Bug #2154

closed

Dynamic stack overflow in payload printable output

Added by Eric Leblond almost 7 years ago. Updated almost 7 years ago.

Status: Closed
Priority: Normal

Description

When running Suricata with an ASAN build against a pcap, with payload-printable activated in the alert output, I got the following crash:

ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-3.8/bin/llvm-symbolizer ~/builds/suricata/bin/suricata -r qa/docker/pcaps/sandnet.pcap -l /tmp/ -c ~/builds/suricata/etc/suricata/suricata.yaml 
[1174] 22/6/2017 -- 12:14:08 - (suricata.c:1109) <Notice> (LogVersion) -- This is Suricata version 4.0.0-dev (rev 3.2.1-SN)
[1174] 22/6/2017 -- 12:14:15 - (util-file.c:165) <Warning> (FileForceHashParseCfg) -- [ERRCODE: SC_ERR_DEPRECATED_CONF(274)] - deprecated 'force-md5' option found. Please use 'force-hash: [md5]' instead
[1174] 22/6/2017 -- 12:14:15 - (tm-threads.c:2178) <Notice> (TmThreadWaitOnThreadInit) -- all 13 packet processing threads, 4 management threads initialized, engine started.
=================================================================
==1174==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7f46518ab341 at pc 0x00000043e083 bp 0x7f46518ab300 sp 0x7f46518aaab0
READ of size 7 at 0x7f46518ab341 thread T11 (W#10)
    #0 0x43e082 in __interceptor_strlen.part.45 (/home/eric/builds/suricata/bin/suricata+0x43e082)
    #1 0x7f4670a4d14d in json_string (/usr/lib/x86_64-linux-gnu/libjansson.so.4+0x814d)
    #2 0xa0bdf1 in AlertJson /home/eric/git/oisf/src/output-json-alert.c:460:41
    #3 0xa0750f in JsonAlertLogger /home/eric/git/oisf/src/output-json-alert.c:617:16
    #4 0xa768ed in OutputPacketLog /home/eric/git/oisf/src/output-packet.c:115:13
    #5 0x9f9bcd in OutputLoggerLog /home/eric/git/oisf/src/output.c:914:13
    #6 0x96f212 in FlowWorker /home/eric/git/oisf/src/flow-worker.c:262:5
    #7 0xbaf6a2 in TmThreadsSlotVarRun /home/eric/git/oisf/src/tm-threads.c:128:17
    #8 0xbbf0f8 in TmThreadsSlotVar /home/eric/git/oisf/src/tm-threads.c:585:17
    #9 0x7f467082f493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #10 0x7f466ee88a8e in clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8a8e)

Address 0x7f46518ab341 is located in stack of thread T11 (W#10)
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow (/home/eric/builds/suricata/bin/suricata+0x43e082) in __interceptor_strlen.part.45
Shadow bytes around the buggy address:
  0x0fe94a30d610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe94a30d620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe94a30d630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe94a30d640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe94a30d650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe94a30d660: 00 00 00 00 ca ca ca ca[01]cb cb cb cb cb cb cb
  0x0fe94a30d670: f1 f1 f1 f1 00 f2 f2 f2 04 f2 00 f2 f2 f2 04 f2
  0x0fe94a30d680: 00 00 00 00 00 06 f3 f3 f3 f3 f3 f3 00 00 00 00
  0x0fe94a30d690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe94a30d6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe94a30d6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Thread T11 (W#10) created by T0 (Suricata-Main) here:
    #0 0x432de9 in __interceptor_pthread_create (/home/eric/builds/suricata/bin/suricata+0x432de9)
    #1 0xbbb4e5 in TmThreadSpawn /home/eric/git/oisf/src/tm-threads.c:1903:14
    #2 0xab3e98 in RunModeFilePcapAutoFp /home/eric/git/oisf/src/runmode-pcap-file.c:253:13
    #3 0xac3b5c in RunModeDispatch /home/eric/git/oisf/src/runmodes.c:384:5
    #4 0xb87e51 in main /home/eric/git/oisf/src/suricata.c:2882:5
    #5 0x7f466edc02b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

==1174==ABORTING

#1

Updated by Victor Julien almost 7 years ago

  • Status changed from New to Closed
  • Assignee set to Eric Leblond
  • Target version set to 4.0rc1
