Bug #1902

closed

asan global-buffer-overflow with 3.2dev (rev a194dfb)

Added by Peter Manev over 7 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

AddressSanitizer: global-buffer-overflow on address 0x7fb3a096499c at pc 0x7fb3a06ccbff bp 0x7fb394fec710 sp 0x7fb394fec708
READ of size 4 at 0x7fb3a096499c thread T1 (W#01)
    #0 0x7fb3a06ccbfe (/opt/suricata-asan/bin/suricata+0x21b0bfe)
    #1 0x7fb3a039290b (/opt/suricata-asan/bin/suricata+0x1e7690b)
    #2 0x7fb3a0391f79 (/opt/suricata-asan/bin/suricata+0x1e75f79)
    #3 0x7fb39ec9d6cd (/opt/suricata-asan/bin/suricata+0x7816cd)
    #4 0x7fb39ec92a55 (/opt/suricata-asan/bin/suricata+0x776a55)
    #5 0x7fb39ec8d140 (/opt/suricata-asan/bin/suricata+0x771140)
    #6 0x7fb39ec885d2 (/opt/suricata-asan/bin/suricata+0x76c5d2)
    #7 0x7fb39ec44a94 (/opt/suricata-asan/bin/suricata+0x728a94)
    #8 0x7fb39ec46254 (/opt/suricata-asan/bin/suricata+0x72a254)
    #9 0x7fb39eb4847c (/opt/suricata-asan/bin/suricata+0x62c47c)
    #10 0x7fb39e909fca (/opt/suricata-asan/bin/suricata+0x3edfca)
    #11 0x7fb3a01c2011 (/opt/suricata-asan/bin/suricata+0x1ca6011)
    #12 0x7fb3a01c96f4 (/opt/suricata-asan/bin/suricata+0x1cad6f4)
    #13 0x7fb3a01cb90a (/opt/suricata-asan/bin/suricata+0x1caf90a)
    #14 0x7fb3a017b3ca (/opt/suricata-asan/bin/suricata+0x1c5f3ca)
    #15 0x7fb3a008fff6 (/opt/suricata-asan/bin/suricata+0x1b73ff6)
    #16 0x7fb3a0067bcb (/opt/suricata-asan/bin/suricata+0x1b4bbcb)
    #17 0x7fb3a00d1f0b (/opt/suricata-asan/bin/suricata+0x1bb5f0b)
    #18 0x7fb39fdc56e8 (/opt/suricata-asan/bin/suricata+0x18a96e8)
    #19 0x7fb3a02a1ce6 (/opt/suricata-asan/bin/suricata+0x1d85ce6)
    #20 0x7fb3a00533e6 (/opt/suricata-asan/bin/suricata+0x1b373e6)
    #21 0x7fb3a0052d50 (/opt/suricata-asan/bin/suricata+0x1b36d50)
    #22 0x7fb39d5c9b70 (/usr/lib/x86_64-linux-gnu/libpcap.so.0.8+0x1cb70)
    #23 0x7fb3a004f0cb (/opt/suricata-asan/bin/suricata+0x1b330cb)
    #24 0x7fb3a02a455f (/opt/suricata-asan/bin/suricata+0x1d8855f)
    #25 0x7fb39cf72183 (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183)
    #26 0x7fb39aee937c (/lib/x86_64-linux-gnu/libc.so.6+0xfa37c)

0x7fb3a096499c is located 36 bytes to the left of global variable 'mdays' defined in 'util-time.c:394:22' (0x7fb3a09649c0) of size 48
0x7fb3a096499c is located 18 bytes to the right of global variable '<string literal>' defined in 'util-time.c:373:14' (0x7fb3a0964980) of size 10
  '<string literal>' is ascii string '%02d.%06u'
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0ff6f41248e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6f41248f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6f4124900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6f4124910: 00 00 00 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9
  0x0ff6f4124920: 00 01 f9 f9 f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9
=>0x0ff6f4124930: 00 02 f9[f9]f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
  0x0ff6f4124940: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 00
  0x0ff6f4124950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6f4124960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6f4124970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6f4124980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
Thread T1 (W#01) created by T0 (Suricata-Main) here:
    #0 0x7fb39e85417f (/opt/suricata-asan/bin/suricata+0x33817f)
    #1 0x7fb3a02c1101 (/opt/suricata-asan/bin/suricata+0x1da5101)
    #2 0x7fb39ffd61f7 (/opt/suricata-asan/bin/suricata+0x1aba1f7)
    #3 0x7fb39fff51fe (/opt/suricata-asan/bin/suricata+0x1ad91fe)
    #4 0x7fb3a0261bcd (/opt/suricata-asan/bin/suricata+0x1d45bcd)
    #5 0x7fb39ae10f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

run command:

LSAN_OPTIONS=suppressions=lsan.suppress /opt/suricata-asan/bin/suricata -c suri.yaml -r /tests/fuzz/ptp/ginfiz/private.pcap -l /tests/fuzz/ptp/ginfiz/ -S /opt/suricata-asan/etc/suricata/rules/decoder-events.rules

Suricata build-info:

This is Suricata version 3.2dev (rev a194dfb)
Features: UNITTESTS PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS 
SIMD support: SSE_4_1 SSE_3 
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.2.1 Compatible Ubuntu Clang 3.5.0 (tags/RELEASE_350/final), C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.22, linked against LibHTP v0.5.22

Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes, through luajit
  libluajit:                               yes
  libgeoip:                                yes
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no
  Hyperscan support:                       no
  Libnet support:                          yes

  Suricatasc install:                      yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      yes
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /opt/suricata-asan
  Configuration directory:                 /opt/suricata-asan/etc/suricata/
  Log directory:                           /opt/suricata-asan/var/log/suricata/

  --prefix                                 /opt/suricata-asan
  --sysconfdir                             /opt/suricata-asan/etc
  --localstatedir                          /opt/suricata-asan/var

  Host:                                    x86_64-unknown-linux-gnu
  Compiler:                                clang-3.5 (exec name) / clang (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: yes
  CFLAGS                                   -ggdb3 -Werror -Wchar-subscripts -fno-strict-aliasing -fstack-protector-all -fsanitize=address -fno-omit-frame-pointer -Wno-unused-parameter -Wno-unused-function -march=native
  PCAP_CFLAGS                               -I/usr/include
  SECCFLAGS                                

I have a pcap privately available that can reproduce the issue.

Actions #1

Updated by Victor Julien over 7 years ago

Can you add the symbolized version of the ASAN output?

Actions #2

Updated by Peter Manev over 7 years ago

==27853==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f09f2abc99c at pc 0x7f09f2824bff bp 0x7f09e6fec710 sp 0x7f09e6fec708
READ of size 4 at 0x7f09f2abc99c thread T1 (W#01)
    #0 0x7f09f2824bfe in SCMkTimeUtc /home/pmanev/Work/tests/fuzz/oisf/src/util-time.c:398:5
    #1 0x7f09f24ea90b in GentimeToTime /home/pmanev/Work/tests/fuzz/oisf/src/util-decode-der-get.c:90:12
    #2 0x7f09f24e9f79 in Asn1DerGetValidity /home/pmanev/Work/tests/fuzz/oisf/src/util-decode-der-get.c:233:22
    #3 0x7f09f0df56cd in DecodeTLSHandshakeServerCertificate /home/pmanev/Work/tests/fuzz/oisf/src/app-layer-tls-handshake.c:180:18
    #4 0x7f09f0deaa55 in SSLv3ParseHandshakeType /home/pmanev/Work/tests/fuzz/oisf/src/app-layer-ssl.c:464:18
    #5 0x7f09f0de5140 in SSLv3ParseHandshakeProtocol /home/pmanev/Work/tests/fuzz/oisf/src/app-layer-ssl.c:609:14
    #6 0x7f09f0de05d2 in SSLv3Decode /home/pmanev/Work/tests/fuzz/oisf/src/app-layer-ssl.c:1228:22
    #7 0x7f09f0d9ca94 in SSLDecode /home/pmanev/Work/tests/fuzz/oisf/src/app-layer-ssl.c:1392:30
    #8 0x7f09f0d9e254 in SSLParseServerRecord /home/pmanev/Work/tests/fuzz/oisf/src/app-layer-ssl.c:1484:12
    #9 0x7f09f0ca047c in AppLayerParserParse /home/pmanev/Work/tests/fuzz/oisf/src/app-layer-parser.c:975:13
    #10 0x7f09f0a61fca in AppLayerHandleTCPData /home/pmanev/Work/tests/fuzz/oisf/src/app-layer.c:309:17
    #11 0x7f09f231a011 in StreamTcpReassembleAppLayer /home/pmanev/Work/tests/fuzz/oisf/src/stream-tcp-reassemble.c:3054:9
    #12 0x7f09f23216f4 in StreamTcpReassembleHandleSegmentUpdateACK /home/pmanev/Work/tests/fuzz/oisf/src/stream-tcp-reassemble.c:3405:13
    #13 0x7f09f232390a in StreamTcpReassembleHandleSegment /home/pmanev/Work/tests/fuzz/oisf/src/stream-tcp-reassemble.c:3433:9
    #14 0x7f09f22d33ca in HandleEstablishedPacketToServer /home/pmanev/Work/tests/fuzz/oisf/src/stream-tcp.c:2067:9
    #15 0x7f09f21e7ff6 in StreamTcpPacketStateEstablished /home/pmanev/Work/tests/fuzz/oisf/src/stream-tcp.c:2446:13
    #16 0x7f09f21bfbcb in StreamTcpPacket /home/pmanev/Work/tests/fuzz/oisf/src/stream-tcp.c:4539:20
    #17 0x7f09f2229f0b in StreamTcp /home/pmanev/Work/tests/fuzz/oisf/src/stream-tcp.c:4884:11
    #18 0x7f09f1f1d6e8 in FlowWorker /home/pmanev/Work/tests/fuzz/oisf/src/flow-worker.c:180:9
    #19 0x7f09f23f9ce6 in TmThreadsSlotVarRun /home/pmanev/Work/tests/fuzz/oisf/src/tm-threads.c:130:17
    #20 0x7f09f21ab3e6 in TmThreadsSlotProcessPkt /home/pmanev/Work/tests/fuzz/oisf/src/./tm-threads.h:149:9
    #21 0x7f09f21aad50 in PcapFileCallbackLoop /home/pmanev/Work/tests/fuzz/oisf/src/source-pcap-file.c:178:9
    #22 0x7f09ef721b70 (/usr/lib/x86_64-linux-gnu/libpcap.so.0.8+0x1cb70)
    #23 0x7f09f21a70cb in ReceivePcapFileLoop /home/pmanev/Work/tests/fuzz/oisf/src/source-pcap-file.c:211:13
    #24 0x7f09f23fc55f in TmThreadsSlotPktAcqLoop /home/pmanev/Work/tests/fuzz/oisf/src/tm-threads.c:334:13
    #25 0x7f09ef0ca183 in start_thread /build/eglibc-oGUzwX/eglibc-2.19/nptl/pthread_create.c:312
    #26 0x7f09ed04137c in clone /build/eglibc-oGUzwX/eglibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111

0x7f09f2abc99c is located 36 bytes to the left of global variable 'mdays' defined in 'util-time.c:394:22' (0x7f09f2abc9c0) of size 48
0x7f09f2abc99c is located 18 bytes to the right of global variable '<string literal>' defined in 'util-time.c:373:14' (0x7f09f2abc980) of size 10
  '<string literal>' is ascii string '%02d.%06u'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/pmanev/Work/tests/fuzz/oisf/src/util-time.c:398 SCMkTimeUtc
Shadow bytes around the buggy address:
  0x0fe1be54f8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe1be54f8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe1be54f900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe1be54f910: 00 00 00 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9
  0x0fe1be54f920: 00 01 f9 f9 f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9
=>0x0fe1be54f930: 00 02 f9[f9]f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
  0x0fe1be54f940: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 00
  0x0fe1be54f950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe1be54f960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe1be54f970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe1be54f980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
Thread T1 (W#01) created by T0 (Suricata-Main) here:
    #0 0x7f09f09ac17f in __interceptor_pthread_create (/opt/suricata-asan/bin/suricata+0x33817f)
    #1 0x7f09f2419101 in TmThreadSpawn /home/pmanev/Work/tests/fuzz/oisf/src/tm-threads.c:1843:14
    #2 0x7f09f212e1f7 in RunModeFilePcapSingle /home/pmanev/Work/tests/fuzz/oisf/src/runmode-pcap-file.c:113:9
    #3 0x7f09f214d1fe in RunModeDispatch /home/pmanev/Work/tests/fuzz/oisf/src/runmodes.c:382:5
    #4 0x7f09f23b9bcd in main /home/pmanev/Work/tests/fuzz/oisf/src/suricata.c:2537:5
    #5 0x7f09ecf68f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

==27853==ABORTING
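The symbolized trace above shows SCMkTimeUtc reading 36 bytes before the 48-byte 'mdays' table while GentimeToTime converts a certificate validity time handed over by the DER decoder. As an added illustration of the check that keeps this class of table lookup in bounds (not Suricata's code and not the fix in the linked pull request), here is a fixed-width ASN.1 GeneralizedTime converter that rejects an out-of-range month before it is ever used as an index; `gentime_to_epoch`, `month_days` and `is_leap` are constructed names.

```c
#include <stddef.h>

/* Added illustration, not Suricata's own code: a 12-entry days-per-month
 * table (12 x 4 bytes = 48 bytes, the same size as 'mdays' in the report).
 * A month taken straight from parsed input must be range-checked before it
 * indexes a table like this one. */
static const int month_days[12] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };

static int is_leap(int year)
{
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* Parse a fixed-width "YYYYMMDDhhmmssZ" GeneralizedTime and return seconds
 * since the Unix epoch (UTC), or -1 if any field is malformed or out of
 * range. Every field is validated before it drives arithmetic or a lookup. */
long long gentime_to_epoch(const char *s, size_t len)
{
    if (len != 15 || s[14] != 'Z')
        return -1;
    for (size_t i = 0; i < 14; i++)
        if (s[i] < '0' || s[i] > '9')
            return -1;                  /* reject non-digit bytes up front */

    int year = (s[0]-'0')*1000 + (s[1]-'0')*100 + (s[2]-'0')*10 + (s[3]-'0');
    int mon  = (s[4]-'0')*10 + (s[5]-'0');
    int day  = (s[6]-'0')*10 + (s[7]-'0');
    int hour = (s[8]-'0')*10 + (s[9]-'0');
    int min  = (s[10]-'0')*10 + (s[11]-'0');
    int sec  = (s[12]-'0')*10 + (s[13]-'0');

    /* The month check is what keeps the lookup below inside month_days[0..11];
     * without it a value like 13 or 00 reads outside the 48-byte table. */
    if (year < 1970 || mon < 1 || mon > 12 || hour > 23 || min > 59 || sec > 60)
        return -1;
    int dim = month_days[mon - 1] + (mon == 2 && is_leap(year));
    if (day < 1 || day > dim)
        return -1;

    long long days = 0;
    for (int y = 1970; y < year; y++)
        days += is_leap(y) ? 366 : 365;
    for (int m = 1; m < mon; m++)
        days += month_days[m - 1] + (m == 2 && is_leap(year));
    days += day - 1;
    return ((days * 24 + hour) * 60 + min) * 60 + sec;
}
```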

Actions #3

Updated by Victor Julien over 7 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to 70
Actions #4

Updated by Victor Julien over 7 years ago

  • Status changed from Assigned to Closed
  • Target version deleted (70)

https://github.com/inliniac/suricata/pull/2319

Not setting target version as it was never part of a released version.
