Bug #3904: Suricata ASAN issue when detect.profiling.grouping.dump-to-disk=true
Status: Closed
Label: Needs backport to 4.1, Needs backport to 5.0
Description
Seen on 5.0.2 but also present in master-5.0.x
$ sudo src/suricata -c suricata.yaml -r ~/pcap -l /tmp/ll --set detect.profiling.grouping.dump-to-disk=true
[3855] 3/9/2020 -- 11:41:26 - (suricata.c:1093) <Notice> (LogVersion) -- This is Suricata version 5.0.4-dev running in USER mode
=================================================================
==3855==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcded61ff0 at pc 0x55b7dbae901c bp 0x7ffcded61e80 sp 0x7ffcded61e70
READ of size 4 at 0x7ffcded61ff0 thread T0 (Suricata-Main)
    #0 0x55b7dbae901b in RulesGroupPrintSghStats /home/jlucovsky/src/jal/backports-5.0.x/src/detect-engine-build.c:745
    #1 0x55b7dbaea1c1 in RulesDumpGrouping /home/jlucovsky/src/jal/backports-5.0.x/src/detect-engine-build.c:875
    #2 0x55b7dbaf1209 in SigAddressPrepareStage4 /home/jlucovsky/src/jal/backports-5.0.x/src/detect-engine-build.c:1808
    #3 0x55b7dbaf1fbf in SigGroupBuild /home/jlucovsky/src/jal/backports-5.0.x/src/detect-engine-build.c:1913
    #4 0x55b7dbb6eba6 in SigLoadSignatures /home/jlucovsky/src/jal/backports-5.0.x/src/detect-engine-loader.c:368
    #5 0x55b7dc345067 in LoadSignatures /home/jlucovsky/src/jal/backports-5.0.x/src/suricata.c:2486
    #6 0x55b7dc346839 in PostConfLoadedDetectSetup /home/jlucovsky/src/jal/backports-5.0.x/src/suricata.c:2640
    #7 0x55b7dc349f1e in main /home/jlucovsky/src/jal/backports-5.0.x/src/suricata.c:3065
    #8 0x7f7a132c6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x55b7db4cd5f9 in _start (/home/jlucovsky/src/jal/master-5.0.x/src/.libs/suricata+0x1f85f9)

Address 0x7ffcded61ff0 is located in stack of thread T0 (Suricata-Main) at offset 144 in frame
    #0 0x55b7dbae824d in RulesGroupPrintSghStats /home/jlucovsky/src/jal/backports-5.0.x/src/detect-engine-build.c:622

  This frame has 4 object(s):
    [32, 144) 'mpm_stats' <== Memory access at offset 144 overflows this variable
    [192, 308) 'alstats'
    [352, 1164) 'alproto_mpm_bufs'
    [1216, 8384) 'mpm_sizes'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/jlucovsky/src/jal/backports-5.0.x/src/detect-engine-build.c:745 in RulesGroupPrintSghStats
==3855==ABORTING
Updated by Jeff Lucovsky over 4 years ago
Confirmed to exist in master, master-5.0.x, master-4.1.x
Updated by Victor Julien over 4 years ago
- Status changed from New to Assigned
- Assignee set to Jeff Lucovsky
- Target version set to 6.0.0
- Label Needs backport to 4.1, Needs backport to 5.0 added
Updated by Jeff Lucovsky about 4 years ago
- Status changed from Assigned to In Review
Updated by Jeff Lucovsky about 4 years ago
- Copied to Bug #3966: Suricata ASAN issue when detect.profiling.grouping.dump-to-disk=true added
Updated by Jeff Lucovsky about 4 years ago
- Copied to Bug #3967: Suricata ASAN issue when detect.profiling.grouping.dump-to-disk=true added
Updated by Victor Julien about 4 years ago
- Status changed from In Review to Closed