Project

General

Profile

Actions

Bug #2737

closed

Invalid memory read on malformed rule with Lua script

Added by Joe Johnson about 6 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport to 4.1, Needs backport to 5.0

Description

When a trailing semicolon is omitted from a rule with a lua script, Suricata still tries to load a lua script from the wrong memory location in the process. On 4.0 and earlier, this location is semi-random and doesn't always repro. On 4.1, the location seems consistent, but it still incorrect. On 4.0 and earlier, this can lead to segmentation faults if the memory is not a valid location.

Sample rule:
alert http any any -> any any (msg:"Test Lua on Load Failure"; content:"|00 00 00 00|"; lua:lua/test.lua; rev:1)

Sample Error Output:
[56494] 11/12/2018 -- 21:56:15 - (detect-lua.c:623) <Error> (DetectLuaThreadInit) -- [ERRCODE: SC_ERR_LUA_ERROR(212)] - couldn't load file: cannot open n/hta
: No such file or directory


Related issues 3 (0 open3 closed)

Has duplicate Suricata - Bug #3273: asan: heap-use-after-fee in DetectLuaThreadInitClosedActions
Copied to Suricata - Bug #3644: Invalid memory read on malformed rule with Lua scriptClosedJeff LucovskyActions
Copied to Suricata - Bug #3645: Invalid memory read on malformed rule with Lua scriptClosedShivani BhardwajActions
Actions #1

Updated by Victor Julien about 6 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien

Thanks Joe, bug confirmed.

Actions #2

Updated by Andreas Herz over 5 years ago

  • Target version set to TBD
Actions #3

Updated by Victor Julien about 5 years ago

  • Target version changed from TBD to 6.0.0beta1
Actions #4

Updated by Victor Julien about 5 years ago

  • Has duplicate Bug #3273: asan: heap-use-after-fee in DetectLuaThreadInit added
Actions #5

Updated by Victor Julien over 4 years ago

  • Status changed from Assigned to In Review
  • Assignee changed from Victor Julien to Jeff Lucovsky
  • Affected Versions 4.1.7, 5.0.2 added
  • Label Needs backport to 4.1, Needs backport to 5.0 added
Actions #6

Updated by Jeff Lucovsky over 4 years ago

  • Copied to Bug #3644: Invalid memory read on malformed rule with Lua script added
Actions #7

Updated by Jeff Lucovsky over 4 years ago

  • Copied to Bug #3645: Invalid memory read on malformed rule with Lua script added
Actions #8

Updated by Jeff Lucovsky over 4 years ago

  • Status changed from In Review to Closed
Actions

Also available in: Atom PDF