Bug #3967 (closed): Suricata ASAN issue when detect.profiling.grouping.dump-to-disk=true
Description
Seen on 5.0.2 but also present in master-5.0.x
$ sudo src/suricata -c suricata.yaml -r ~/pcap -l /tmp/ll --set detect.profiling.grouping.dump-to-disk=true
[3855] 3/9/2020 -- 11:41:26 - (suricata.c:1093) <Notice> (LogVersion) -- This is Suricata version 5.0.4-dev running in USER mode
=================================================================
==3855==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcded61ff0 at pc 0x55b7dbae901c bp 0x7ffcded61e80 sp 0x7ffcded61e70
READ of size 4 at 0x7ffcded61ff0 thread T0 (Suricata-Main)
#0 0x55b7dbae901b in RulesGroupPrintSghStats /home/jlucovsky/src/jal/backports-5.0.x/src/detect-engine-build.c:745
#1 0x55b7dbaea1c1 in RulesDumpGrouping /home/jlucovsky/src/jal/backports-5.0.x/src/detect-engine-build.c:875
#2 0x55b7dbaf1209 in SigAddressPrepareStage4 /home/jlucovsky/src/jal/backports-5.0.x/src/detect-engine-build.c:1808
#3 0x55b7dbaf1fbf in SigGroupBuild /home/jlucovsky/src/jal/backports-5.0.x/src/detect-engine-build.c:1913
#4 0x55b7dbb6eba6 in SigLoadSignatures /home/jlucovsky/src/jal/backports-5.0.x/src/detect-engine-loader.c:368
#5 0x55b7dc345067 in LoadSignatures /home/jlucovsky/src/jal/backports-5.0.x/src/suricata.c:2486
#6 0x55b7dc346839 in PostConfLoadedDetectSetup /home/jlucovsky/src/jal/backports-5.0.x/src/suricata.c:2640
#7 0x55b7dc349f1e in main /home/jlucovsky/src/jal/backports-5.0.x/src/suricata.c:3065
#8 0x7f7a132c6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#9 0x55b7db4cd5f9 in _start (/home/jlucovsky/src/jal/master-5.0.x/src/.libs/suricata+0x1f85f9)
Address 0x7ffcded61ff0 is located in stack of thread T0 (Suricata-Main) at offset 144 in frame
#0 0x55b7dbae824d in RulesGroupPrintSghStats /home/jlucovsky/src/jal/backports-5.0.x/src/detect-engine-build.c:622
This frame has 4 object(s):
[32, 144) 'mpm_stats' <== Memory access at offset 144 overflows this variable
[192, 308) 'alstats'
[352, 1164) 'alproto_mpm_bufs'
[1216, 8384) 'mpm_sizes'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/jlucovsky/src/jal/backports-5.0.x/src/detect-engine-build.c:745 in RulesGroupPrintSghStats
Shadow bytes around the buggy address:
0x10001bda43a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001bda43b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001bda43c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001bda43d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001bda43e0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x10001bda43f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f2]f2
0x10001bda4400: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
0x10001bda4410: 00 00 04 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
0x10001bda4420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001bda4430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001bda4440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3855==ABORTING
Updated by Jeff Lucovsky about 5 years ago
- Copied from Bug #3904: Suricata ASAN issue when detect.profiling.grouping.dump-to-disk=true added
Updated by Jeff Lucovsky about 5 years ago
- Status changed from Assigned to In Review
Updated by Victor Julien about 5 years ago
- Status changed from In Review to Closed