Bug #1902 (Closed)
asan global-buffer-overflow with 3.2dev (rev a194dfb)
Description
AddressSanitizer: global-buffer-overflow on address 0x7fb3a096499c at pc 0x7fb3a06ccbff bp 0x7fb394fec710 sp 0x7fb394fec708
READ of size 4 at 0x7fb3a096499c thread T1 (W#01)
    #0 0x7fb3a06ccbfe (/opt/suricata-asan/bin/suricata+0x21b0bfe)
    #1 0x7fb3a039290b (/opt/suricata-asan/bin/suricata+0x1e7690b)
    #2 0x7fb3a0391f79 (/opt/suricata-asan/bin/suricata+0x1e75f79)
    #3 0x7fb39ec9d6cd (/opt/suricata-asan/bin/suricata+0x7816cd)
    #4 0x7fb39ec92a55 (/opt/suricata-asan/bin/suricata+0x776a55)
    #5 0x7fb39ec8d140 (/opt/suricata-asan/bin/suricata+0x771140)
    #6 0x7fb39ec885d2 (/opt/suricata-asan/bin/suricata+0x76c5d2)
    #7 0x7fb39ec44a94 (/opt/suricata-asan/bin/suricata+0x728a94)
    #8 0x7fb39ec46254 (/opt/suricata-asan/bin/suricata+0x72a254)
    #9 0x7fb39eb4847c (/opt/suricata-asan/bin/suricata+0x62c47c)
    #10 0x7fb39e909fca (/opt/suricata-asan/bin/suricata+0x3edfca)
    #11 0x7fb3a01c2011 (/opt/suricata-asan/bin/suricata+0x1ca6011)
    #12 0x7fb3a01c96f4 (/opt/suricata-asan/bin/suricata+0x1cad6f4)
    #13 0x7fb3a01cb90a (/opt/suricata-asan/bin/suricata+0x1caf90a)
    #14 0x7fb3a017b3ca (/opt/suricata-asan/bin/suricata+0x1c5f3ca)
    #15 0x7fb3a008fff6 (/opt/suricata-asan/bin/suricata+0x1b73ff6)
    #16 0x7fb3a0067bcb (/opt/suricata-asan/bin/suricata+0x1b4bbcb)
    #17 0x7fb3a00d1f0b (/opt/suricata-asan/bin/suricata+0x1bb5f0b)
    #18 0x7fb39fdc56e8 (/opt/suricata-asan/bin/suricata+0x18a96e8)
    #19 0x7fb3a02a1ce6 (/opt/suricata-asan/bin/suricata+0x1d85ce6)
    #20 0x7fb3a00533e6 (/opt/suricata-asan/bin/suricata+0x1b373e6)
    #21 0x7fb3a0052d50 (/opt/suricata-asan/bin/suricata+0x1b36d50)
    #22 0x7fb39d5c9b70 (/usr/lib/x86_64-linux-gnu/libpcap.so.0.8+0x1cb70)
    #23 0x7fb3a004f0cb (/opt/suricata-asan/bin/suricata+0x1b330cb)
    #24 0x7fb3a02a455f (/opt/suricata-asan/bin/suricata+0x1d8855f)
    #25 0x7fb39cf72183 (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183)
    #26 0x7fb39aee937c (/lib/x86_64-linux-gnu/libc.so.6+0xfa37c)

0x7fb3a096499c is located 36 bytes to the left of global variable 'mdays' defined in 'util-time.c:394:22' (0x7fb3a09649c0) of size 48
0x7fb3a096499c is located 18 bytes to the right of global variable '<string literal>' defined in 'util-time.c:373:14' (0x7fb3a0964980) of size 10
  '<string literal>' is ascii string '%02d.%06u'
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0ff6f41248e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6f41248f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6f4124900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6f4124910: 00 00 00 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9
  0x0ff6f4124920: 00 01 f9 f9 f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9
=>0x0ff6f4124930: 00 02 f9[f9]f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
  0x0ff6f4124940: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 00
  0x0ff6f4124950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6f4124960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6f4124970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6f4124980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
Thread T1 (W#01) created by T0 (Suricata-Main) here:
    #0 0x7fb39e85417f (/opt/suricata-asan/bin/suricata+0x33817f)
    #1 0x7fb3a02c1101 (/opt/suricata-asan/bin/suricata+0x1da5101)
    #2 0x7fb39ffd61f7 (/opt/suricata-asan/bin/suricata+0x1aba1f7)
    #3 0x7fb39fff51fe (/opt/suricata-asan/bin/suricata+0x1ad91fe)
    #4 0x7fb3a0261bcd (/opt/suricata-asan/bin/suricata+0x1d45bcd)
    #5 0x7fb39ae10f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
run command:
LSAN_OPTIONS=suppressions=lsan.suppress /opt/suricata-asan/bin/suricata -c suri.yaml -r /tests/fuzz/ptp/ginfiz/private.pcap -l /tests/fuzz/ptp/ginfiz/ -S /opt/suricata-asan/etc/suricata/rules/decoder-events.rules
Suricata build-info:
This is Suricata version 3.2dev (rev a194dfb)
Features: UNITTESTS PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS
SIMD support: SSE_4_1 SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.2.1 Compatible Ubuntu Clang 3.5.0 (tags/RELEASE_350/final), C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.22, linked against LibHTP v0.5.22

Suricata Configuration:
  AF_PACKET support: yes
  PF_RING support: no
  NFQueue support: no
  NFLOG support: no
  IPFW support: no
  Netmap support: no
  DAG enabled: no
  Napatech enabled: no

  Unix socket enabled: yes
  Detection enabled: yes

  libnss support: yes
  libnspr support: yes
  libjansson support: yes
  hiredis support: no
  Prelude support: no
  PCRE jit: yes
  LUA support: yes, through luajit
  libluajit: yes
  libgeoip: yes
  Non-bundled htp: no
  Old barnyard2 support: no
  CUDA enabled: no
  Hyperscan support: no
  Libnet support: yes

  Suricatasc install: yes

  Profiling enabled: no
  Profiling locks enabled: no

Development settings:
  Coccinelle / spatch: no
  Unit tests enabled: yes
  Debug output enabled: no
  Debug validation enabled: no

Generic build parameters:
  Installation prefix: /opt/suricata-asan
  Configuration directory: /opt/suricata-asan/etc/suricata/
  Log directory: /opt/suricata-asan/var/log/suricata/

  --prefix /opt/suricata-asan
  --sysconfdir /opt/suricata-asan/etc
  --localstatedir /opt/suricata-asan/var

  Host: x86_64-unknown-linux-gnu
  Compiler: clang-3.5 (exec name) / clang (real)
  GCC Protect enabled: no
  GCC march native enabled: yes
  GCC Profile enabled: no
  Position Independent Executable enabled: yes
  CFLAGS -ggdb3 -Werror -Wchar-subscripts -fno-strict-aliasing -fstack-protector-all -fsanitize=address -fno-omit-frame-pointer -Wno-unused-parameter -Wno-unused-function -march=native
  PCAP_CFLAGS -I/usr/include
  SECCFLAGS
I have a pcap privately available that can reproduce the issue.
Updated by Victor Julien over 7 years ago
Can you add the symbolized version of ASAN output?
Updated by Peter Manev over 7 years ago
==27853==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f09f2abc99c at pc 0x7f09f2824bff bp 0x7f09e6fec710 sp 0x7f09e6fec708
READ of size 4 at 0x7f09f2abc99c thread T1 (W#01)
    #0 0x7f09f2824bfe in SCMkTimeUtc /home/pmanev/Work/tests/fuzz/oisf/src/util-time.c:398:5
    #1 0x7f09f24ea90b in GentimeToTime /home/pmanev/Work/tests/fuzz/oisf/src/util-decode-der-get.c:90:12
    #2 0x7f09f24e9f79 in Asn1DerGetValidity /home/pmanev/Work/tests/fuzz/oisf/src/util-decode-der-get.c:233:22
    #3 0x7f09f0df56cd in DecodeTLSHandshakeServerCertificate /home/pmanev/Work/tests/fuzz/oisf/src/app-layer-tls-handshake.c:180:18
    #4 0x7f09f0deaa55 in SSLv3ParseHandshakeType /home/pmanev/Work/tests/fuzz/oisf/src/app-layer-ssl.c:464:18
    #5 0x7f09f0de5140 in SSLv3ParseHandshakeProtocol /home/pmanev/Work/tests/fuzz/oisf/src/app-layer-ssl.c:609:14
    #6 0x7f09f0de05d2 in SSLv3Decode /home/pmanev/Work/tests/fuzz/oisf/src/app-layer-ssl.c:1228:22
    #7 0x7f09f0d9ca94 in SSLDecode /home/pmanev/Work/tests/fuzz/oisf/src/app-layer-ssl.c:1392:30
    #8 0x7f09f0d9e254 in SSLParseServerRecord /home/pmanev/Work/tests/fuzz/oisf/src/app-layer-ssl.c:1484:12
    #9 0x7f09f0ca047c in AppLayerParserParse /home/pmanev/Work/tests/fuzz/oisf/src/app-layer-parser.c:975:13
    #10 0x7f09f0a61fca in AppLayerHandleTCPData /home/pmanev/Work/tests/fuzz/oisf/src/app-layer.c:309:17
    #11 0x7f09f231a011 in StreamTcpReassembleAppLayer /home/pmanev/Work/tests/fuzz/oisf/src/stream-tcp-reassemble.c:3054:9
    #12 0x7f09f23216f4 in StreamTcpReassembleHandleSegmentUpdateACK /home/pmanev/Work/tests/fuzz/oisf/src/stream-tcp-reassemble.c:3405:13
    #13 0x7f09f232390a in StreamTcpReassembleHandleSegment /home/pmanev/Work/tests/fuzz/oisf/src/stream-tcp-reassemble.c:3433:9
    #14 0x7f09f22d33ca in HandleEstablishedPacketToServer /home/pmanev/Work/tests/fuzz/oisf/src/stream-tcp.c:2067:9
    #15 0x7f09f21e7ff6 in StreamTcpPacketStateEstablished /home/pmanev/Work/tests/fuzz/oisf/src/stream-tcp.c:2446:13
    #16 0x7f09f21bfbcb in StreamTcpPacket /home/pmanev/Work/tests/fuzz/oisf/src/stream-tcp.c:4539:20
    #17 0x7f09f2229f0b in StreamTcp /home/pmanev/Work/tests/fuzz/oisf/src/stream-tcp.c:4884:11
    #18 0x7f09f1f1d6e8 in FlowWorker /home/pmanev/Work/tests/fuzz/oisf/src/flow-worker.c:180:9
    #19 0x7f09f23f9ce6 in TmThreadsSlotVarRun /home/pmanev/Work/tests/fuzz/oisf/src/tm-threads.c:130:17
    #20 0x7f09f21ab3e6 in TmThreadsSlotProcessPkt /home/pmanev/Work/tests/fuzz/oisf/src/./tm-threads.h:149:9
    #21 0x7f09f21aad50 in PcapFileCallbackLoop /home/pmanev/Work/tests/fuzz/oisf/src/source-pcap-file.c:178:9
    #22 0x7f09ef721b70 (/usr/lib/x86_64-linux-gnu/libpcap.so.0.8+0x1cb70)
    #23 0x7f09f21a70cb in ReceivePcapFileLoop /home/pmanev/Work/tests/fuzz/oisf/src/source-pcap-file.c:211:13
    #24 0x7f09f23fc55f in TmThreadsSlotPktAcqLoop /home/pmanev/Work/tests/fuzz/oisf/src/tm-threads.c:334:13
    #25 0x7f09ef0ca183 in start_thread /build/eglibc-oGUzwX/eglibc-2.19/nptl/pthread_create.c:312
    #26 0x7f09ed04137c in clone /build/eglibc-oGUzwX/eglibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111

0x7f09f2abc99c is located 36 bytes to the left of global variable 'mdays' defined in 'util-time.c:394:22' (0x7f09f2abc9c0) of size 48
0x7f09f2abc99c is located 18 bytes to the right of global variable '<string literal>' defined in 'util-time.c:373:14' (0x7f09f2abc980) of size 10
  '<string literal>' is ascii string '%02d.%06u'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/pmanev/Work/tests/fuzz/oisf/src/util-time.c:398 SCMkTimeUtc
Shadow bytes around the buggy address:
  0x0fe1be54f8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe1be54f8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe1be54f900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe1be54f910: 00 00 00 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9
  0x0fe1be54f920: 00 01 f9 f9 f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9
=>0x0fe1be54f930: 00 02 f9[f9]f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
  0x0fe1be54f940: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 00
  0x0fe1be54f950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe1be54f960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe1be54f970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe1be54f980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
Thread T1 (W#01) created by T0 (Suricata-Main) here:
    #0 0x7f09f09ac17f in __interceptor_pthread_create (/opt/suricata-asan/bin/suricata+0x33817f)
    #1 0x7f09f2419101 in TmThreadSpawn /home/pmanev/Work/tests/fuzz/oisf/src/tm-threads.c:1843:14
    #2 0x7f09f212e1f7 in RunModeFilePcapSingle /home/pmanev/Work/tests/fuzz/oisf/src/runmode-pcap-file.c:113:9
    #3 0x7f09f214d1fe in RunModeDispatch /home/pmanev/Work/tests/fuzz/oisf/src/runmodes.c:382:5
    #4 0x7f09f23b9bcd in main /home/pmanev/Work/tests/fuzz/oisf/src/suricata.c:2537:5
    #5 0x7f09ecf68f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
==27853==ABORTING
Updated by Victor Julien over 7 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version set to 70
Updated by Victor Julien over 7 years ago
- Status changed from Assigned to Closed
- Target version deleted (70)
https://github.com/inliniac/suricata/pull/2319
Not setting target version as it was never part of a released version.