Bug #1902
asan global-buffer-overflow with 3.2dev (rev a194dfb)
Status: closed
Description
AddressSanitizer: global-buffer-overflow on address 0x7fb3a096499c at pc 0x7fb3a06ccbff bp 0x7fb394fec710 sp 0x7fb394fec708
READ of size 4 at 0x7fb3a096499c thread T1 (W#01)
    #0 0x7fb3a06ccbfe (/opt/suricata-asan/bin/suricata+0x21b0bfe)
    #1 0x7fb3a039290b (/opt/suricata-asan/bin/suricata+0x1e7690b)
    #2 0x7fb3a0391f79 (/opt/suricata-asan/bin/suricata+0x1e75f79)
    #3 0x7fb39ec9d6cd (/opt/suricata-asan/bin/suricata+0x7816cd)
    #4 0x7fb39ec92a55 (/opt/suricata-asan/bin/suricata+0x776a55)
    #5 0x7fb39ec8d140 (/opt/suricata-asan/bin/suricata+0x771140)
    #6 0x7fb39ec885d2 (/opt/suricata-asan/bin/suricata+0x76c5d2)
    #7 0x7fb39ec44a94 (/opt/suricata-asan/bin/suricata+0x728a94)
    #8 0x7fb39ec46254 (/opt/suricata-asan/bin/suricata+0x72a254)
    #9 0x7fb39eb4847c (/opt/suricata-asan/bin/suricata+0x62c47c)
    #10 0x7fb39e909fca (/opt/suricata-asan/bin/suricata+0x3edfca)
    #11 0x7fb3a01c2011 (/opt/suricata-asan/bin/suricata+0x1ca6011)
    #12 0x7fb3a01c96f4 (/opt/suricata-asan/bin/suricata+0x1cad6f4)
    #13 0x7fb3a01cb90a (/opt/suricata-asan/bin/suricata+0x1caf90a)
    #14 0x7fb3a017b3ca (/opt/suricata-asan/bin/suricata+0x1c5f3ca)
    #15 0x7fb3a008fff6 (/opt/suricata-asan/bin/suricata+0x1b73ff6)
    #16 0x7fb3a0067bcb (/opt/suricata-asan/bin/suricata+0x1b4bbcb)
    #17 0x7fb3a00d1f0b (/opt/suricata-asan/bin/suricata+0x1bb5f0b)
    #18 0x7fb39fdc56e8 (/opt/suricata-asan/bin/suricata+0x18a96e8)
    #19 0x7fb3a02a1ce6 (/opt/suricata-asan/bin/suricata+0x1d85ce6)
    #20 0x7fb3a00533e6 (/opt/suricata-asan/bin/suricata+0x1b373e6)
    #21 0x7fb3a0052d50 (/opt/suricata-asan/bin/suricata+0x1b36d50)
    #22 0x7fb39d5c9b70 (/usr/lib/x86_64-linux-gnu/libpcap.so.0.8+0x1cb70)
    #23 0x7fb3a004f0cb (/opt/suricata-asan/bin/suricata+0x1b330cb)
    #24 0x7fb3a02a455f (/opt/suricata-asan/bin/suricata+0x1d8855f)
    #25 0x7fb39cf72183 (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183)
    #26 0x7fb39aee937c (/lib/x86_64-linux-gnu/libc.so.6+0xfa37c)

0x7fb3a096499c is located 36 bytes to the left of global variable 'mdays' defined in 'util-time.c:394:22' (0x7fb3a09649c0) of size 48
0x7fb3a096499c is located 18 bytes to the right of global variable '<string literal>' defined in 'util-time.c:373:14' (0x7fb3a0964980) of size 10
  '<string literal>' is ascii string '%02d.%06u'
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0ff6f41248e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6f41248f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6f4124900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6f4124910: 00 00 00 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9
  0x0ff6f4124920: 00 01 f9 f9 f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9
=>0x0ff6f4124930: 00 02 f9[f9]f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
  0x0ff6f4124940: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 00
  0x0ff6f4124950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6f4124960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6f4124970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6f4124980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Container overflow:    fc
  ASan internal:         fe
Thread T1 (W#01) created by T0 (Suricata-Main) here:
    #0 0x7fb39e85417f (/opt/suricata-asan/bin/suricata+0x33817f)
    #1 0x7fb3a02c1101 (/opt/suricata-asan/bin/suricata+0x1da5101)
    #2 0x7fb39ffd61f7 (/opt/suricata-asan/bin/suricata+0x1aba1f7)
    #3 0x7fb39fff51fe (/opt/suricata-asan/bin/suricata+0x1ad91fe)
    #4 0x7fb3a0261bcd (/opt/suricata-asan/bin/suricata+0x1d45bcd)
    #5 0x7fb39ae10f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
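The two "is located ... global variable" lines are what turn the raw faulting address into a position relative to the named globals. The following Python is an added triage helper, not Suricata's code and not part of the original report: it parses those lines (embedded below as a constructed excerpt of the report above), cross-checks ASan's stated distances against the addresses, and, under the assumption that the 4-byte access size is also the element size of `mdays`, reports that the read lands 9 elements before the start of that 48-byte global.

```python
import re

# Constructed excerpt of the ASan report above: only the lines the parser needs.
ASAN_REPORT = """\
READ of size 4 at 0x7fb3a096499c thread T1 (W#01)
0x7fb3a096499c is located 36 bytes to the left of global variable 'mdays' defined in 'util-time.c:394:22' (0x7fb3a09649c0) of size 48
0x7fb3a096499c is located 18 bytes to the right of global variable '<string literal>' defined in 'util-time.c:373:14' (0x7fb3a0964980) of size 10
"""

ACCESS_RE = re.compile(r"\b(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
GLOBAL_RE = re.compile(
    r"(0x[0-9a-f]+) is located (\d+) bytes to the (left|right) of global variable "
    r"'([^']*)' defined in '([^']+)' \((0x[0-9a-f]+)\) of size (\d+)"
)


def parse_global_overflow(report):
    """Locate the faulting access relative to each global ASan names.

    For every neighbouring global, compute the byte offset of the fault from
    that global's start and cross-check it with the distance ASan printed.
    If the offset is a whole multiple of the access size, also give an element
    index; that treats the global as an array whose element size equals the
    access size, which is an assumption, not something the report states.
    """
    m = ACCESS_RE.search(report)
    if m is None:
        raise ValueError("no READ/WRITE line found")
    kind, access_size, fault = m.group(1), int(m.group(2)), int(m.group(3), 16)
    neighbours = []
    for g in GLOBAL_RE.finditer(report):
        addr, dist, side, name, where, base, size = g.groups()
        if int(addr, 16) != fault:
            continue
        dist, base, size = int(dist), int(base, 16), int(size)
        offset = fault - base                      # negative: before the global
        stated = -dist if side == "left" else size + dist
        if offset != stated:                       # report is internally inconsistent
            raise ValueError(f"offset mismatch for {name}: {offset} vs {stated}")
        index = offset // access_size if offset % access_size == 0 else None
        neighbours.append({
            "name": name, "defined_in": where, "size": size,
            "offset": offset, "index": index,
            "underruns_start": offset < 0, "overruns_end": offset >= size,
        })
    return {"kind": kind, "access_size": access_size, "fault": fault,
            "neighbours": neighbours}


if __name__ == "__main__":
    for n in parse_global_overflow(ASAN_REPORT)["neighbours"]:
        print(n)
```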
run command:
LSAN_OPTIONS=suppressions=lsan.suppress /opt/suricata-asan/bin/suricata -c suri.yaml -r /tests/fuzz/ptp/ginfiz/private.pcap -l /tests/fuzz/ptp/ginfiz/ -S /opt/suricata-asan/etc/suricata/rules/decoder-events.rules
Suricata build-info:
This is Suricata version 3.2dev (rev a194dfb)
Features: UNITTESTS PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS
SIMD support: SSE_4_1 SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.2.1 Compatible Ubuntu Clang 3.5.0 (tags/RELEASE_350/final), C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.22, linked against LibHTP v0.5.22

Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes, through luajit
  libluajit:                               yes
  libgeoip:                                yes
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no
  Hyperscan support:                       no
  Libnet support:                          yes

  Suricatasc install:                      yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      yes
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /opt/suricata-asan
  Configuration directory:                 /opt/suricata-asan/etc/suricata/
  Log directory:                           /opt/suricata-asan/var/log/suricata/

  --prefix                                 /opt/suricata-asan
  --sysconfdir                             /opt/suricata-asan/etc
  --localstatedir                          /opt/suricata-asan/var

  Host:                                    x86_64-unknown-linux-gnu
  Compiler:                                clang-3.5 (exec name) / clang (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: yes
  CFLAGS                                   -ggdb3 -Werror -Wchar-subscripts -fno-strict-aliasing -fstack-protector-all -fsanitize=address -fno-omit-frame-pointer -Wno-unused-parameter -Wno-unused-function -march=native
  PCAP_CFLAGS                              -I/usr/include
  SECCFLAGS
I have a pcap privately available that can reproduce the issue.