] user XXXXXXXXX : test complete
[Thu Aug  7 06:38:07 2008][25806] SIGSEGV occured !

I tried running gdb against openvasd by attaching it to the running
openvasd process. This is the backtrace:

# gdb -p 28021
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
Attaching to process 28021
Reading symbols from /opt/openvas-svn/sbin/openvasd...done.
Reading symbols from /opt/openvas-svn/lib/libopenvasnasl.so.1...done.
Loaded symbols for /opt/openvas-svn/lib/libopenvasnasl.so.1
Reading symbols from /opt/openvas-svn/lib/libopenvas.so.1...done.
Loaded symbols for /opt/openvas-svn/lib/libopenvas.so.1
Reading symbols from /opt/openvas-svn/lib/libopenvas_hg.so.1...done.
Loaded symbols for /opt/openvas-svn/lib/libopenvas_hg.so.1
Reading symbols from /lib/tls/i686/cmov/libutil.so.1...done.
Loaded symbols for /lib/tls/i686/cmov/libutil.so.1
Reading symbols from /lib/tls/i686/cmov/libnsl.so.1...done.
Loaded symbols for /lib/tls/i686/cmov/libnsl.so.1
Reading symbols from /usr/lib/libpcap.so.0.8...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /usr/lib/libgnutls.so.13...done.
Loaded symbols for /usr/lib/libgnutls.so.13
Reading symbols from /lib/tls/i686/cmov/libresolv.so.2...done.
Loaded symbols for /lib/tls/i686/cmov/libresolv.so.2
Reading symbols from /lib/tls/i686/cmov/libdl.so.2...done.
Loaded symbols for /lib/tls/i686/cmov/libdl.so.2
Reading symbols from /lib/tls/i686/cmov/libc.so.6...done.
Loaded symbols for /lib/tls/i686/cmov/libc.so.6
Reading symbols from /lib/libgcrypt.so.11...done.
Loaded symbols for /lib/libgcrypt.so.11
Reading symbols from /usr/lib/libgpgme.so.11...done.
Loaded symbols for /usr/lib/libgpgme.so.11
Reading symbols from /lib/libgpg-error.so.0...done.
Loaded symbols for /lib/libgpg-error.so.0
Reading symbols from /usr/lib/libtasn1.so.3...done.
Loaded symbols for /usr/lib/libtasn1.so.3
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/tls/i686/cmov/libnss_files.so.2...done.
Loaded symbols for /lib/tls/i686/cmov/libnss_files.so.2
Reading symbols from /lib/libnss_mdns4_minimal.so.2...done.
Loaded symbols for /lib/libnss_mdns4_minimal.so.2
Reading symbols from /lib/tls/i686/cmov/libnss_dns.so.2...done.
Loaded symbols for /lib/tls/i686/cmov/libnss_dns.so.2
Reading symbols from /lib/libnss_mdns4.so.2...done.
Loaded symbols for /lib/libnss_mdns4.so.2
0xb7fd0410 in __kernel_vsyscall ()
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xb7d1087b in ?? () from /lib/tls/i686/cmov/libc.so.6
(gdb) bt
#0  0xb7d1087b in ?? () from /lib/tls/i686/cmov/libc.so.6
#1  0xb7d105e0 in strtol () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7d0d891 in atoi () from /lib/tls/i686/cmov/libc.so.6
#3  0x08058182 in get_closed_ports ()
#4  0x080584a6 in requirements_plugin ()
#5  0x0804c1b2 in launch_plugin ()
#6  0x0804c659 in attack_host ()
#7  0x0804c92b in attack_start ()
#8  0x0805046d in create_process ()
#9  0x0804d5aa in attack_network ()
#10 0x08059265 in server_thread ()
#11 0x0805046d in create_process ()
#12 0x08059902 in main_loop ()
#13 0x0805a69c in main ()
(gdb)


I tried to print the content of ports->name with a single printf in
get_closed_ports(), but then openvasd failed while printing the argument:


(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xb7ce025b in strlen () from /lib/tls/i686/cmov/libc.so.6
(gdb) bt
#0  0xb7ce025b in strlen () from /lib/tls/i686/cmov/libc.so.6
#1  0xb7cca635 in puts () from /lib/tls/i686/cmov/libc.so.6
#2  0x08058189 in get_closed_ports ()
#3  0x080584be in requirements_plugin ()
#4  0x0804c1b2 in launch_plugin ()
#5  0x0804c659 in attack_host ()
#6  0x0804c92b in attack_start ()
#7  0x0805046d in create_process ()
#8  0x0804d5aa in attack_network ()
#9  0x0805927d in server_thread ()
#10 0x0805046d in create_process ()
#11 0x0805991a in main_loop ()
#12 0x0805a6b4 in main ()
(gdb)

It seems like the linked list is trashed somehow. Any help finding the
source of this problem?

Kost
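Added example, not OpenVAS code: the backtrace above shows atoi() called from get_closed_ports() on a ports->name that is apparently no longer a valid string. The C sketch below uses a hypothetical port_entry struct and shows the defensive pattern a maintainer would want in that spot: reject NULL or malformed names with strtol() instead of atoi(), and bound the list walk so a corrupted list cannot loop forever.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical list node modelled on the ports->name usage in the
 * backtrace; this is not OpenVAS's own struct. */
struct port_entry {
    const char *name;           /* port number as text, e.g. "443" */
    struct port_entry *next;
};

/* Parse one port name strictly. Returns the port (1..65535) or -1 if the
 * string is NULL, empty, non-numeric, has trailing junk or is out of
 * range. atoi() returns 0 on garbage and dereferences a NULL pointer. */
int parse_port_name(const char *name)
{
    char *end;
    long v;

    if (name == NULL || *name == '\0')
        return -1;
    errno = 0;
    v = strtol(name, &end, 10);
    if (errno != 0 || *end != '\0' || v < 1 || v > 65535)
        return -1;
    return (int)v;
}

/* Count entries whose name parses and whose port is not in open_ports.
 * Unparsable names are skipped and counted in *bad; the walk is capped at
 * max_nodes so a cycle in a corrupted list terminates instead of hanging. */
int count_closed_ports(const struct port_entry *head,
                       const int *open_ports, size_t n_open,
                       int *bad, size_t max_nodes)
{
    int closed = 0;
    size_t visited = 0;
    *bad = 0;
    for (const struct port_entry *p = head; p != NULL && visited < max_nodes;
         p = p->next, visited++) {
        int port = parse_port_name(p->name);
        if (port < 0) { (*bad)++; continue; }
        int is_open = 0;
        for (size_t i = 0; i < n_open; i++)
            if (open_ports[i] == port) { is_open = 1; break; }
        if (!is_open) closed++;
    }
    return closed;
}
```

The constructed list in the test below contains a NULL name, as the crash suggests, and an out-of-range name; both are reported rather than crashing the walker.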