Attachment #230006 for bug #260250

Lines 1-6 Link Here

(-)b/security/suricata/Makefile (-2 / +1 lines)
1	PORTNAME= suricata	1	PORTNAME= suricata
2	DISTVERSION= 6.0.3	2	DISTVERSION= 6.0.4
3	PORTREVISION= 5
4	CATEGORIES= security	3	CATEGORIES= security
5	MASTER_SITES= https://www.openinfosecfoundation.org/download/	4	MASTER_SITES= https://www.openinfosecfoundation.org/download/
6		5

Lines 1-3 Link Here

(-)b/security/suricata/distinfo (-3 / +3 lines)
1	TIMESTAMP = 1628041281	1	TIMESTAMP = 1637246038
2	SHA256 (suricata-6.0.3.tar.gz) = daf134bb2d7c980035e9ae60f7aaf313323a809340009f26e48110ccde81f602	2	SHA256 (suricata-6.0.4.tar.gz) = a8f197e33d1678689ebbf7bc1abe84934c465d22c504c47c2c7e9b74aa042d0d
3	SIZE (suricata-6.0.3.tar.gz) = 32421197	3	SIZE (suricata-6.0.4.tar.gz) = 32498036




From 3c53a1601b6f861f8b7f0cd0984b18e78291fe85 Mon Sep 17 00:00:00 2001
From: Victor Julien <victor@inliniac.net>
Date: Wed, 18 Aug 2021 20:14:48 +0200
Subject: [PATCH] threading: don't pass locked flow between threads

Previously the flow manager would share evicted flows with the workers
while keeping the flows mutex locked. This reduced the number of unlock/
lock cycles while there was guaranteed to be no contention.

This turns out to be undefined behavior. A lock is supposed to be locked
and unlocked from the same thread. It appears that FreeBSD is stricter on
this than Linux.

This patch addresses the issue by unlocking before handing a flow off
to another thread, and locking again from the new thread.

Issue was reported and largely analyzed by Bill Meeks.

Bug: #4478
(cherry picked from commit 9551cd05357925e8bec8e0030d5f98fd07f17839)
---
 src/flow-hash.c    | 1 +
 src/flow-manager.c | 2 +-
 src/flow-timeout.c | 1 +
 src/flow-worker.c  | 1 +
 4 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/flow-hash.c b/src/flow-hash.c
index ebbd836e81a..760bc53e0a8 100644
--- src/flow-hash.c
+++ src/flow-hash.c
@@ -669,6 +669,7 @@ static inline void MoveToWorkQueue(ThreadVars *tv, FlowLookupStruct *fls,
         f->fb = NULL;
         f->next = NULL;
         FlowQueuePrivateAppendFlow(&fls->work_queue, f);
+        FLOWLOCK_UNLOCK(f);
     } else {
         /* implied: TCP but our thread does not own it. So set it
          * aside for the Flow Manager to pick it up. */
diff --git a/src/flow-manager.c b/src/flow-manager.c
index d58a49637d6..9228c88490c 100644
--- src/flow-manager.c
+++ src/flow-manager.c
@@ -333,9 +333,9 @@ static uint32_t ProcessAsideQueue(FlowManagerTimeoutThread *td, FlowTimeoutCount
                 FlowForceReassemblyNeedReassembly(f) == 1)
         {
             FlowForceReassemblyForFlow(f);
+            FLOWLOCK_UNLOCK(f);
             /* flow ownership is passed to the worker thread */
 
-            /* flow remains locked */
             counters->flows_aside_needs_work++;
             continue;
         }
diff --git a/src/flow-timeout.c b/src/flow-timeout.c
index 972b35076bd..d6cca490087 100644
--- src/flow-timeout.c
+++ src/flow-timeout.c
@@ -401,6 +401,7 @@ static inline void FlowForceReassemblyForHash(void)
                 RemoveFromHash(f, prev_f);
                 f->flow_end_flags |= FLOW_END_FLAG_SHUTDOWN;
                 FlowForceReassemblyForFlow(f);
+                FLOWLOCK_UNLOCK(f);
                 f = next_f;
                 continue;
             }
diff --git a/src/flow-worker.c b/src/flow-worker.c
index 69dbb6ac575..dccf3581dd5 100644
--- src/flow-worker.c
+++ src/flow-worker.c
@@ -168,6 +168,7 @@ static void CheckWorkQueue(ThreadVars *tv, FlowWorkerThreadData *fw,
 {
     Flow *f;
     while ((f = FlowQueuePrivateGetFromTop(fq)) != NULL) {
+        FLOWLOCK_WRLOCK(f);
         f->flow_end_flags |= FLOW_END_FLAG_TIMEOUT; //TODO emerg
 
         const FlowStateType state = f->flow_state;




--- rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/mod.rs.orig	2020-03-17 20:35:43 UTC
+++ rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/mod.rs
@@ -1486,6 +1486,9 @@ cfg_if! {
     } else if #[cfg(target_arch = "powerpc64")] {
         mod powerpc64;
         pub use self::powerpc64::*;
+    } else if #[cfg(target_arch = "powerpc")] {
+        mod powerpc;
+        pub use self::powerpc::*;
     } else {
         // Unknown target_arch
     }
--- rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/powerpc.rs.orig	2021-06-23 22:40:24 UTC
+++ rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/powerpc.rs
@@ -0,0 +1,47 @@
+pub type c_char = u8;
+pub type c_long = i32;
+pub type c_ulong = u32;
+pub type wchar_t = i32;
+pub type time_t = i64;
+pub type suseconds_t = i32;
+pub type register_t = i32;
+
+s! {
+    pub struct stat {
+        pub st_dev: ::dev_t,
+        pub st_ino: ::ino_t,
+        pub st_mode: ::mode_t,
+        pub st_nlink: ::nlink_t,
+        pub st_uid: ::uid_t,
+        pub st_gid: ::gid_t,
+        pub st_rdev: ::dev_t,
+        pub st_atime: ::time_t,
+        pub st_atime_nsec: ::c_long,
+        pub st_mtime: ::time_t,
+        pub st_mtime_nsec: ::c_long,
+        pub st_ctime: ::time_t,
+        pub st_ctime_nsec: ::c_long,
+        pub st_size: ::off_t,
+        pub st_blocks: ::blkcnt_t,
+        pub st_blksize: ::blksize_t,
+        pub st_flags: ::fflags_t,
+        pub st_gen: u32,
+        pub st_lspare: i32,
+        pub st_birthtime: ::time_t,
+        pub st_birthtime_nsec: ::c_long,
+    }
+}
+
+// should be pub(crate), but that requires Rust 1.18.0
+cfg_if! {
+    if #[cfg(libc_const_size_of)] {
+        #[doc(hidden)]
+        pub const _ALIGNBYTES: usize = ::mem::size_of::<::c_int>() - 1;
+    } else {
+        #[doc(hidden)]
+        pub const _ALIGNBYTES: usize = 4 - 1;
+    }
+}
+
+pub const MAP_32BIT: ::c_int = 0x00080000;
+pub const MINSIGSTKSZ: ::size_t = 2048; // 512 * 4




%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/util.pyc
%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.py
%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.pyc
%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata_update-1.2.3-py%%PYTHON_VER%%.egg-info
%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.py
%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.pyc
%%DATADIR%%/rules/app-layer-events.rules

%%DATADIR%%/rules/dns-events.rules
%%DATADIR%%/rules/files.rules
%%DATADIR%%/rules/http-events.rules
%%DATADIR%%/rules/http2-events.rules
%%DATADIR%%/rules/ipsec-events.rules
%%DATADIR%%/rules/kerberos-events.rules
%%DATADIR%%/rules/modbus-events.rules
%%DATADIR%%/rules/mqtt-events.rules
%%DATADIR%%/rules/nfs-events.rules
%%DATADIR%%/rules/ntp-events.rules
%%DATADIR%%/rules/smb-events.rules

Return to bug 260250

Removed Link Here

(-)a/security/suricata/files/patch-3c53a1601 (-78 lines)
1	From 3c53a1601b6f861f8b7f0cd0984b18e78291fe85 Mon Sep 17 00:00:00 2001
2	From: Victor Julien <victor@inliniac.net>
3	Date: Wed, 18 Aug 2021 20:14:48 +0200
4	Subject: [PATCH] threading: don't pass locked flow between threads
5
6	Previously the flow manager would share evicted flows with the workers
7	while keeping the flows mutex locked. This reduced the number of unlock/
8	lock cycles while there was guaranteed to be no contention.
9
10	This turns out to be undefined behavior. A lock is supposed to be locked
11	and unlocked from the same thread. It appears that FreeBSD is stricter on
12	this than Linux.
13
14	This patch addresses the issue by unlocking before handing a flow off
15	to another thread, and locking again from the new thread.
16
17	Issue was reported and largely analyzed by Bill Meeks.
18
19	Bug: #4478
20	(cherry picked from commit 9551cd05357925e8bec8e0030d5f98fd07f17839)
21	---
22	src/flow-hash.c \| 1 +
23	src/flow-manager.c \| 2 +-
24	src/flow-timeout.c \| 1 +
25	src/flow-worker.c \| 1 +
26	4 files changed, 4 insertions(+), 1 deletion(-)
27
28	diff --git a/src/flow-hash.c b/src/flow-hash.c
29	index ebbd836e81a..760bc53e0a8 100644
30	--- src/flow-hash.c
31	+++ src/flow-hash.c
32	@@ -669,6 +669,7 @@ static inline void MoveToWorkQueue(ThreadVars tv, FlowLookupStruct fls,
33	f->fb = NULL;
34	f->next = NULL;
35	FlowQueuePrivateAppendFlow(&fls->work_queue, f);
36	+ FLOWLOCK_UNLOCK(f);
37	} else {
38	/* implied: TCP but our thread does not own it. So set it
39	* aside for the Flow Manager to pick it up. */
40	diff --git a/src/flow-manager.c b/src/flow-manager.c
41	index d58a49637d6..9228c88490c 100644
42	--- src/flow-manager.c
43	+++ src/flow-manager.c
44	@@ -333,9 +333,9 @@ static uint32_t ProcessAsideQueue(FlowManagerTimeoutThread *td, FlowTimeoutCount
45	FlowForceReassemblyNeedReassembly(f) == 1)
46	{
47	FlowForceReassemblyForFlow(f);
48	+ FLOWLOCK_UNLOCK(f);
49	/* flow ownership is passed to the worker thread */
50
51	- /* flow remains locked */
52	counters->flows_aside_needs_work++;
53	continue;
54	}
55	diff --git a/src/flow-timeout.c b/src/flow-timeout.c
56	index 972b35076bd..d6cca490087 100644
57	--- src/flow-timeout.c
58	+++ src/flow-timeout.c
59	@@ -401,6 +401,7 @@ static inline void FlowForceReassemblyForHash(void)
60	RemoveFromHash(f, prev_f);
61	f->flow_end_flags \|= FLOW_END_FLAG_SHUTDOWN;
62	FlowForceReassemblyForFlow(f);
63	+ FLOWLOCK_UNLOCK(f);
64	f = next_f;
65	continue;
66	}
67	diff --git a/src/flow-worker.c b/src/flow-worker.c
68	index 69dbb6ac575..dccf3581dd5 100644
69	--- src/flow-worker.c
70	+++ src/flow-worker.c
71	@@ -168,6 +168,7 @@ static void CheckWorkQueue(ThreadVars tv, FlowWorkerThreadData fw,
72	{
73	Flow *f;
74	while ((f = FlowQueuePrivateGetFromTop(fq)) != NULL) {
75	+ FLOWLOCK_WRLOCK(f);
76	f->flow_end_flags \|= FLOW_END_FLAG_TIMEOUT; //TODO emerg
77
78	const FlowStateType state = f->flow_state;

Removed Link Here

(-)a/security/suricata/files/patch-powerpc (-62 lines)
1	--- rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/mod.rs.orig 2020-03-17 20:35:43 UTC
2	+++ rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/mod.rs
3	@@ -1486,6 +1486,9 @@ cfg_if! {
4	} else if #[cfg(target_arch = "powerpc64")] {
5	mod powerpc64;
6	pub use self::powerpc64::*;
7	+ } else if #[cfg(target_arch = "powerpc")] {
8	+ mod powerpc;
9	+ pub use self::powerpc::*;
10	} else {
11	// Unknown target_arch
12	}
13	--- rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/powerpc.rs.orig 2021-06-23 22:40:24 UTC
14	+++ rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/powerpc.rs
15	@@ -0,0 +1,47 @@
16	+pub type c_char = u8;
17	+pub type c_long = i32;
18	+pub type c_ulong = u32;
19	+pub type wchar_t = i32;
20	+pub type time_t = i64;
21	+pub type suseconds_t = i32;
22	+pub type register_t = i32;
23	+
24	+s! {
25	+ pub struct stat {
26	+ pub st_dev: ::dev_t,
27	+ pub st_ino: ::ino_t,
28	+ pub st_mode: ::mode_t,
29	+ pub st_nlink: ::nlink_t,
30	+ pub st_uid: ::uid_t,
31	+ pub st_gid: ::gid_t,
32	+ pub st_rdev: ::dev_t,
33	+ pub st_atime: ::time_t,
34	+ pub st_atime_nsec: ::c_long,
35	+ pub st_mtime: ::time_t,
36	+ pub st_mtime_nsec: ::c_long,
37	+ pub st_ctime: ::time_t,
38	+ pub st_ctime_nsec: ::c_long,
39	+ pub st_size: ::off_t,
40	+ pub st_blocks: ::blkcnt_t,
41	+ pub st_blksize: ::blksize_t,
42	+ pub st_flags: ::fflags_t,
43	+ pub st_gen: u32,
44	+ pub st_lspare: i32,
45	+ pub st_birthtime: ::time_t,
46	+ pub st_birthtime_nsec: ::c_long,
47	+ }
48	+}
49	+
50	+// should be pub(crate), but that requires Rust 1.18.0
51	+cfg_if! {
52	+ if #[cfg(libc_const_size_of)] {
53	+ #[doc(hidden)]
54	+ pub const _ALIGNBYTES: usize = ::mem::size_of::<::c_int>() - 1;
55	+ } else {
56	+ #[doc(hidden)]
57	+ pub const _ALIGNBYTES: usize = 4 - 1;
58	+ }
59	+}
60	+
61	+pub const MAP_32BIT: ::c_int = 0x00080000;
62	+pub const MINSIGSTKSZ: ::size_t = 2048; // 512 * 4

Lines 136-142 man/man1/suricata.1.gz Link Here

(-)b/security/suricata/pkg-plist (-1 / +3 lines)
136	%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/util.pyc	136	%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/util.pyc
137	%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.py	137	%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.py
138	%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.pyc	138	%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.pyc
139	%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata_update-1.2.2-py%%PYTHON_VER%%.egg-info	139	%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata_update-1.2.3-py%%PYTHON_VER%%.egg-info
140	%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.py	140	%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.py
141	%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.pyc	141	%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.pyc
142	%%DATADIR%%/rules/app-layer-events.rules	142	%%DATADIR%%/rules/app-layer-events.rules
Lines 146-154 man/man1/suricata.1.gz Link Here
146	%%DATADIR%%/rules/dns-events.rules	146	%%DATADIR%%/rules/dns-events.rules
147	%%DATADIR%%/rules/files.rules	147	%%DATADIR%%/rules/files.rules
148	%%DATADIR%%/rules/http-events.rules	148	%%DATADIR%%/rules/http-events.rules
		149	%%DATADIR%%/rules/http2-events.rules
149	%%DATADIR%%/rules/ipsec-events.rules	150	%%DATADIR%%/rules/ipsec-events.rules
150	%%DATADIR%%/rules/kerberos-events.rules	151	%%DATADIR%%/rules/kerberos-events.rules
151	%%DATADIR%%/rules/modbus-events.rules	152	%%DATADIR%%/rules/modbus-events.rules
		153	%%DATADIR%%/rules/mqtt-events.rules
152	%%DATADIR%%/rules/nfs-events.rules	154	%%DATADIR%%/rules/nfs-events.rules
153	%%DATADIR%%/rules/ntp-events.rules	155	%%DATADIR%%/rules/ntp-events.rules
154	%%DATADIR%%/rules/smb-events.rules	156	%%DATADIR%%/rules/smb-events.rules