2025-09-14 21:52:36 +00:00
# M22: Signature中引用不合法的LUA脚本执行报错时导致工作线程严重锁冲突
| ID | Creation Date | Assignee | Status |
|----|----------------|----------|--------|
| OMPUB-1256 | 2024-04-23T17:29:38.000+0800 | 杨威 | 已关闭 |
---
* M22: Signature中引用不合法的LUA脚本执行报错时导致工作线程严重锁冲突
** lua脚本见附件
** 栈信息:
** *
{code:java}
< optimized out > , offset=< optimized out > )
*
**
** *
{code:java}
(gdb) thr 196
[Switching to thread 196 (Thread 0x7ffa4abff700 (LWP 306))]
#0
(gdb) bt
#0
#1
#2
#3
#4
#5
#6
#7
#8
#9
#10 0x00007ffe34a63cfc in lj_err_optype () from /opt/tsg/framework/lib/libelua.so
#11 0x00007ffe34a84f86 in lj_meta_tget () from /opt/tsg/framework/lib/libelua.so
#12 0x00007ffe34a7f79b in lj_vmeta_tgetv () from /opt/tsg/framework/lib/libelua.so
#13 0x00007ffe34a6d32c in lua_pcall () from /opt/tsg/framework/lib/libelua.so
#14 0x00007ffe34a62699 in elua_execute_script(elua_script*, char const*, unsigned long, void*, elua_context*, elua_data*) () from /opt/tsg/framework/lib/libelua.so
#15 0x00007ffe34ce1acd in app_sketch_call_lua_script(session*, elua_vm*, lua_rt_info*, char*, unsigned long, lua_extract_attribute*, int) () from ./stellar_plugin/context_based_detector.so
#16 0x00007ffe34cdf690 in session_lua_script_exec(session*, lua_runtime_context const*, int) () from ./stellar_plugin/context_based_detector.so
#17 0x00007ffe34cded94 in context_based_detector_session_entry(session*, int, packet const*, void*) () from ./stellar_plugin/context_based_detector.so
#18 0x00007ffe383f5b42 in session_dispatch () from ./plug/stellar_on_sapp/stellar_on_sapp.so
#19 0x00007ffe383f4394 in adapter_session_state_update () from ./plug/stellar_on_sapp/stellar_on_sapp.so
#20 0x00007ffe383f3433 in loader_transfer_stream_entry.constprop () from ./plug/stellar_on_sapp/stellar_on_sapp.so
#21 0x0000000000436915 in plugin_call_streamentry (type=type@entry=2, pFunInfo=pFunInfo@entry=0x7ff9619929e4, a_stream=a_stream@entry=0x7fff40e9839c, transport_hdr=transport_hdr@entry=0x0,
@entry =0x5002f4a60d80) at /home/yangwei/platform/sapp/src/dealpkt/callapp.c:300
#22 0x0000000000436cf5 in call_streamentry (a_stream=a_stream@entry=0x7fff40e9839c, this_iphdr=this_iphdr@entry=0x5002f4a60d80, transport_hdr=transport_hdr@entry=0x5002f4a60d94,
@entry =0x7ffa4abfe1c0, pFunInfo=pFunInfo@entry =0x7ff9619929e4) at /home/yangwei/platform/sapp/src/dealpkt/callapp.c:519
#23 0x0000000000437442 in stream_state_data_process (funnum=<optimized out>, pfunAarry=0x9a7ba0 <g_StreamTcpAllFun>, smart_offload_flag=2 '\002',
< incomplete sequence \345 > , apme=0x7ff961992694, raw_pkt=0x7ffa4abfe1c0, transport_hdr=0x5002f4a60d94, this_iphdr=0x5002f4a60d80,
#24 stream_process (a_stream=a_stream@entry=0x7fff40e9839c, this_iphdr=this_iphdr@entry=0x5002f4a60d80, transport_hdr=transport_hdr@entry=0x5002f4a60d94, raw_pkt=raw_pkt@entry=0x7ffa4abfe1c0,
< optimized out > , pfunAarry=pfunAarry@entry =0x9a7ba0 < g_StreamTcpAllFun > , apme=0x7ff961992694, opstate=0x7fff40e983b9 "\003\001\001", < incomplete sequence \345 > ,
#25 0x00000000004379a7 in stream_process_tcp_allpkt (a_tcp=a_tcp@entry=0x7fff40e9839c, this_iphdr=this_iphdr@entry=0x5002f4a60d80, transport_hdr=transport_hdr@entry=0x5002f4a60d94,
@entry =0x7ffa4abfe1c0, apme=apme@entry =0x7ff961992694, popstate=popstate@entry =0x7fff40e983b9 "\003\001\001", < incomplete sequence \345 > )
#26 0x000000000043dfaa in deal_tcp_stream (pindex=pindex@entry=0x5002f4a60d28, this_iphdr=this_iphdr@entry=0x5002f4a60d80, this_tcphdr=0x5002f4a60d94, tcplen=1412,
@entry =0x7ffa4abfe1c0, offset_to_raw_pkt_hdr=< optimized out > ) at /home/yangwei/platform/sapp/src/dealpkt/deal_tcp.c:3180
#27 0x000000000043efa4 in dealtcppkt (offset_to_raw_pkt_hdr=<optimized out>, raw_packet=0x7ffa4abfe1c0, tcpdatalen=<optimized out>, routedir=1 '\001', thread_num=<optimized out>,
< optimized out > , this_iphdr=0x5002f4a60d80, pfindex=0x5002f4a60d28) at /home/yangwei/platform/sapp/src/dealpkt/deal_tcp.c:3262
#28 dealipv4tcppkt (pfindex=pfindex@entry=0x5002f4a60d28, this_iphdr=this_iphdr@entry=0x5002f4a60d80, thread_num=<optimized out>, routedir=routedir@entry=1 '\001',
@entry =0x7ffa4abfe1c0, offset_to_raw_pkt_hdr=< optimized out > ) at /home/yangwei/platform/sapp/src/dealpkt/deal_tcp.c:3314
#29 0x0000000000446f0c in process_ipv4_pkt (pfindex=0x5002f4a60d28, pfindex@entry=0x7ffa4abfd4b0, a_packet=a_packet@entry=0x5002f4a60d80, thread_num=thread_num@entry=23,
@entry =1 '\001', raw_pkt=raw_pkt@entry =0x7ffa4abfe1c0, offset_to_raw_pkt_hdr=1, offset_to_raw_pkt_hdr@entry =14) at /home/yangwei/platform/sapp/src/dealpkt/deal_udp.c:1140
#30 0x000000000043885b in ipv4_entry (pfstream_pr=<optimized out>, this_layer_data=this_layer_data@entry=0x5002f4a60d80, thread_num=thread_num@entry=23, routedir=routedir@entry=1 '\001',
@entry =0x7ffa4abfe1c0, offset_to_raw_pkt_hdr=< optimized out > ) at /home/yangwei/platform/sapp/src/dealpkt/deal_ipv4.c:785
#31 0x0000000000444a44 in eth_entry (fstream_pr=fstream_pr@entry=0x0, this_layer_hdr=0x5002f4a60d72, thread_num=thread_num@entry=23, dir=<optimized out>, raw_pkt=raw_pkt@entry=0x7ffa4abfe1c0,
@entry =0) at /home/yangwei/platform/sapp/src/dealpkt/deal_ethernet.c:177
#32 0x000000000042fdf2 in mesa_default_pkt_cb (p_raw_pkt=0x7ffa4abfe1c0, dir=<optimized out>, thread_num=<optimized out>) at /home/yangwei/platform/sapp/src/packet_io/packet_io.c:652
#33 0x0000000000513c07 in marsio4_pkt_hand (dir=0 '\000', raw_pkt=0x7ffa4abfe1c0, rx_buff=0x5002f4a60bc0, tid=23) at /home/yangwei/platform/sapp/src/packet_io/packet_io_marsio.c:797
#34 marsio4_process_packet (tid=tid@entry=23, raw_pkt=raw_pkt@entry=0x7ffa4abfe1c0) at /home/yangwei/platform/sapp/src/packet_io/packet_io_marsio.c:841
#35 0x0000000000514311 in marsio4_worker (arg=<optimized out>) at /home/yangwei/platform/sapp/src/packet_io/packet_io_marsio.c:999
#36 0x00007ffff67e21ca in start_thread () from /lib64/libpthread.so.0
#37 0x00007ffff56d0e73 in clone () from /lib64/libc.so.6 {code}
*
**
** *
{code:java}
(gdb) thr 197
[Switching to thread 197 (Thread 0x7ffa49dff700 (LWP 307))]
#0
(gdb) bt
#0
#1
#2
#3
#4
#5
#6
#7
#8
#9
#10 0x00007ffe34a63cfc in lj_err_optype () from /opt/tsg/framework/lib/libelua.so
#11 0x00007ffe34a84f86 in lj_meta_tget () from /opt/tsg/framework/lib/libelua.so
#12 0x00007ffe34a7f79b in lj_vmeta_tgetv () from /opt/tsg/framework/lib/libelua.so
#13 0x00007ffe34a6d32c in lua_pcall () from /opt/tsg/framework/lib/libelua.so
#14 0x00007ffe34a62699 in elua_execute_script(elua_script*, char const*, unsigned long, void*, elua_context*, elua_data*) () from /opt/tsg/framework/lib/libelua.so
#15 0x00007ffe34ce1acd in app_sketch_call_lua_script(session*, elua_vm*, lua_rt_info*, char*, unsigned long, lua_extract_attribute*, int) () from ./stellar_plugin/context_based_detector.so
#16 0x00007ffe34cdf690 in session_lua_script_exec(session*, lua_runtime_context const*, int) () from ./stellar_plugin/context_based_detector.so
#17 0x00007ffe34cded94 in context_based_detector_session_entry(session*, int, packet const*, void*) () from ./stellar_plugin/context_based_detector.so
#18 0x00007ffe383f5b42 in session_dispatch () from ./plug/stellar_on_sapp/stellar_on_sapp.so
#19 0x00007ffe383f4394 in adapter_session_state_update () from ./plug/stellar_on_sapp/stellar_on_sapp.so
#20 0x00007ffe383f3433 in loader_transfer_stream_entry.constprop () from ./plug/stellar_on_sapp/stellar_on_sapp.so
#21 0x0000000000436915 in plugin_call_streamentry (type=type@entry=2, pFunInfo=pFunInfo@entry=0x7ff8f12df624, a_stream=a_stream@entry=0x7fff436afadc, transport_hdr=transport_hdr@entry=0x0,
@entry =0x50040d289c04) at /home/yangwei/platform/sapp/src/dealpkt/callapp.c:300
#22 0x0000000000436cf5 in call_streamentry (a_stream=a_stream@entry=0x7fff436afadc, this_iphdr=this_iphdr@entry=0x50040d289c04, transport_hdr=transport_hdr@entry=0x50040d289c18,
@entry =0x7ffa49dfe1c0, pFunInfo=pFunInfo@entry =0x7ff8f12df624) at /home/yangwei/platform/sapp/src/dealpkt/callapp.c:519
#23 0x0000000000437442 in stream_state_data_process (funnum=<optimized out>, pfunAarry=0x9a7ba0 <g_StreamTcpAllFun>, smart_offload_flag=2 '\002', opstate=0x7fff436afaf9 "\003\001\001?",
#24 stream_process (a_stream=a_stream@entry=0x7fff436afadc, this_iphdr=this_iphdr@entry=0x50040d289c04, transport_hdr=transport_hdr@entry=0x50040d289c18, raw_pkt=raw_pkt@entry=0x7ffa49dfe1c0,
< optimized out > , pfunAarry=pfunAarry@entry =0x9a7ba0 < g_StreamTcpAllFun > , apme=0x7ff8f12df2d4, opstate=0x7fff436afaf9 "\003\001\001?", smart_offload_flag=2 '\002')
#25 0x00000000004379a7 in stream_process_tcp_allpkt (a_tcp=a_tcp@entry=0x7fff436afadc, this_iphdr=this_iphdr@entry=0x50040d289c04, transport_hdr=transport_hdr@entry=0x50040d289c18,
@entry =0x7ffa49dfe1c0, apme=apme@entry =0x7ff8f12df2d4, popstate=popstate@entry =0x7fff436afaf9 "\003\001\001?") at /home/yangwei/platform/sapp/src/dealpkt/callapp.c:1167
#26 0x000000000043dfaa in deal_tcp_stream (pindex=pindex@entry=0x50040d289bac, this_iphdr=this_iphdr@entry=0x50040d289c04, this_tcphdr=0x50040d289c18, tcplen=1400,
@entry =0x7ffa49dfe1c0, offset_to_raw_pkt_hdr=< optimized out > ) at /home/yangwei/platform/sapp/src/dealpkt/deal_tcp.c:3180
#27 0x000000000043efa4 in dealtcppkt (offset_to_raw_pkt_hdr=<optimized out>, raw_packet=0x7ffa49dfe1c0, tcpdatalen=<optimized out>, routedir=1 '\001', thread_num=<optimized out>,
< optimized out > , this_iphdr=0x50040d289c04, pfindex=0x50040d289bac) at /home/yangwei/platform/sapp/src/dealpkt/deal_tcp.c:3262
#28 dealipv4tcppkt (pfindex=pfindex@entry=0x50040d289bac, this_iphdr=this_iphdr@entry=0x50040d289c04, thread_num=<optimized out>, routedir=routedir@entry=1 '\001',
@entry =0x7ffa49dfe1c0, offset_to_raw_pkt_hdr=< optimized out > ) at /home/yangwei/platform/sapp/src/dealpkt/deal_tcp.c:3314
#29 0x0000000000446f0c in process_ipv4_pkt (pfindex=0x50040d289bac, pfindex@entry=0x7ffa49dfd2f0, a_packet=a_packet@entry=0x50040d289c04, thread_num=thread_num@entry=24,
@entry =1 '\001', raw_pkt=raw_pkt@entry =0x7ffa49dfe1c0, offset_to_raw_pkt_hdr=1, offset_to_raw_pkt_hdr@entry =18) at /home/yangwei/platform/sapp/src/dealpkt/deal_udp.c:1140
#30 0x000000000043885b in ipv4_entry (pfstream_pr=pfstream_pr@entry=0x7ffa49dfd508, this_layer_data=this_layer_data@entry=0x50040d289c04, thread_num=thread_num@entry=24,
@entry =1 '\001', raw_pkt=raw_pkt@entry =0x7ffa49dfe1c0, offset_to_raw_pkt_hdr=< optimized out > ) at /home/yangwei/platform/sapp/src/dealpkt/deal_ipv4.c:785
#31 0x0000000000439d11 in mpls_uc_entry (pfstream_pr=<optimized out>, this_layer_data=this_layer_data@entry=0x50040d289c00, thread_num=thread_num@entry=24, routedir=routedir@entry=1 '\001',
@entry =0x7ffa49dfe1c0, offset_to_raw_pkt_hdr=14) at /home/yangwei/platform/sapp/src/dealpkt/deal_mpls.c:201
#32 0x0000000000444a80 in eth_entry (fstream_pr=fstream_pr@entry=0x0, this_layer_hdr=0x50040d289bf2, thread_num=thread_num@entry=24, dir=<optimized out>, raw_pkt=raw_pkt@entry=0x7ffa49dfe1c0,
@entry =0) at /home/yangwei/platform/sapp/src/dealpkt/deal_ethernet.c:203
#33 0x000000000042fdf2 in mesa_default_pkt_cb (p_raw_pkt=0x7ffa49dfe1c0, dir=<optimized out>, thread_num=<optimized out>) at /home/yangwei/platform/sapp/src/packet_io/packet_io.c:652
#34 0x0000000000513c07 in marsio4_pkt_hand (dir=0 '\000', raw_pkt=0x7ffa49dfe1c0, rx_buff=0x50040d289a40, tid=24) at /home/yangwei/platform/sapp/src/packet_io/packet_io_marsio.c:797
#35 marsio4_process_packet (tid=tid@entry=24, raw_pkt=raw_pkt@entry=0x7ffa49dfe1c0) at /home/yangwei/platform/sapp/src/packet_io/packet_io_marsio.c:841
#36 0x0000000000514311 in marsio4_worker (arg=<optimized out>) at /home/yangwei/platform/sapp/src/packet_io/packet_io_marsio.c:999
#37 0x00007ffff67e21ca in start_thread () from /lib64/libpthread.so.0
#38 0x00007ffff56d0e73 in clone () from /lib64/libc.so.6
(gdb) quit
{code}**gitlab** commented on *2024-04-24T11:25:18.872+0800* :
[冯伟浩|https://git.mesalab.cn/fengweihao] mentioned this issue in [a commit|https://git.mesalab.cn/appsketch/context_based_detector/-/commit/7934935e8446baa7cf727c56646fa006ee2f0e71] of [AppSketch / context_based_detector|https://git.mesalab.cn/appsketch/context_based_detector] on branch [develop-version|https://git.mesalab.cn/appsketch/context_based_detector/-/tree/develop-version]:{quote}OMPUB-1256: context_based_detector加载APP_SIG_LUA_SCRIPTS回调表过程中,
---
**yangwei** commented on *2024-04-24T15:57:27.640+0800* :
UI需要增加对用户导入的APP Lua脚本校验, , ,
[~fengweihao] 参考TSG Proxy Script,
---
**yangwei** commented on *2024-04-24T15:59:33.884+0800* :
功能端每个工作线程开启一个lua虚拟机, , ,
---
**fengweihao** commented on *2024-04-24T16:47:07.818+0800* :
luac-tool工具介绍如下:
关于Proxy:
* luac-tool增加context_based_detector中lua注册函数, ,
详情如下:
*
{code:java}
./luac-tool
luac-tool: ./luac-tool
usage: luac-tool [options] [filenames]
Available options are:
检查工具:
* -p 指定输入的lua脚本路径
* -t ( : )
* -m 指定当前检测的模块名,
* -r
样例如下:
*
{code:java}
检测tfe下的lua脚本:
# ./luac-tool -p run_script_hijack.lua -t 1000000 -m app -r string
message
返回值检测:
return_string_normal.lua 脚本内容如下
local str = "lua"
local payload=APP.data
openvpn_id ="openvpn"APP.context.c2s_count=1
APP.log_debug("LUA-String-704:", str)
APP.append_extra_info("openvpn_s2c_id", "str")
return string.len(str), str
脚本检测:
失败:
# ./luac-tool -p return_string_normal.lua -t 100000 -m app -r numeric
message
成功
# ./luac-tool -p return_string_normal.lua -t 100000 -m app -r string
正常APP_SIG_LUA_SCRIPTS脚本检测
./luac-tool -p OPENVPN_application.lua -t 100000 -m app -r bool{code}
检查工具:
* [^luac-tool]
---
2025-09-14 22:26:17 +00:00
# Attachments
2025-09-14 21:52:36 +00:00
2025-09-14 22:26:17 +00:00
Attachment: luac-tool
2025-09-14 22:27:11 +00:00
2025-09-14 22:26:17 +00:00
[luac-tool ](https://gfwleak.exec.li/admin/geedge-jira/raw/branch/master/attachment/56178/luac-tool )
2025-09-14 21:52:36 +00:00
2025-09-14 22:26:17 +00:00
Attachment: run_script_hijack.lua
2025-09-14 22:27:11 +00:00
2025-09-14 22:26:17 +00:00
[run_script_hijack.lua ](https://gfwleak.exec.li/admin/geedge-jira/raw/branch/master/attachment/56059/run_script_hijack.lua )
2025-09-14 21:52:36 +00:00
2025-09-14 22:26:17 +00:00
Attachment: run_script_insert.lua
2025-09-14 22:27:11 +00:00
2025-09-14 22:26:17 +00:00
[run_script_insert.lua ](https://gfwleak.exec.li/admin/geedge-jira/raw/branch/master/attachment/56060/run_script_insert.lua )
2025-09-14 21:52:36 +00:00
2025-09-14 22:26:17 +00:00
Attachment: run_script_log_error_replace_req_head.lua
2025-09-14 22:27:11 +00:00
2025-09-14 22:26:17 +00:00
[run_script_log_error_replace_req_head.lua ](https://gfwleak.exec.li/admin/geedge-jira/raw/branch/master/attachment/56061/run_script_log_error_replace_req_head.lua )
2025-09-14 21:52:36 +00:00
2025-09-14 22:26:17 +00:00
Attachment: run_script_log_error_replace_resbody.lua
2025-09-14 22:27:11 +00:00
2025-09-14 22:26:17 +00:00
[run_script_log_error_replace_resbody.lua ](https://gfwleak.exec.li/admin/geedge-jira/raw/branch/master/attachment/56062/run_script_log_error_replace_resbody.lua )
2025-09-14 21:52:36 +00:00
2025-09-14 22:26:17 +00:00
Attachment: run_script_redirect_uri.lua
2025-09-14 22:27:11 +00:00
2025-09-14 22:26:17 +00:00
[run_script_redirect_uri.lua ](https://gfwleak.exec.li/admin/geedge-jira/raw/branch/master/attachment/56065/run_script_redirect_uri.lua )
Attachment: run_script_redirect_uri+(1).lua
2025-09-14 22:27:11 +00:00
2025-09-14 22:26:17 +00:00
[run_script_redirect_uri+(1).lua ](https://gfwleak.exec.li/admin/geedge-jira/raw/branch/master/attachment/56064/run_script_redirect_uri+(1 ).lua)
Attachment: run_script_redirect_uri+(1)+(1).lua
2025-09-14 22:27:11 +00:00
2025-09-14 22:26:17 +00:00
[run_script_redirect_uri+(1)+(1).lua ](https://gfwleak.exec.li/admin/geedge-jira/raw/branch/master/attachment/56063/run_script_redirect_uri+(1 )+(1).lua)
2025-09-14 21:52:36 +00:00
