Actions
Bug #3888
closed6.0.0-dev - heap-buffer-overflow /opt/suricata/src/flow-manager.c:472:34 in FlowTimeoutHash with AFPv3
Affected Versions:
Effort:
Difficulty:
Label:
Description
Stable is not affected.
This does not affect stable versions - 5.0.x
Only 6.0.0-dev/git master is affected.
After running for a while the following can be triggered/observed:
================================================================= ==16264==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f47cc5f0038 at pc 0x00000093f1d1 bp 0x7f47531ffdf0 sp 0x7f47531ffde8 READ of size 4 at 0x7f47cc5f0038 thread T71 (FM#07) [17946] 22/8/2020 -- 23:46:21 - (source-af-packet.c:1784) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=1048576 block_nr=1270 frame_size=1664 frame_nr=800100 (mem: 1331691520) #0 0x93f1d0 in FlowTimeoutHash /opt/suricata/src/flow-manager.c:472:34 #1 0x93ffd8 in FlowTimeoutHashInChunks /opt/suricata/src/flow-manager.c:552:26 #2 0x93b84c in FlowManager /opt/suricata/src/flow-manager.c:897:21 #3 0xb7487b in TmThreadsManagement /opt/suricata/src/tm-threads.c:541:9 #4 0x7f47e1228fa2 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7fa2) #5 0x7f47e017c4ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce) 0x7f47cc5f0038 is located 56 bytes to the right of 1029670912-byte region [0x7f478eff7800,0x7f47cc5f0000) allocated by thread T0 (Suricata-Main) here: #0 0x556149 in posix_memalign (/usr/local/bin/suricata+0x556149) #1 0xc2add9 in SCMallocAlignedFunc /opt/suricata/src/util-mem.c:116:13 #2 0x921cae in FlowInitConfig /opt/suricata/src/flow.c:606:17 #3 0xb4a432 in PreRunInit /opt/suricata/src/suricata.c:2026:5 #4 0xb4c409 in PostConfLoadedSetup /opt/suricata/src/suricata.c:2625:5 #5 0xb4ec45 in SuricataMain /opt/suricata/src/suricata.c:2782:9 #6 0x58464e in main /opt/suricata/src/main.c:22:12 #7 0x7f47e00a709a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) Thread T71 (FM#07) created by T0 (Suricata-Main) here: #0 0x53dd8d in pthread_create (/usr/local/bin/suricata+0x53dd8d) #1 0xb6dd04 in TmThreadSpawn /opt/suricata/src/tm-threads.c:1721:14 #2 0x938e72 in FlowManagerThreadSpawn /opt/suricata/src/flow-manager.c:1077:13 #3 0xa6b64d in RunModeDispatch /opt/suricata/src/runmodes.c:401:9 #4 0xb4eff1 in SuricataMain /opt/suricata/src/suricata.c:2805:5 #5 0x58464e in main /opt/suricata/src/main.c:22:12 #6 0x7f47e00a709a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) SUMMARY: AddressSanitizer: heap-buffer-overflow /opt/suricata/src/flow-manager.c:472:34 in FlowTimeoutHash Shadow bytes around the buggy address: 0x0fe9798b5fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe9798b5fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe9798b5fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe9798b5fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe9798b5ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0fe9798b6000: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa 0x0fe9798b6010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe9798b6020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe9798b6030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe9798b6040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe9798b6050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==16264==ABORTING
Compile build-info and other extra information can be found in the attached
Files
Updated by Peter Manev over 4 years ago
- File overflow-extrainfo overflow-extrainfo added
Extra info attached.
Seems related to - https://redmine.openinfosecfoundation.org/issues/3885
Updated by Victor Julien over 4 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version set to 6.0.0rc1
Updated by Victor Julien over 4 years ago
- Status changed from Assigned to Closed
- Priority changed from High to Normal
Actions