Project

General

Profile

Actions

Bug #3226

closed

ftp: ASAN error

Added by Victor Julien over 2 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

AddressSanitizer:DEADLYSIGNAL
=================================================================
==13109==ERROR: AddressSanitizer: SEGV on unknown address 0x60210149c62f (pc 0x000000631fc6 bp 0x7fe6582825f0 sp 0x7fe6582820e0 T56)
==13109==The signal is caused by a WRITE memory access.
    #0 0x631fc5 in FTPParseRequest /home/victor/dev/suricata/src/app-layer-ftp.c
    #1 0x676f2b in AppLayerParserParse /home/victor/dev/suricata/src/app-layer-parser.c:1225:13
    #2 0x531993 in AppLayerHandleTCPData /home/victor/dev/suricata/src/app-layer.c:660:17
    #3 0xd18545 in ReassembleUpdateAppLayer /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1066:11
    #4 0xd17140 in StreamTcpReassembleAppLayer /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1123:12
    #5 0xd1df1a in StreamTcpReassembleHandleSegmentUpdateACK /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1689:9
    #6 0xd1dbd7 in StreamTcpReassembleHandleSegment /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1732:9
    #7 0xcf3970 in HandleEstablishedPacketToClient /home/victor/dev/suricata/src/stream-tcp.c:2408:9
    #8 0xcb5bb2 in StreamTcpPacketStateEstablished /home/victor/dev/suricata/src/stream-tcp.c:2645:13
    #9 0xc9396c in StreamTcpStateDispatch /home/victor/dev/suricata/src/stream-tcp.c:4650:17
    #10 0xc8a300 in StreamTcpPacket /home/victor/dev/suricata/src/stream-tcp.c:4838:13
    #11 0xc94a09 in StreamTcp /home/victor/dev/suricata/src/stream-tcp.c:5174:11
    #12 0xa7e0de in FlowWorker /home/victor/dev/suricata/src/flow-worker.c:233:9
    #13 0xd5ef38 in TmThreadsSlotVarRun /home/victor/dev/suricata/src/tm-threads.c:128:17
    #14 0xd70548 in TmThreadsSlotVar /home/victor/dev/suricata/src/tm-threads.c:585:17
    #15 0x7fe68ad446da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
AddressSanitizer:DEADLYSIGNAL
    #16 0x7fe68886988e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/victor/dev/suricata/src/app-layer-ftp.c in FTPParseRequest
Thread T56 (W#55) created by T0 (Suricata-Main) here:
    #0 0x4b3f9d in pthread_create (/home/victor/dev/suricata/src/suricata+0x4b3f9d)
    #1 0xd6c1b2 in TmThreadSpawn /home/victor/dev/suricata/src/tm-threads.c:1868:14
    #2 0xc0d989 in RunModeFilePcapAutoFp /home/victor/dev/suricata/src/runmode-pcap-file.c:252:13
    #3 0xc243eb in RunModeDispatch /home/victor/dev/suricata/src/runmodes.c:377:5
    #4 0xd2e861 in main /home/victor/dev/suricata/src/suricata.c:3034:5
    #5 0x7fe688769b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

==13109==ABORTING

This is with a very large pcap, so will see if I can somehow isolate it. Please see if you can find an issue based on the above bt.

Related issues

Copied to Bug #3272: ftp: ASAN error (4.1.x)RejectedActions
Actions #1

Updated by Victor Julien over 2 years ago

Possibly related: disk was full when this happened.

Actions #2

Updated by Victor Julien over 2 years ago

Thread 14 "W#12" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffdb757700 (LWP 31841)]
0x0000000000631fc6 in FTPParseRequest (f=0x6130042cc940, ftp_state=0x60c00278ddc0, pstate=0x604001d9be90, input=0x61d00300b728 "RETR\r\n", input_len=6, local_data=0x6020007a7b10, flags=4 '\004')
    at app-layer-ftp.c:641
641                         data->file_name[state->current_line_len - 5] = 0;
(gdb) bt
#0  0x0000000000631fc6 in FTPParseRequest (f=0x6130042cc940, ftp_state=0x60c00278ddc0, pstate=0x604001d9be90, input=0x61d00300b728 "RETR\r\n", input_len=6, local_data=0x6020007a7b10, 
    flags=4 '\004') at app-layer-ftp.c:641
#1  0x0000000000676f2c in AppLayerParserParse (tv=0x612000da4040, alp_tctx=0x61a000fb6a80, f=0x6130042cc940, alproto=2, flags=4 '\004', input=0x61d00300b728 "RETR\r\n", input_len=6)
    at app-layer-parser.c:1225
#2  0x0000000000531994 in AppLayerHandleTCPData (tv=0x612000da4040, ra_ctx=0x6030026d5350, p=0x61e01a08ec80, f=0x6130042cc940, ssn=0x612001360840, stream=0x7fffdb753e60, 
    data=0x61d00300b728 "RETR\r\n", data_len=6, flags=4 '\004') at app-layer.c:660
#3  0x0000000000d18546 in ReassembleUpdateAppLayer (tv=0x612000da4040, ra_ctx=0x6030026d5350, ssn=0x612001360840, stream=0x7fffdb753e60, p=0x61e01a08ec80, dir=UPDATE_DIR_OPPOSING)
    at stream-tcp-reassemble.c:1066
#4  0x0000000000d17141 in StreamTcpReassembleAppLayer (tv=0x612000da4040, ra_ctx=0x6030026d5350, ssn=0x612001360840, stream=0x6120013608d0, p=0x61e01a08ec80, dir=UPDATE_DIR_OPPOSING)
    at stream-tcp-reassemble.c:1123
#5  0x0000000000d1df1b in StreamTcpReassembleHandleSegmentUpdateACK (tv=0x612000da4040, ra_ctx=0x6030026d5350, ssn=0x612001360840, stream=0x6120013608d0, p=0x61e01a08ec80)
    at stream-tcp-reassemble.c:1689
#6  0x0000000000d1dbd8 in StreamTcpReassembleHandleSegment (tv=0x612000da4040, ra_ctx=0x6030026d5350, ssn=0x612001360840, stream=0x612001360850, p=0x61e01a08ec80, pq=0x60e0017d2fc8)
    at stream-tcp-reassemble.c:1732
#7  0x0000000000cf3971 in HandleEstablishedPacketToClient (tv=0x612000da4040, ssn=0x612001360840, p=0x61e01a08ec80, stt=0x60e0017d2fc0, pq=0x60e0017d2fc8) at stream-tcp.c:2408
#8  0x0000000000cb5bb3 in StreamTcpPacketStateEstablished (tv=0x612000da4040, p=0x61e01a08ec80, stt=0x60e0017d2fc0, ssn=0x612001360840, pq=0x60e0017d2fc8) at stream-tcp.c:2645
#9  0x0000000000c9396d in StreamTcpStateDispatch (tv=0x612000da4040, p=0x61e01a08ec80, stt=0x60e0017d2fc0, ssn=0x612001360840, pq=0x60e0017d2fc8, state=4 '\004') at stream-tcp.c:4650
#10 0x0000000000c8a301 in StreamTcpPacket (tv=0x612000da4040, p=0x61e01a08ec80, stt=0x60e0017d2fc0, pq=0x60e0016fc668) at stream-tcp.c:4838
#11 0x0000000000c94a0a in StreamTcp (tv=0x612000da4040, p=0x61e01a08ec80, data=0x60e0017d2fc0, pq=0x60e0016fc668, postpq=0x0) at stream-tcp.c:5174
#12 0x0000000000a7e0df in FlowWorker (tv=0x612000da4040, p=0x61e01a08ec80, data=0x60e0016fc640, preq=0x612001017980, unused=0x6120010179f0) at flow-worker.c:233
#13 0x0000000000d5ef39 in TmThreadsSlotVarRun (tv=0x612000da4040, p=0x61e01a08ec80, slot=0x612001017940) at tm-threads.c:128
#14 0x0000000000d70549 in TmThreadsSlotVar (td=0x612000da4040) at tm-threads.c:585
#15 0x00007ffff69836db in start_thread (arg=0x7fffdb757700) at pthread_create.c:463
#16 0x00007ffff44a888f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb) print data->file_name
$1 = (uint8_t *) 0x602001205170 "\247\002" 
(gdb) print state->current_line_len 
$2 = 4
(gdb)
Actions #3

Updated by Jeff Lucovsky over 2 years ago

This also occurred while fuzzing:

11ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000150 (pc 0x00000056158f bp 0x7fff505a1260 sp 0x7fff505a1210 T11)
11The signal is caused by a READ memory access.
11Hint: address points to the zero page.
#0 0x56158e in FTPDataParse /src/suricata/src/app-layer-ftp.c
#1 0x59426b in AppLayerParserParse /src/suricata/src/app-layer-parser.c:1225:13
#2 0x4c7632 in LLVMFuzzerTestOneInput /src/suricata/src/tests/fuzz/fuzz_applayerparserparse.c:122:16
#3 0x456561 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#4 0x455c85 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
#5 0x458027 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
#6 0x458db5 in fuzzer::Fuzzer::Loop(std::Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:830:5
#7 0x446f38 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:824:6
#8 0x470fb2 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#9 0x7f625460582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#10 0x41a538 in _start (/out/fuzz_applayerparserparse+0x41a538)
Actions #4

Updated by Jeff Lucovsky over 2 years ago

This is occurs because the code presumes there are at least 6 characters in

state->current_line
(exclusive of the trailing
\r\n

https://github.com/OISF/suricata/blob/master/src/app-layer-ftp.c#L641:L642

Actions #5

Updated by Victor Julien over 2 years ago

  • Status changed from Assigned to Closed
  • Priority changed from High to Normal
Actions #6

Updated by Victor Julien over 2 years ago

  • Copied to Bug #3272: ftp: ASAN error (4.1.x) added
Actions

Also available in: Atom PDF