Bug #2762

SSLv3 - AddressSanitizer heap-buffer-overflow

Added by Peter Manev 3 months ago. Updated 23 days ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Compiled with:

git clone https://github.com/OISF/suricata.git \
&& cd suricata && git clone https://github.com/OISF/libhtp.git -b 0.5.x

./autogen.sh &&  ./configure \
--prefix=/opt/suricata-asan/ --sysconfdir=/opt/suricata-asan/etc --localstatedir=/opt/suricata-asan/var   \
--enable-unittests \
CC=clang \
CFLAGS="-ggdb3 -Werror -Wchar-subscripts -fno-strict-aliasing -fstack-protector-all -fsanitize=address -fno-omit-frame-pointer -Wno-unused-parameter -Wno-unused-function"  \
ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes \
--enable-geoip --enable-rust-strict --enable-luajit \
&& make clean &&  make -j4 && make install-full && ldconfig

Run:

LSAN_OPTIONS=suppressions=/home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata-current/qa/lsan.suppress ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-symbolizer /opt/suricata-asan/bin/suricata -c /home/pmanev/inthetrenches/test/asan-ginfiz-runs/fuzz.suricata.warfare.socket.yaml -r /home/pmanev/inthetrenches/test/asan-ginfiz-runs/logs/sidhere.pcap-fuzz -l tmplog/ -S /dev/null
[6828] 28/12/2018 -- 04:04:59 - (suricata.c:1085) <Notice> (LogVersion) -- This is Suricata version 4.1.0-dev (rev b51e4a39)
[6828] 28/12/2018 -- 04:04:59 - (tm-threads.c:2172) <Notice> (TmThreadWaitOnThreadInit) -- all 41 packet processing threads, 2 management threads initialized, engine started.
=================================================================
==6828==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c0000f2041 at pc 0x00000044f4fe bp 0x7fce44edc090 sp 0x7fce44edb840
WRITE of size 2 at 0x60c0000f2041 thread T27 (W#26)
[6828] 28/12/2018 -- 04:05:01 - (suricata.c:2847) <Notice> (SuricataMainLoop) -- Signal Received.  Stopping engine.
    #0 0x44f4fd in __interceptor_vsnprintf (/opt/suricata-asan/bin/suricata+0x44f4fd)                               
    #1 0x44f836 in snprintf (/opt/suricata-asan/bin/suricata+0x44f836)                                        
    #2 0x19437ca in Ja3BufferAppendBuffer /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/util-ja3.c:134:29
    #3 0x8bf827 in TLSDecodeHSHelloExtensions /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/app-layer-ssl.c:1260:14
    #4 0x8bb8ec in TLSDecodeHandshakeHello /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/app-layer-ssl.c:1336:11
    #5 0x8b7d77 in SSLv3ParseHandshakeType /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/app-layer-ssl.c:1370:22
    #6 0x8b692e in SSLv3ParseHandshakeProtocol /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/app-layer-ssl.c:1603:14
    #7 0x8b2db2 in SSLv3Decode /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/app-layer-ssl.c:2276:22
    #8 0x8af0d2 in SSLDecode /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/app-layer-ssl.c:2443:30
    #9 0x881d9d in SSLParseClientRecord /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/app-layer-ssl.c:2530:12
    #10 0x7f35ca in AppLayerParserParse /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/app-layer-parser.c:1188:13
    #11 0x56fbf1 in TCPProtoDetect /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/app-layer.c:431:17
    #12 0x56e5d8 in AppLayerHandleTCPData /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/app-layer.c:590:13
    #13 0x17a8330 in ReassembleUpdateAppLayer /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/stream-tcp-reassemble.c:1068:13
    #14 0x17a715c in StreamTcpReassembleAppLayer /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/stream-tcp-reassemble.c:1138:12
    #15 0x17ae1d7 in StreamTcpReassembleHandleSegmentUpdateACK /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/stream-tcp-reassemble.c:1704:9
    #16 0x17ade60 in StreamTcpReassembleHandleSegment /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/stream-tcp-reassemble.c:1747:9
    #17 0x174c1a9 in HandleEstablishedPacketToClient /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/stream-tcp.c:2371:9
    #18 0x170fa31 in StreamTcpPacketStateEstablished /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/stream-tcp.c:2608:13
    #19 0x1681229 in StreamTcpStateDispatch /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/stream-tcp.c:4613:17
    #20 0x167848d in StreamTcpPacket /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/stream-tcp.c:4790:13
    #21 0x168233c in StreamTcp /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/stream-tcp.c:5126:11
    #22 0x1446fff in FlowWorker /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/flow-worker.c:216:9
    #23 0x185069e in TmThreadsSlotVarRun /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/tm-threads.c:143:17
    #24 0x186258e in TmThreadsSlotVar /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/tm-threads.c:598:17
    #25 0x4ef3ce in __asan::AsanThread::ThreadStart(unsigned long, __sanitizer::atomic_uintptr_t*) (/opt/suricata-asan/bin/suricata+0x4ef3ce)
    #26 0x7fce598726da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #27 0x7fce56f7588e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x60c0000f2041 is located 1 bytes to the right of 128-byte region [0x60c0000f1fc0,0x60c0000f2040)
allocated by thread T27 (W#26) here:
    #0 0x4e17a0 in __interceptor_malloc (/opt/suricata-asan/bin/suricata+0x4e17a0)
    #1 0x1944e93 in Ja3BufferAddValue /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/util-ja3.c:181:27
    #2 0x8bcd84 in TLSDecodeHSHelloVersion /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/app-layer-ssl.c:678:18
    #3 0x8bb579 in TLSDecodeHandshakeHello /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/app-layer-ssl.c:1291:11
    #4 0x8b7d77 in SSLv3ParseHandshakeType /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/app-layer-ssl.c:1370:22
    #5 0x8b692e in SSLv3ParseHandshakeProtocol /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/app-layer-ssl.c:1603:14
    #6 0x8b2db2 in SSLv3Decode /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/app-layer-ssl.c:2276:22
    #7 0x8af0d2 in SSLDecode /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/app-layer-ssl.c:2443:30
    #8 0x881d9d in SSLParseClientRecord /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/app-layer-ssl.c:2530:12
    #9 0x7f35ca in AppLayerParserParse /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/app-layer-parser.c:1188:13
    #10 0x56fbf1 in TCPProtoDetect /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/app-layer.c:431:17
    #11 0x56e5d8 in AppLayerHandleTCPData /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/app-layer.c:590:13
    #12 0x17a8330 in ReassembleUpdateAppLayer /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/stream-tcp-reassemble.c:1068:13
    #13 0x17a715c in StreamTcpReassembleAppLayer /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/stream-tcp-reassemble.c:1138:12
    #14 0x17ae1d7 in StreamTcpReassembleHandleSegmentUpdateACK /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/stream-tcp-reassemble.c:1704:9
    #15 0x17ade60 in StreamTcpReassembleHandleSegment /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/stream-tcp-reassemble.c:1747:9
    #16 0x174c1a9 in HandleEstablishedPacketToClient /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/stream-tcp.c:2371:9
    #17 0x170fa31 in StreamTcpPacketStateEstablished /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/stream-tcp.c:2608:13
    #18 0x1681229 in StreamTcpStateDispatch /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/stream-tcp.c:4613:17
    #19 0x167848d in StreamTcpPacket /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/stream-tcp.c:4790:13
    #20 0x168233c in StreamTcp /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/stream-tcp.c:5126:11
    #21 0x1446fff in FlowWorker /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/flow-worker.c:216:9
    #22 0x185069e in TmThreadsSlotVarRun /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/tm-threads.c:143:17
    #23 0x186258e in TmThreadsSlotVar /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/tm-threads.c:598:17
    #24 0x4ef3ce in __asan::AsanThread::ThreadStart(unsigned long, __sanitizer::atomic_uintptr_t*) (/opt/suricata-asan/bin/suricata+0x4ef3ce)

Thread T27 (W#26) created by T0 (Suricata-Main) here:
    #0 0x43a970 in pthread_create (/opt/suricata-asan/bin/suricata+0x43a970)
    #1 0x185df13 in TmThreadSpawn /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/tm-threads.c:1895:14
    #2 0x15f8a25 in RunModeFilePcapAutoFp /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/runmode-pcap-file.c:255:13
    #3 0x160f6a1 in RunModeDispatch /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/runmodes.c:384:5
    #4 0x181f8d7 in main /home/pmanev/inthetrenches/test/asan-ginfiz-runs/suricata/src/suricata.c:2999:5
    #5 0x7fce56e75b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow (/opt/suricata-asan/bin/suricata+0x44f4fd) in __interceptor_vsnprintf
Shadow bytes around the buggy address:
  0x0c18800163b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c18800163c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c18800163d0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c18800163e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c18800163f0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c1880016400: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0c1880016410: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1880016420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1880016430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1880016440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1880016450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6828==ABORTING

Build-info:

This is Suricata version 4.1.0-dev (rev b51e4a39)
Features: UNITTESTS PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS MAGIC RUST 
SIMD support: SSE_4_2 SSE_4_1 SSE_3 
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.2.1 Compatible Clang 6.0.0 (tags/RELEASE_600/final), C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.28, linked against LibHTP v0.5.28

Suricata Configuration:
  AF_PACKET support:                       yes
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  liblzma support:                         yes
  hiredis support:                         no
  hiredis async with libevent:             no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes, through luajit
  libluajit:                               yes
  libgeoip:                                yes
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  Hyperscan support:                       yes
  Libnet support:                          yes
  liblz4 support:                          yes

  Rust support:                            yes (default)
  Rust strict mode:                        yes
  Rust debug mode:                         no
  Rust compiler:                           rustc 1.30.0
  Rust cargo:                              cargo 1.30.0

  Install suricatasc:                      yes
  Install suricata-update:                 no

  Profiling enabled:                       no
  Profiling locks enabled:                 no

Development settings:
  Coccinelle / spatch:                     yes
  Unit tests enabled:                      yes
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /opt/suricata-asan
  Configuration directory:                 /opt/suricata-asan/etc/suricata/
  Log directory:                           /opt/suricata-asan/var/log/suricata/

  --prefix                                 /opt/suricata-asan
  --sysconfdir                             /opt/suricata-asan/etc
  --localstatedir                          /opt/suricata-asan/var
  --datarootdir                            /opt/suricata-asan/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                clang (exec name) / clang (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -ggdb3 -Werror -Wchar-subscripts -fno-strict-aliasing -fstack-protector-all -fsanitize=address -fno-omit-frame-pointer -Wno-unused-parameter -Wno-unused-function -march=native -I${srcdir}/../rust/gen/c-headers
  PCAP_CFLAGS                               -I/usr/include
  SECCFLAGS                                
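
The report above places the bad write in an snprintf call inside Ja3BufferAppendBuffer (util-ja3.c:134), two bytes written starting one byte past the end of a 128-byte heap region that Ja3BufferAddValue had allocated (util-ja3.c:181). That shape, a formatted append landing exactly one byte beyond a malloc'd region, is what you get when the space reserved for an append does not count the terminating NUL. The page does not show the code, so the following is an added example, not Suricata's util-ja3.c and not a reconstruction of the fix: a hypothetical StrBuf type that builds a JA3-style "version,cipher-cipher-..." string on the heap, with the size accounting an snprintf append needs and with the snprintf size argument bounded by the remaining capacity so a miscount cannot turn into an out-of-bounds write. The inputs are constructed values, not data from the reporter's pcap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable NUL-terminated heap string. Hypothetical type for this example,
 * not the JA3Buffer used by Suricata. */
typedef struct {
    char *data;   /* NUL-terminated contents */
    size_t used;  /* strlen(data) */
    size_t cap;   /* bytes malloc'd for data, including room for the NUL */
} StrBuf;

static int sb_init(StrBuf *sb)
{
    sb->cap = 16;
    sb->used = 0;
    sb->data = malloc(sb->cap);
    if (sb->data == NULL)
        return -1;
    sb->data[0] = '\0';
    return 0;
}

/* Append sep followed by value, growing the buffer when needed.
 * snprintf(NULL, 0, ...) returns the formatted length WITHOUT the
 * terminating NUL, so the space required is used + needed + 1. Sizing the
 * allocation as used + needed is the one-byte shortfall that ASan reports
 * as a write "1 bytes to the right" of the region. */
static int sb_append(StrBuf *sb, const char *sep, const char *value)
{
    int needed = snprintf(NULL, 0, "%s%s", sep, value);
    if (needed < 0)
        return -1;
    size_t total = sb->used + (size_t)needed + 1;   /* +1 for the NUL */
    if (total > sb->cap) {
        size_t ncap = sb->cap;
        while (ncap < total)
            ncap *= 2;
        char *p = realloc(sb->data, ncap);
        if (p == NULL)
            return -1;
        sb->data = p;
        sb->cap = ncap;
    }
    /* The size argument is the remaining capacity, so snprintf cannot write
     * past the allocation even if the accounting above were wrong; a
     * truncated result is then reported as an error instead of a corruption. */
    int w = snprintf(sb->data + sb->used, sb->cap - sb->used, "%s%s", sep, value);
    if (w < 0 || w != needed)
        return -1;
    sb->used += (size_t)w;
    return 0;
}

/* Build the "version,cipher-cipher-..." prefix of a JA3-style string from
 * numeric inputs. Caller frees the result. */
static char *build_ja3_prefix(unsigned version, const unsigned *ciphers, size_t n)
{
    StrBuf sb;
    char tmp[16];
    if (sb_init(&sb) != 0)
        return NULL;
    snprintf(tmp, sizeof tmp, "%u", version);
    if (sb_append(&sb, "", tmp) != 0)
        goto fail;
    for (size_t i = 0; i < n; i++) {
        snprintf(tmp, sizeof tmp, "%u", ciphers[i]);
        if (sb_append(&sb, i == 0 ? "," : "-", tmp) != 0)
            goto fail;
    }
    return sb.data;
fail:
    free(sb.data);
    return NULL;
}

int main(void)
{
    /* Constructed sample: TLS 1.2 (771) offering three TLS 1.3 suites. */
    const unsigned ciphers[] = { 4865, 4866, 4867 };
    char *s = build_ja3_prefix(771, ciphers, 3);
    if (s == NULL)
        return 1;
    printf("%s\n", s);   /* 771,4865-4866-4867 */
    free(s);
    return 0;
}
```

Compiled with the same -fsanitize=address flags as the reporter's build, the exact-fit case is the one worth checking: a 15-character string in a 16-byte region is legal only because the NUL is counted, and the next append must grow the region before writing. Dropping the +1 in sb_append reproduces the "1 bytes to the right of ... region" report shape from this ticket on the first exact-fit append.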


Related issues

Copied to Bug #2822: SSLv3 - AddressSanitizer heap-buffer-overflow (5.0.x) (Closed)

History

#1

Updated by Victor Julien 2 months ago

  • Status changed from New to Assigned
  • Assignee set to Mats Klepsland
  • Priority changed from Normal to High
  • Target version set to 4.1.3
#2

Updated by Mats Klepsland 2 months ago

I have confirmed that I can replicate the bug. I'll take a closer look as soon as possible.

#3

Updated by Victor Julien about 1 month ago

  • Priority changed from High to Urgent
#4

Updated by Jason Taylor about 1 month ago

Could a sample pcap be posted? Looking for a sample for the suricata-verify test. Thanks!

#5

Updated by Victor Julien about 1 month ago

  • Copied to Bug #2822: SSLv3 - AddressSanitizer heap-buffer-overflow (5.0.x) added
#6

Updated by Victor Julien 23 days ago

  • Status changed from Assigned to Closed
  • Priority changed from Urgent to Normal
