Bug #6782 » StreamingBufferAppend_crash.txt

Gianni Tedesco, 04/05/2024 02:41 AM

 
=================================================================
AddressSanitizer: heap-buffer-overflow on address 0x62800429f900 at pc 0x7fe75c0bd9ef bp 0x7fe7557fa670 sp 0x7fe7557f9e30
WRITE of size 1460 at 0x62800429f900 thread T1 (W#01-eth1)
#0 0x7fe75c0bd9ee in __interceptor_memcpy (/lib64/libasan.so.8+0x6e9ee) (BuildId: 2b657470ea196ba4342e3bd8a3cc138b1e200599)
#1 0x7b66ba in StreamingBufferAppend (/usr/sbin/suricata+0x7b66ba) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#2 0x7f15c6 in HtpBodyAppendChunk (/usr/sbin/suricata+0x7f15c6) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#3 0x576e5b in HTPCallbackResponseBodyData (/usr/sbin/suricata+0x576e5b) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#4 0x7fe75c00be43 in htp_hook_run_all (/lib64/libhtp.so.2+0x1ae43) (BuildId: a46e2bce04337936562470fc9167ed844b1dfacd)
#5 0x7fe75c02623d in htp_tx_res_process_body_data_ex (/lib64/libhtp.so.2+0x3523d) (BuildId: a46e2bce04337936562470fc9167ed844b1dfacd)
#6 0x7fe75c01a11d in htp_connp_RES_BODY_IDENTITY_CL_KNOWN (/lib64/libhtp.so.2+0x2911d) (BuildId: a46e2bce04337936562470fc9167ed844b1dfacd)
#7 0x7fe75c01fcb4 in htp_connp_res_data (/lib64/libhtp.so.2+0x2ecb4) (BuildId: a46e2bce04337936562470fc9167ed844b1dfacd)
#8 0x57d580 in HTPHandleResponseData (/usr/sbin/suricata+0x57d580) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#9 0x58ac7b in AppLayerParserParse (/usr/sbin/suricata+0x58ac7b) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#10 0x5622f3 in AppLayerHandleTCPData (/usr/sbin/suricata+0x5622f3) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#11 0x7685a8 in ReassembleUpdateAppLayer (/usr/sbin/suricata+0x7685a8) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#12 0x76b81a in StreamTcpReassembleAppLayer (/usr/sbin/suricata+0x76b81a) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#13 0x76b949 in StreamTcpReassembleHandleSegmentUpdateACK (/usr/sbin/suricata+0x76b949) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#14 0x76cf43 in StreamTcpReassembleHandleSegment (/usr/sbin/suricata+0x76cf43) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#15 0x747d91 in HandleEstablishedPacketToServer (/usr/sbin/suricata+0x747d91) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#16 0x74ad9c in StreamTcpPacketStateEstablished (/usr/sbin/suricata+0x74ad9c) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#17 0x75c531 in StreamTcpStateDispatch (/usr/sbin/suricata+0x75c531) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#18 0x75cfb1 in StreamTcpPacket (/usr/sbin/suricata+0x75cfb1) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#19 0x75d592 in StreamTcp (/usr/sbin/suricata+0x75d592) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#20 0x6c82e2 in FlowWorkerStreamTCPUpdate (/usr/sbin/suricata+0x6c82e2) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#21 0x6c98d4 in FlowWorker (/usr/sbin/suricata+0x6c98d4) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#22 0x5297fa in TmThreadsSlotVarRun (/usr/sbin/suricata+0x5297fa) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#23 0x71f73c in TmThreadsSlotProcessPkt (/usr/sbin/suricata+0x71f73c) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#24 0x71fd20 in AFPParsePacketV3 (/usr/sbin/suricata+0x71fd20) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#25 0x71ff57 in AFPWalkBlock (/usr/sbin/suricata+0x71ff57) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#26 0x720112 in AFPReadFromRingV3 (/usr/sbin/suricata+0x720112) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#27 0x72678a in ReceiveAFPLoop (/usr/sbin/suricata+0x72678a) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#28 0x52c8e6 in TmThreadsSlotPktAcqLoop (/usr/sbin/suricata+0x52c8e6) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#29 0x7fe75b8f4896 in start_thread (/lib64/libc.so.6+0x8e896) (BuildId: e0b579ca7024cf12a2686b60cf49d1d9e3ff6273)
#30 0x7fe75b97b8c3 in __clone (/lib64/libc.so.6+0x1158c3) (BuildId: e0b579ca7024cf12a2686b60cf49d1d9e3ff6273)

0x62800429f900 is located 0 bytes after 14336-byte region [0x62800429c100,0x62800429f900)
allocated by thread T1 (W#01-eth1) here:
#0 0x7fe75c1271e5 in __interceptor_realloc.part.0 (/lib64/libasan.so.8+0xd81e5) (BuildId: 2b657470ea196ba4342e3bd8a3cc138b1e200599)
#1 0x54596b in SCReallocFunc (/usr/sbin/suricata+0x54596b) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#2 0x5809d7 in HTPRealloc (/usr/sbin/suricata+0x5809d7) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#3 0x7ad9c0 in GrowRegionToSize (/usr/sbin/suricata+0x7ad9c0) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#4 0x7adb0f in GrowToSize (/usr/sbin/suricata+0x7adb0f) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#5 0x7b6804 in StreamingBufferAppend (/usr/sbin/suricata+0x7b6804) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#6 0x7f15c6 in HtpBodyAppendChunk (/usr/sbin/suricata+0x7f15c6) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#7 0x576e5b in HTPCallbackResponseBodyData (/usr/sbin/suricata+0x576e5b) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#8 0x7fe75c00be43 in htp_hook_run_all (/lib64/libhtp.so.2+0x1ae43) (BuildId: a46e2bce04337936562470fc9167ed844b1dfacd)
#9 0x7fe75c02623d in htp_tx_res_process_body_data_ex (/lib64/libhtp.so.2+0x3523d) (BuildId: a46e2bce04337936562470fc9167ed844b1dfacd)
#10 0x7fe75c01a11d in htp_connp_RES_BODY_IDENTITY_CL_KNOWN (/lib64/libhtp.so.2+0x2911d) (BuildId: a46e2bce04337936562470fc9167ed844b1dfacd)
#11 0x7fe75c01fcb4 in htp_connp_res_data (/lib64/libhtp.so.2+0x2ecb4) (BuildId: a46e2bce04337936562470fc9167ed844b1dfacd)
#12 0x57d580 in HTPHandleResponseData (/usr/sbin/suricata+0x57d580) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#13 0x58ac7b in AppLayerParserParse (/usr/sbin/suricata+0x58ac7b) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#14 0x5622f3 in AppLayerHandleTCPData (/usr/sbin/suricata+0x5622f3) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#15 0x7685a8 in ReassembleUpdateAppLayer (/usr/sbin/suricata+0x7685a8) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#16 0x76b81a in StreamTcpReassembleAppLayer (/usr/sbin/suricata+0x76b81a) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#17 0x76b949 in StreamTcpReassembleHandleSegmentUpdateACK (/usr/sbin/suricata+0x76b949) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#18 0x76cf43 in StreamTcpReassembleHandleSegment (/usr/sbin/suricata+0x76cf43) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#19 0x747d91 in HandleEstablishedPacketToServer (/usr/sbin/suricata+0x747d91) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#20 0x74ad9c in StreamTcpPacketStateEstablished (/usr/sbin/suricata+0x74ad9c) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#21 0x75c531 in StreamTcpStateDispatch (/usr/sbin/suricata+0x75c531) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#22 0x75cfb1 in StreamTcpPacket (/usr/sbin/suricata+0x75cfb1) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#23 0x75d592 in StreamTcp (/usr/sbin/suricata+0x75d592) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#24 0x6c82e2 in FlowWorkerStreamTCPUpdate (/usr/sbin/suricata+0x6c82e2) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#25 0x6c98d4 in FlowWorker (/usr/sbin/suricata+0x6c98d4) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#26 0x5297fa in TmThreadsSlotVarRun (/usr/sbin/suricata+0x5297fa) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#27 0x71f73c in TmThreadsSlotProcessPkt (/usr/sbin/suricata+0x71f73c) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#28 0x71fd20 in AFPParsePacketV3 (/usr/sbin/suricata+0x71fd20) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#29 0x71ff57 in AFPWalkBlock (/usr/sbin/suricata+0x71ff57) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)

Thread T1 (W#01-eth1) created by T0 (Suricata-Main) here:
#0 0x7fe75c097956 in pthread_create (/lib64/libasan.so.8+0x48956) (BuildId: 2b657470ea196ba4342e3bd8a3cc138b1e200599)
#1 0x52d621 in TmThreadSpawn (/usr/sbin/suricata+0x52d621) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#2 0x852ff1 in RunModeSetLiveCaptureWorkersForDevice (/usr/sbin/suricata+0x852ff1) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#3 0x85410f in RunModeSetLiveCaptureWorkers (/usr/sbin/suricata+0x85410f) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#4 0x84d235 in RunModeIdsAFPWorkers (/usr/sbin/suricata+0x84d235) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#5 0x71c2ec in RunModeDispatch (/usr/sbin/suricata+0x71c2ec) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#6 0x526537 in SuricataMain (/usr/sbin/suricata+0x526537) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#7 0x51c7e2 in main (/usr/sbin/suricata+0x51c7e2) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)
#8 0x7fe75b88e149 in __libc_start_call_main (/lib64/libc.so.6+0x28149) (BuildId: e0b579ca7024cf12a2686b60cf49d1d9e3ff6273)
#9 0x7fe75b88e20a in __libc_start_main_impl (/lib64/libc.so.6+0x2820a) (BuildId: e0b579ca7024cf12a2686b60cf49d1d9e3ff6273)
#10 0x51c714 in _start (/usr/sbin/suricata+0x51c714) (BuildId: b8959cd17c001b271410f82351cc1f4115f21705)

AddressSanitizer: heap-buffer-overflow (/lib64/libasan.so.8+0x6e9ee) (BuildId: 2b657470ea196ba4342e3bd8a3cc138b1e200599) in __interceptor_memcpy
Shadow bytes around the buggy address:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x62800429f900:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==61==ABORTING