Project

General

Profile

Actions

Bug #3904

closed

Suricata ASAN issue when detect.profiling.grouping.dump-to-disk=true

Added by Jeff Lucovsky over 4 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport to 4.1, Needs backport to 5.0

Description

Seen on 5.0.2 but also present in master-5.0.x

$ sudo src/suricata -c suricata.yaml -r ~/pcap -l /tmp/ll --set detect.profiling.grouping.dump-to-disk=true
[3855] 3/9/2020 -- 11:41:26 - (suricata.c:1093) <Notice> (LogVersion) -- This is Suricata version 5.0.4-dev running in USER mode
=================================================================
==3855==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcded61ff0 at pc 0x55b7dbae901c bp 0x7ffcded61e80 sp 0x7ffcded61e70
READ of size 4 at 0x7ffcded61ff0 thread T0 (Suricata-Main)
    #0 0x55b7dbae901b in RulesGroupPrintSghStats /home/jlucovsky/src/jal/backports-5.0.x/src/detect-engine-build.c:745
    #1 0x55b7dbaea1c1 in RulesDumpGrouping /home/jlucovsky/src/jal/backports-5.0.x/src/detect-engine-build.c:875
    #2 0x55b7dbaf1209 in SigAddressPrepareStage4 /home/jlucovsky/src/jal/backports-5.0.x/src/detect-engine-build.c:1808
    #3 0x55b7dbaf1fbf in SigGroupBuild /home/jlucovsky/src/jal/backports-5.0.x/src/detect-engine-build.c:1913
    #4 0x55b7dbb6eba6 in SigLoadSignatures /home/jlucovsky/src/jal/backports-5.0.x/src/detect-engine-loader.c:368
    #5 0x55b7dc345067 in LoadSignatures /home/jlucovsky/src/jal/backports-5.0.x/src/suricata.c:2486
    #6 0x55b7dc346839 in PostConfLoadedDetectSetup /home/jlucovsky/src/jal/backports-5.0.x/src/suricata.c:2640
    #7 0x55b7dc349f1e in main /home/jlucovsky/src/jal/backports-5.0.x/src/suricata.c:3065
    #8 0x7f7a132c6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x55b7db4cd5f9 in _start (/home/jlucovsky/src/jal/master-5.0.x/src/.libs/suricata+0x1f85f9)

Address 0x7ffcded61ff0 is located in stack of thread T0 (Suricata-Main) at offset 144 in frame
    #0 0x55b7dbae824d in RulesGroupPrintSghStats /home/jlucovsky/src/jal/backports-5.0.x/src/detect-engine-build.c:622

  This frame has 4 object(s):
    [32, 144) 'mpm_stats' <== Memory access at offset 144 overflows this variable
    [192, 308) 'alstats'
    [352, 1164) 'alproto_mpm_bufs'
    [1216, 8384) 'mpm_sizes'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/jlucovsky/src/jal/backports-5.0.x/src/detect-engine-build.c:745 in RulesGroupPrintSghStats
Shadow bytes around the buggy address:
  0x10001bda43a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001bda43b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001bda43c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001bda43d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001bda43e0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x10001bda43f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f2]f2
  0x10001bda4400: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001bda4410: 00 00 04 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
  0x10001bda4420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001bda4430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001bda4440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3855==ABORTING

Related issues 2 (0 open2 closed)

Copied to Suricata - Bug #3966: Suricata ASAN issue when detect.profiling.grouping.dump-to-disk=trueClosedShivani BhardwajActions
Copied to Suricata - Bug #3967: Suricata ASAN issue when detect.profiling.grouping.dump-to-disk=trueClosedJeff LucovskyActions
Actions #1

Updated by Jeff Lucovsky over 4 years ago

  • Affected Versions 6.0.0beta1 added
Actions #2

Updated by Jeff Lucovsky over 4 years ago

  • Affected Versions 4.1.8 added
Actions #3

Updated by Jeff Lucovsky over 4 years ago

Confirmed to exist in master, master-5.0.x, master-4.1.x

Actions #4

Updated by Victor Julien over 4 years ago

  • Status changed from New to Assigned
  • Assignee set to Jeff Lucovsky
  • Target version set to 6.0.0
  • Label Needs backport to 4.1, Needs backport to 5.0 added
Actions #5

Updated by Jeff Lucovsky about 4 years ago

  • Status changed from Assigned to In Review
Actions #6

Updated by Jeff Lucovsky about 4 years ago

  • Copied to Bug #3966: Suricata ASAN issue when detect.profiling.grouping.dump-to-disk=true added
Actions #7

Updated by Jeff Lucovsky about 4 years ago

  • Copied to Bug #3967: Suricata ASAN issue when detect.profiling.grouping.dump-to-disk=true added
Actions #8

Updated by Victor Julien about 4 years ago

  • Status changed from In Review to Closed
Actions

Also available in: Atom PDF