Actions
Bug #1467
closedSpecifying an IPv6 entry before an IPv4 entry in host-os-policy causes ASAN heap-buffer-overflow.
Affected Versions:
Effort:
Difficulty:
Label:
Description
By putting an IPv6 entry in before IPv4 entries in the host-os-policy, ASAN will detect a heap-buffer-overflow.
Example: Moves the solaris entry up above linux:
host-os-policy: windows: [0.0.0.0/0] bsd: [] bsd-right: [] old-linux: [] old-solaris: [] solaris: ["::1"] linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"] hpux10: [] hpux11: [] irix: [] macos: [] vista: [] windows2k3: []
Results in:
==14550==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000027dd4 at pc 0x106286b bp 0x7ffdea1ca050 sp 0x7ffdea1ca040 READ of size 1 at 0x602000027dd4 thread T0 (Suricata-Main) #0 0x106286a in SCRadixAddKey /home/jason/projects/oisf/suricata/src/util-radix-tree.c:578 #1 0x1065b92 in SCRadixAddKeyIPV4Netblock /home/jason/projects/oisf/suricata/src/util-radix-tree.c:897 #2 0xf9a06a in SCHInfoAddHostOSInfo /home/jason/projects/oisf/suricata/src/util-host-os-info.c:198 #3 0xf9b05e in SCHInfoLoadFromConfig /home/jason/projects/oisf/suricata/src/util-host-os-info.c:347 #4 0xef477f in PostConfLoadedSetup /home/jason/projects/oisf/suricata/src/suricata.c:2068 #5 0xef58ad in main /home/jason/projects/oisf/suricata/src/suricata.c:2227 #6 0x7fa990589fdf in __libc_start_main (/lib64/libc.so.6+0x1ffdf) #7 0x407b48 (/home/jason/projects/oisf/bin/suricata+0x407b48) 0x602000027dd4 is located 0 bytes to the right of 4-byte region [0x602000027dd0,0x602000027dd4) allocated by thread T0 (Suricata-Main) here: #0 0x7fa9935277c7 in malloc (/lib64/libasan.so.1+0x577c7) #1 0x105eb0c in SCRadixCreatePrefix /home/jason/projects/oisf/suricata/src/util-radix-tree.c:149 #2 0x1061b8e in SCRadixAddKey /home/jason/projects/oisf/suricata/src/util-radix-tree.c:522 #3 0x1065b92 in SCRadixAddKeyIPV4Netblock /home/jason/projects/oisf/suricata/src/util-radix-tree.c:897 #4 0xf9a06a in SCHInfoAddHostOSInfo /home/jason/projects/oisf/suricata/src/util-host-os-info.c:198 #5 0xf9b05e in SCHInfoLoadFromConfig /home/jason/projects/oisf/suricata/src/util-host-os-info.c:347 #6 0xef477f in PostConfLoadedSetup /home/jason/projects/oisf/suricata/src/suricata.c:2068 #7 0xef58ad in main /home/jason/projects/oisf/suricata/src/suricata.c:2227 #8 0x7fa990589fdf in __libc_start_main (/lib64/libc.so.6+0x1ffdf) SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jason/projects/oisf/suricata/src/util-radix-tree.c:578 SCRadixAddKey Shadow bytes around the buggy address: 0x0c047fffcf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fffcf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fffcf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fffcf90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fffcfa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c047fffcfb0: fa fa fa fa fa fa fa fa fa fa[04]fa fa fa 04 fa 0x0c047fffcfc0: fa fa 00 03 fa fa 04 fa fa fa 01 fa fa fa 00 00 0x0c047fffcfd0: fa fa fd fd fa fa fd fa fa fa 04 fa fa fa fd fa 0x0c047fffcfe0: fa fa 04 fa fa fa fd fa fa fa fd fd fa fa 04 fa 0x0c047fffcff0: fa fa fd fd fa fa 04 fa fa fa 02 fa fa fa fd fa 0x0c047fffd000: fa fa 02 fa fa fa fd fa fa fa fd fa fa fa 00 fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Contiguous container OOB:fc ASan internal: fe ==14550==ABORTING
I have a fix in progress but it will require review.
Updated by Jason Ish about 9 years ago
Yes, here is the PR: https://github.com/inliniac/suricata/pull/1480
Updated by Victor Julien about 9 years ago
- Status changed from Assigned to Closed
Actions