Nmap service detection Segmentation fault (core dumped)

Question

The Problem

When I use nmap with the service detection flag(-sV) I get a Segmentation fault at the end of the scan. It doesn't matter which IP Address or domain, as long as it can scan it. I am using Ubuntu 22.04 with nmap Version 7.91+dfsg1+really7.80+dfsg1-2build1, but running nmap --version gives:

Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.6 openssl-3.0.0 nmap-libssh2-1.8.2 libz-1.2.11 libpcre-8.39 libpcap-1.10.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Sample Output:

Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-30 17:05 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00027s latency).
rDNS record for 127.0.0.1: rez-latitude
Not shown: 995 closed ports
PORT    STATE SERVICE      VERSION
25/tcp  open  smtp         Postfix smtpd
80/tcp  open  http         Apache httpd 2.4.54 ((Ubuntu))
443/tcp open  ssl/https    Apache/2.4.54 (Ubuntu)
631/tcp open  ipp          CUPS 2.4
783/tcp open  spamassassin SpamAssassin spamd
Service Info: Host:  rez-latitude.lan

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.60 seconds
Segmentation fault (core dumped)

So is there any way so fix the segmentation fault??

Research

When debugging with gdb(Gnu Debugger) by running gdb nmap, I installed some debug symbols packages as @Bram suggested, I used the find-dbgsym-packages command from the debian-goodies package to find the necessarily packages to get the full trace of the crash, here is the output:

GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from nmap...
Reading symbols from /usr/lib/debug/.build-id/ab/eaeb9c57cd40a2fca33be55267d325a72233b7.debug...
(gdb) run -sV localhost
Starting program: /usr/bin/nmap -sV localhost
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff4881640 (LWP 1231874)]
[New Thread 0x7ffff4080640 (LWP 1231875)]
[New Thread 0x7fffeb87f640 (LWP 1231876)]
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-06 09:59 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00024s latency).
rDNS record for 127.0.0.1: rez-latitude
Not shown: 994 closed ports
PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
25/tcp  open  smtp         Postfix smtpd
80/tcp  open  http         Apache httpd 2.4.54 ((Ubuntu))
443/tcp open  ssl/https    Apache/2.4.54 (Ubuntu)
631/tcp open  ipp          CUPS 2.4
783/tcp open  spamassassin SpamAssassin spamd
Service Info: Host:  rez-latitude.lan; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.72 seconds

Thread 1 "nmap" received signal SIGSEGV, Segmentation fault.
___pthread_rwlock_rdlock (rwlock=0x0) at ./nptl/pthread_rwlock_rdlock.c:26
26  ./nptl/pthread_rwlock_rdlock.c: No such file or directory.
(gdb) where
#0  ___pthread_rwlock_rdlock (rwlock=0x0) at ./nptl/pthread_rwlock_rdlock.c:26
#1  0x00007ffff7ba740d in CRYPTO_THREAD_read_lock (lock=<optimized out>)
    at ../crypto/threads_pthread.c:85
#2  0x00007ffff7b9a726 in ossl_lib_ctx_get_data (
    ctx=0x7ffff7e234e0 <default_context_int.lto_priv>, index=1, 
    meth=0x7ffff7dda7e0 <provider_store_method.lto_priv>) at ../crypto/context.c:362
#3  0x00007ffff7bae8ca in get_provider_store (libctx=<optimized out>)
    at ../crypto/provider_core.c:334
#4  ossl_provider_deregister_child_cb (handle=0x555555dc7520)
    at ../crypto/provider_core.c:1755
#5  0x00007ffff7b9ac6f in ossl_provider_deinit_child (ctx=0x555555dce0b0)
    at ../crypto/provider_child.c:279
#6  OSSL_LIB_CTX_free (ctx=0x555555dce0b0) at ../crypto/context.c:247
#7  OSSL_LIB_CTX_free (ctx=0x555555dce0b0) at ../crypto/context.c:240
#8  0x00007fffdada98f6 in legacy_teardown (provctx=0x555555dc77e0)
    at ../providers/legacyprov.c:168
#9  0x00007ffff7baed3b in ossl_provider_teardown (prov=0x555555dc7520)
    at ../crypto/provider_core.c:1480
#10 ossl_provider_free (prov=0x555555dc7520) at ../crypto/provider_core.c:686
#11 0x00007ffff7b79736 in ossl_provider_free (prov=<optimized out>)
    at ../crypto/provider_core.c:671
#12 evp_cipher_free_int (cipher=0x555555e4b420) at ../crypto/evp/evp_enc.c:1635
#13 EVP_CIPHER_free (cipher=0x555555e4b420) at ../crypto/evp/evp_enc.c:1650
#14 0x00007ffff7e609cd in ssl_evp_cipher_free (cipher=0x555555e4b420)
    at ../ssl/ssl_lib.c:5951
#15 ssl_evp_cipher_free (cipher=0x555555e4b420) at ../ssl/ssl_lib.c:5941
#16 SSL_CTX_free (a=0x555555dccd70) at ../ssl/ssl_lib.c:3477
--Type <RET> for more, q to quit, c to continue without paging--RET
#17 SSL_CTX_free (a=0x555555dccd70) at ../ssl/ssl_lib.c:3414
#18 0x0000555555624d33 in nsock_pool_delete (ms_pool=0x555555da4c60)
    at nsock/src/nsock_pool.c:290
#19 0x000055555560b2bf in gc_pool (L=<optimized out>)
    at /build/nmap-gXJEwe/nmap-7.91+dfsg1+really7.80+dfsg1/nse_nsock.cc:77
#20 0x00007ffff797aad6 in luaD_precall (L=L@entry=0x555555da1708, func=0x5555568f7ae0, 
    nresults=nresults@entry=0) at /build/lua5.3-5AFsFS/lua5.3-5.3.6/src/ldo.c:434
#21 0x00007ffff797b2d9 in luaD_call (nResults=0, func=<optimized out>, L=0x555555da1708)
    at /build/lua5.3-5AFsFS/lua5.3-5.3.6/src/ldo.c:498
#22 luaD_callnoyield (nResults=0, func=<optimized out>, L=0x555555da1708)
    at /build/lua5.3-5AFsFS/lua5.3-5.3.6/src/ldo.c:509
#23 dothecall (L=L@entry=0x555555da1708, ud=ud@entry=0x0)
    at /build/lua5.3-5AFsFS/lua5.3-5.3.6/src/lgc.c:803
#24 0x00007ffff7973747 in luaD_rawrunprotected (L=L@entry=0x555555da1708, 
    f=f@entry=0x7ffff797b2a0 <dothecall>, ud=ud@entry=0x0)
    at /build/lua5.3-5AFsFS/lua5.3-5.3.6/src/ldo.c:142
#25 0x00007ffff7975fdb in luaD_pcall (L=L@entry=0x555555da1708, 
    func=func@entry=0x7ffff797b2a0 <dothecall>, u=u@entry=0x0, old_top=16, ef=ef@entry=0)
    at /build/lua5.3-5AFsFS/lua5.3-5.3.6/src/ldo.c:729
#26 0x00007ffff7974861 in GCTM (L=0x555555da1708, propagateerrors=0)
    at /build/lua5.3-5AFsFS/lua5.3-5.3.6/src/lgc.c:823
#27 0x00007ffff797ceba in callallpendingfinalizers (L=<optimized out>)
    at /build/lua5.3-5AFsFS/lua5.3-5.3.6/src/lgc.c:862
#28 luaC_freeallobjects (L=0x555555da1708)
    at /build/lua5.3-5AFsFS/lua5.3-5.3.6/src/lgc.c:971
#29 close_state (L=0x555555da1708) at /build/lua5.3-5AFsFS/lua5.3-5.3.6/src/lstate.c:245
#30 0x00005555555b6919 in close_nse ()
--Type <RET> for more, q to quit, c to continue without paging--RET
    at /build/nmap-gXJEwe/nmap-7.91+dfsg1+really7.80+dfsg1/nse_main.cc:836
#31 NmapOps::~NmapOps (this=<optimized out>, this=<optimized out>)
    at /build/nmap-gXJEwe/nmap-7.91+dfsg1+really7.80+dfsg1/NmapOps.cc:199
#32 0x00007ffff7455495 in __run_exit_handlers (status=0, 
    listp=0x7ffff7629838 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, 
    run_dtors=run_dtors@entry=true) at ./stdlib/exit.c:113
#33 0x00007ffff7455610 in __GI_exit (status=<optimized out>) at ./stdlib/exit.c:143
#34 0x00007ffff7439d97 in __libc_start_call_main (
    main=main@entry=0x55555558b9c0 <main(int, char**)>, argc=argc@entry=3, 
    argv=argv@entry=0x7fffffffdf58) at ../sysdeps/nptl/libc_start_call_main.h:74
#35 0x00007ffff7439e40 in __libc_start_main_impl (
    main=0x55555558b9c0 <main(int, char**)>, argc=3, argv=0x7fffffffdf58, 
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
    stack_end=0x7fffffffdf48) at ../csu/libc-start.c:392
#36 0x000055555558c1b5 in _start ()
(gdb) list
21  in ./nptl/pthread_rwlock_rdlock.c
(gdb) quit
A debugging session is active.

    Inferior 1 [process 1231857] will be killed.

Quit anyway? (y or n) y

When using valgrind with the --track-origins=yes flag to debug the crash I got:

==1377174== Memcheck, a memory error detector
==1377174== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1377174== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==1377174== Command: /usr/bin/nmap -sV localhost
==1377174== 
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-06 21:17 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00051s latency).
rDNS record for 127.0.0.1: rez-latitude
Not shown: 994 closed ports
PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
25/tcp  open  smtp         Postfix smtpd
80/tcp  open  http         Apache httpd 2.4.54 ((Ubuntu))
443/tcp open  ssl/https    Apache/2.4.54 (Ubuntu)
631/tcp open  ipp          CUPS 2.4
783/tcp open  spamassassin SpamAssassin spamd
Service Info: Host:  rez-latitude.lan; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.65 seconds
==1377174== Invalid read of size 4
==1377174==    at 0x527B6CC: __pthread_rwlock_rdlock_full64 (pthread_rwlock_common.c:298)
==1377174==    by 0x527B6CC: pthread_rwlock_rdlock@@GLIBC_2.34 (pthread_rwlock_rdlock.c:26)
==1377174==    by 0x4BB240C: CRYPTO_THREAD_read_lock (threads_pthread.c:85)
==1377174==    by 0x4BA5725: ossl_lib_ctx_get_data (context.c:362)
==1377174==    by 0x4BB98C9: UnknownInlinedFun (provider_core.c:334)
==1377174==    by 0x4BB98C9: ossl_provider_deregister_child_cb (provider_core.c:1755)
==1377174==    by 0x4BA5C6E: UnknownInlinedFun (provider_child.c:279)
==1377174==    by 0x4BA5C6E: UnknownInlinedFun (context.c:247)
==1377174==    by 0x4BA5C6E: OSSL_LIB_CTX_free (context.c:240)
==1377174==    by 0x48638F5: legacy_teardown (legacyprov.c:168)
==1377174==    by 0x4BB9D3A: UnknownInlinedFun (provider_core.c:1480)
==1377174==    by 0x4BB9D3A: ossl_provider_free.part.0 (provider_core.c:686)
==1377174==    by 0x4B84735: UnknownInlinedFun (provider_core.c:671)
==1377174==    by 0x4B84735: UnknownInlinedFun (evp_enc.c:1635)
==1377174==    by 0x4B84735: EVP_CIPHER_free (evp_enc.c:1650)
==1377174==    by 0x49859CC: UnknownInlinedFun (ssl_lib.c:5951)
==1377174==    by 0x49859CC: UnknownInlinedFun (ssl_lib.c:5941)
==1377174==    by 0x49859CC: UnknownInlinedFun (ssl_lib.c:3477)
==1377174==    by 0x49859CC: SSL_CTX_free (ssl_lib.c:3414)
==1377174==    by 0x1D8D32: nsock_pool_delete (nsock_pool.c:290)
==1377174==    by 0x1BF2BE: gc_pool(lua_State*) (nse_nsock.cc:77)
==1377174==    by 0x4E82AD5: luaD_precall (ldo.c:434)
==1377174==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==1377174== 
==1377174== 
==1377174== Process terminating with default action of signal 11 (SIGSEGV)
==1377174==  Access not within mapped region at address 0x18
==1377174==    at 0x527B6CC: __pthread_rwlock_rdlock_full64 (pthread_rwlock_common.c:298)
==1377174==    by 0x527B6CC: pthread_rwlock_rdlock@@GLIBC_2.34 (pthread_rwlock_rdlock.c:26)
==1377174==    by 0x4BB240C: CRYPTO_THREAD_read_lock (threads_pthread.c:85)
==1377174==    by 0x4BA5725: ossl_lib_ctx_get_data (context.c:362)
==1377174==    by 0x4BB98C9: UnknownInlinedFun (provider_core.c:334)
==1377174==    by 0x4BB98C9: ossl_provider_deregister_child_cb (provider_core.c:1755)
==1377174==    by 0x4BA5C6E: UnknownInlinedFun (provider_child.c:279)
==1377174==    by 0x4BA5C6E: UnknownInlinedFun (context.c:247)
==1377174==    by 0x4BA5C6E: OSSL_LIB_CTX_free (context.c:240)
==1377174==    by 0x48638F5: legacy_teardown (legacyprov.c:168)
==1377174==    by 0x4BB9D3A: UnknownInlinedFun (provider_core.c:1480)
==1377174==    by 0x4BB9D3A: ossl_provider_free.part.0 (provider_core.c:686)
==1377174==    by 0x4B84735: UnknownInlinedFun (provider_core.c:671)
==1377174==    by 0x4B84735: UnknownInlinedFun (evp_enc.c:1635)
==1377174==    by 0x4B84735: EVP_CIPHER_free (evp_enc.c:1650)
==1377174==    by 0x49859CC: UnknownInlinedFun (ssl_lib.c:5951)
==1377174==    by 0x49859CC: UnknownInlinedFun (ssl_lib.c:5941)
==1377174==    by 0x49859CC: UnknownInlinedFun (ssl_lib.c:3477)
==1377174==    by 0x49859CC: SSL_CTX_free (ssl_lib.c:3414)
==1377174==    by 0x1D8D32: nsock_pool_delete (nsock_pool.c:290)
==1377174==    by 0x1BF2BE: gc_pool(lua_State*) (nse_nsock.cc:77)
==1377174==    by 0x4E82AD5: luaD_precall (ldo.c:434)
==1377174==  If you believe this happened as a result of a stack
==1377174==  overflow in your program's main thread (unlikely but
==1377174==  possible), you can try to increase the size of the
==1377174==  main thread stack using the --main-stacksize= flag.
==1377174==  The main thread stack size used in this run was 8388608.
==1377174== 
==1377174== HEAP SUMMARY:
==1377174==     in use at exit: 20,463,686 bytes in 197,745 blocks
==1377174==   total heap usage: 807,909 allocs, 610,164 frees, 221,766,054 bytes allocated
==1377174== 
==1377174== LEAK SUMMARY:
==1377174==    definitely lost: 0 bytes in 0 blocks
==1377174==    indirectly lost: 0 bytes in 0 blocks
==1377174==      possibly lost: 139,052 bytes in 10 blocks
==1377174==    still reachable: 20,324,634 bytes in 197,735 blocks
==1377174==         suppressed: 0 bytes in 0 blocks
==1377174== Rerun with --leak-check=full to see details of leaked memory
==1377174== 
==1377174== For lists of detected and suppressed errors, rerun with: -s
==1377174== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)

Searching it on the web and I found out that ./nptl/pthread_rwlock_rdlock.c seems to be from glibc(source) but I can't find posts having anything related to my problem. nptl seems to be something called Native POSIX Threads Library

By searching the file pthread_rwlock_rdlock.c with apt-file find(https://wiki.debian.org/apt-file) I only found:

emscripten: /usr/share/emscripten/system/lib/libc/musl/src/thread/pthread_rwlock_rdlock.c

apt-cache show libc6 shows:

Package: libc6
Architecture: amd64
Version: 2.35-0ubuntu3.1
Multi-Arch: same
Priority: required
Section: libs
Source: glibc
Origin: Ubuntu
Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: GNU Libc Maintainers <[email protected]>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 13592
Depends: libgcc-s1, libcrypt1 (>= 1:4.4.10-10ubuntu4)
Recommends: libidn2-0 (>= 2.0.5~), libnss-nis, libnss-nisplus
Suggests: glibc-doc, debconf | debconf-2.0, locales
Breaks: busybox (<< 1.30.1-6), fakeroot (<< 1.25.3-1.1ubuntu2~), hurd (<< 1:0.9.git20170910-1), ioquake3 (<< 1.36+u20200211.f2c61c1~dfsg-2~), iraf-fitsutil (<< 2018.07.06-4), libgegl-0.4-0 (<< 0.4.18), libtirpc1 (<< 0.2.3), locales (<< 2.35), locales-all (<< 2.35), macs (<< 2.2.7.1-3~), nocache (<< 1.1-1~), nscd (<< 2.35), openarena (<< 0.8.8+dfsg-4~), openssh-server (<< 1:8.2p1-4), r-cran-later (<< 0.7.5+dfsg-2), wcc (<< 0.0.2+dfsg-3)
Replaces: libc6-amd64
Filename: pool/main/g/glibc/libc6_2.35-0ubuntu3.1_amd64.deb
Size: 3235278
MD5sum: fd3eab380955d1e259e9994d2b403f64
SHA1: 44792f0e04d468c6440ac00cb98a7c1ad740bdbf
SHA256: f84e4f7896002f01c8e36fc3aed6f9c450974164078a87d051c2582da8634bcb
SHA512: 7225eb92b276153d0fff9184776a8ac75d9358401b0b92afd9af8321f51972cf79677df19ca693210f4cea396ce570ee6a121e215c10ac6d727ad2c1daa8783b
Homepage: https://www.gnu.org/software/libc/libc.html
Description-en: GNU C Library: Shared libraries
 Contains the standard libraries that are used by nearly all programs on
 the system. This package includes shared versions of the standard C library
 and the standard math library, as well as many others.
Description-md5: fc3001b0b90a1c8e6690b283a619d57f
Task: minimal, server-minimal
Original-Vcs-Browser: https://salsa.debian.org/glibc-team/glibc
Original-Vcs-Git: https://salsa.debian.org/glibc-team/glibc.git

Package: libc6
Architecture: amd64
Version: 2.35-0ubuntu3
Multi-Arch: same
Priority: required
Section: libs
Source: glibc
Origin: Ubuntu
Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: GNU Libc Maintainers <[email protected]>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 13592
Depends: libgcc-s1, libcrypt1 (>= 1:4.4.10-10ubuntu4)
Recommends: libidn2-0 (>= 2.0.5~), libnss-nis, libnss-nisplus
Suggests: glibc-doc, debconf | debconf-2.0, locales
Breaks: busybox (<< 1.30.1-6), fakeroot (<< 1.25.3-1.1ubuntu2~), hurd (<< 1:0.9.git20170910-1), ioquake3 (<< 1.36+u20200211.f2c61c1~dfsg-2~), iraf-fitsutil (<< 2018.07.06-4), libgegl-0.4-0 (<< 0.4.18), libtirpc1 (<< 0.2.3), locales (<< 2.35), locales-all (<< 2.35), macs (<< 2.2.7.1-3~), nocache (<< 1.1-1~), nscd (<< 2.35), openarena (<< 0.8.8+dfsg-4~), openssh-server (<< 1:8.2p1-4), r-cran-later (<< 0.7.5+dfsg-2), wcc (<< 0.0.2+dfsg-3)
Replaces: libc6-amd64
Filename: pool/main/g/glibc/libc6_2.35-0ubuntu3_amd64.deb
Size: 3235142
MD5sum: a5195b20efd4841287f8c6c955af72ca
SHA1: acb061472bf9d12b2ebb1237ace2bc28843e33c9
SHA256: ea9a27e0ebdd0cfc9c750d94f8074f3a35d1f97dcc77ae04c370fb498a6b6db2
SHA512: 7f129f7f0bf22e542e47e125b1b1b852c9078e2e5f151210e307ac53b96b2c7708178ee6bdce3494bc39de2269949773e71cd7dd61f67bb3dc3c0d372e56ffae
Homepage: https://www.gnu.org/software/libc/libc.html
Description-en: GNU C Library: Shared libraries
 Contains the standard libraries that are used by nearly all programs on
 the system. This package includes shared versions of the standard C library
 and the standard math library, as well as many others.
Description-md5: fc3001b0b90a1c8e6690b283a619d57f
Task: minimal, server-minimal
Original-Vcs-Browser: https://salsa.debian.org/glibc-team/glibc
Original-Vcs-Git: https://salsa.debian.org/glibc-team/glibc.git

Check first which nmap binary you are running: $ which nmap because the version mismatch is suspect. If it indeed uses /usr/bin/map then I advise you to install its debug symbols with: $ sudo apt install nmap-dbgsym and redo the gdb session. Also type where in the gdb prompt after the crash. — Bram, Commented Jan 4, 2023 at 20:49
@Bram, which nmap generates /usr/bin/nmap and when I run dpkg -S /usr/bin/nmap gives nmap: /usr/bin/nmap which means that the binary file does belong to nmap deb package and there doesn't seem to be a package named nmap-dbgsym — MandiYang, Commented Jan 5, 2023 at 9:02
Wow, that's quite a deep callstack. It crashes during lua garbage collection. So, what would really help is tracking what out-of-bounds memory-accesses are performed. The tool to use this for is valgrind. See my updated answer. — Bram, Commented Jan 6, 2023 at 20:04
Maybe it has to do something with the libthread_db.so.1 installed by the libc6 package? — starkus, Commented Jan 8, 2023 at 13:10

Bram · Accepted Answer · 2023-01-06 20:08:49Z

Sanity Check

As a sanity check, do which nmap and if it is indeed /usr/bin/nmap then also try a reinstall first, in case the file was damaged (from running out of diskspace, or something.)

$ sudo dpkg --purge nmap
$ sudo apt install nmap

And see if it still crashes.

Debuging

To debug crashes in Ubuntu, you need debug symbols.

By default, debug symbols are not included in the Ubuntu OS.

You have to enable them as follows:

$ echo "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted universe multiverse
deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted universe multiverse
deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted universe multiverse" | \
sudo tee -a /etc/apt/sources.list.d/ddebs.list

Get the signing key:

$ sudo apt install ubuntu-dbgsym-keyring

Get the dbgsym package for nmap

$ sudo apt update
$ sudo apt install nmap-dbgsym

When you catch the crash in gdb, type where and it should list line numbers.

NOTE: Sometimes you need to add more dbgsym package for dependencies, to see further into the callstack. E.g. if nmap depends on libssl3 and crashes in ssl code, then do sudo apt install libssl3-dbgsym as well. Repeat until all functions in the callstack have line numbers for them. This provides you with a full trace of where the crash occurred and should help you find the bug.

Run-time bounds-checking

Another debugging tool that is helpful in this case, is valgrind.

It will let you track if and when the code tries to use freed memory, or access memory out of bounds.

$ sudo apt install valgrind
$ valgrind --track-origins=yes /usr/bin/nmap -sV

From what I can gather, I think it is likely that you found a bug in nmap. It could make sense to try a newer version of nmap, and even build it from source, if you have to.

I actually tried a newer version of nmap(7.93) installed from rpm by using alien and the problem doesn't appear anymore. But is the ubuntu package the problem or nmap itself? — MandiYang, Commented Jan 6, 2023 at 20:39
The version in Ubuntu could be running an old nmap with an old bug, yes. What version of Ubuntu do you run? cat /etc/issue — Bram, Commented Jan 6, 2023 at 21:29

Stack Exchange Network

Nmap service detection Segmentation fault (core dumped)

The Problem

Research

1 Answer 1

Sanity Check

Debuging

Run-time bounds-checking

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged
segmentation-fault
glibc
nmap
.

Hot Network Questions

Nmap service detection Segmentation fault (core dumped)

The Problem

Research

1 Answer 1

Sanity Check

Debuging

Run-time bounds-checking

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged segmentation-faultglibcnmap.

Related

Hot Network Questions

Not the answer you're looking for? Browse other questions tagged
segmentation-fault
glibc
nmap
.