https://redmine.openinfosecfoundation.org/
2021-01-24T09:10:38Z
Open Information Security Foundation
Suricata - Bug #4273: protodetect: SEGV due to NULL ptr deref
https://redmine.openinfosecfoundation.org/issues/4273?journal_id=19088
2021-01-24T09:10:38Z
Peter Manev
petermanev@gmail.com
<p>The issue seems very similar to <a class="external" href="https://redmine.openinfosecfoundation.org/issues/2141">https://redmine.openinfosecfoundation.org/issues/2141</a><br />hs produces <br /><pre>
(util-mpm-hs.c:952) (SCHSSearch) -- [ERRCODE: SC_ERR_FATAL(171)] - Hyperscan returned error -1
</pre></p>
https://redmine.openinfosecfoundation.org/issues/4273?journal_id=19204
2021-02-03T17:39:05Z
Peter Manev
petermanev@gmail.com
<p>Other choices of algos segfault/fail in a similar manner - <a class="external" href="https://github.com/StamusNetworks/SELKS/issues/285#issuecomment-771543404">https://github.com/StamusNetworks/SELKS/issues/285#issuecomment-771543404</a></p>
https://redmine.openinfosecfoundation.org/issues/4273?journal_id=19205
2021-02-03T17:46:14Z
Victor Julien
victor@inliniac.net
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> set to <i>Philippe Antoine</i></li><li><strong>Target version</strong> set to <i>7.0.0-beta1</i></li></ul><p>Seems we're passing a NULL ptr from protodetect to pattern matching, which shouldn't happen. Philippe can you have a look and also see if this needs to be fixed in 5 and 6?</p>
https://redmine.openinfosecfoundation.org/issues/4273?journal_id=19206
2021-02-03T17:47:44Z
Victor Julien
victor@inliniac.net
<ul><li><strong>Subject</strong> changed from <i>SIGSEV with ac-ks </i> to <i>protodetect: SEGV due to NULL ptr deref</i></li></ul>
https://redmine.openinfosecfoundation.org/issues/4273?journal_id=19222
2021-02-07T20:53:58Z
Philippe Antoine
<p>This seems to happen with midstream start having a gap</p>
<p>I am not sure about this condition <br /><code>if (mydata == NULL && mydata_len > 0 && CheckGap(ssn, *stream, p)) {</code><br />How can we have <code>mydata == NULL && mydata_len > 0</code> and <em>not</em> <code>CheckGap</code> ?</p>
<p>A proposal is in Gitlab for testing</p>
https://redmine.openinfosecfoundation.org/issues/4273?journal_id=19223
2021-02-07T20:56:57Z
Philippe Antoine
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>In Review</i></li></ul>
https://redmine.openinfosecfoundation.org/issues/4273?journal_id=19746
2021-04-20T20:06:13Z
Philippe Antoine
<ul><li><strong>Blocked by</strong> <i><a class="issue tracker-1 status-5 priority-4 priority-default closed" href="/issues/4171">Bug #4171</a>: Failed assert in TCPProtoDetectCheckBailConditions size_ts > 1000000UL</i> added</li></ul>
https://redmine.openinfosecfoundation.org/issues/4273?journal_id=19747
2021-04-20T20:06:40Z
Philippe Antoine
<p><a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: Failed assert in TCPProtoDetectCheckBailConditions size_ts > 1000000UL (Closed)" href="https://redmine.openinfosecfoundation.org/issues/4171">#4171</a> keeps being triggered by fuzz_sigpcap_ware, preventing us from finding new bugs...</p>
https://redmine.openinfosecfoundation.org/issues/4273?journal_id=20325
2021-07-12T16:13:47Z
Philippe Antoine
<p>It looks to me that to trigger this bug, we need:</p>
<ul>
<li>a gap at the stream start</li>
<li>reach the stream depth</li>
<li>and <code>CheckGap</code> has to return false</li>
</ul>
<p>I do not manage to get these conditions together...</p>
<p>Peter, do you have the core information? Does the offending flow have alproto* set?</p>
https://redmine.openinfosecfoundation.org/issues/4273?journal_id=20345
2021-07-21T07:50:39Z
Philippe Antoine
<p>Oh, but I see <code>flags=41</code> in the stack trace, that means <code>STREAM_START | STREAM_MIDSTREAM</code> but no <code>STREAM_DEPTH</code></p>
<p>I do not see how we can reach stream-tcp-reassemble.c:1175 with data=0x0, data_len=397, flags=41 ')'<br />As in the same block we have previously in a while loop<br /><pre><code class="c syntaxhl" data-language="c">if (mydata == NULL && mydata_len > 0 && CheckGap(ssn, *stream, p)) {
    //somestuff
    continue; // or break or return
} else if (flags & STREAM_DEPTH) {
    // flags = 41 so we do not get here
} else if (mydata == NULL || (mydata_len == 0 && ((flags & STREAM_EOF) == 0))) {
    //somestuff
    break;
}
//somestuff
//line 1175
</code></pre></p>
https://redmine.openinfosecfoundation.org/issues/4273?journal_id=20346
2021-07-22T15:49:00Z
Peter Manev
petermanev@gmail.com
<p>Another update, not sure if helpful:<br />Will this data be enough?<br /><pre>
(gdb) bt full
#0 SCACTileSearchTiny32 (ctx=0x55838a3427d0, mpm_thread_ctx=<optimized out>, pmq=0x7f1d5b1bd3b0, buf=0x0, buflen=8) at util-mpm-ac-ks-small.c:46
i = 0
matches = 0
mpm_bitarray = "\000\000"
xlate = 0x55838a3427d8 "\001\002\003\004"
state_table = 0x55838a353a10 "\200\200\200\200\200\201\203\211\217\200\200\200\200\200\200\200\225\200\200\200\242\200\232\236\200"
state = 0 '\000'
c = <optimized out>
#1 0x0000558389776f5f in PMGetProtoInspect (rflow=0x7f1da7a63527, pm_results=0x7f1da7a63440, direction=41 ')', buflen=205, buf=0x0, f=0x7f1d3b771db0, mpm_tctx=<optimized out>,
pm_ctx=0x558389c83fc8 <alpd_ctx+72>, tctx=0x7f1d5b1bd3b0) at app-layer-detect-proto.c:275
pm_matches = 0
searchlen = 8
search_cnt = <optimized out>
pm_results_bf = "\000\000\000"
pm_matches = <optimized out>
searchlen = <optimized out>
search_cnt = <optimized out>
pm_results_bf = <optimized out>
cnt = <optimized out>
s = <optimized out>
proto = <optimized out>
#2 AppLayerProtoDetectPMGetProto (rflow=0x7f1da7a63527, pm_results=0x7f1da7a63440, direction=41 ')', buflen=205, buf=0x0, f=0x7f1d3b771db0, tctx=0x7f1d5b1bd3b0) at app-layer-detect-proto.c:342
pm_ctx = 0x558389c83fc8 <alpd_ctx+72>
mpm_tctx = <optimized out>
m = -1
pm_ctx = <optimized out>
mpm_tctx = <optimized out>
m = <optimized out>
om = <optimized out>
#3 AppLayerProtoDetectGetProto (tctx=0x7f1d5b1bd3b0, f=f@entry=0x7f1d3b771db0, buf=buf@entry=0x0, buflen=buflen@entry=205, ipproto=ipproto@entry=6 '\006', direction=direction@entry=41 ')',
reverse_flow=0x7f1da7a63527) at app-layer-detect-proto.c:1551
pm_results = {0, 15223, 32541, 0, 29408, 56344, 21891, 0, 28928, 53986, 21891, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0}
pm_matches = <optimized out>
alproto = 0
pm_alproto = 0
#4 0x0000558389774dd4 in TCPProtoDetect (tv=0x5583abfd7e50, ra_ctx=0x7f1d5b1bd360, app_tctx=app_tctx@entry=0x7f1d5b1bd390, p=p@entry=0x7f1d5b160140, f=f@entry=0x7f1d3b771db0,
ssn=ssn@entry=0x7f1d2539f4d0, stream=0x7f1da7a63648, data=0x0, data_len=205, flags=41 ')') at app-layer.c:336
alproto = 0x7f1d3b771e6e
alproto_otherdir = 0x7f1d3b771e6c
direction = 1
reverse_flow = false
#5 0x0000558389775901 in AppLayerHandleTCPData (tv=tv@entry=0x5583abfd7e50, ra_ctx=ra_ctx@entry=0x7f1d5b1bd360, p=p@entry=0x7f1d5b160140, f=0x7f1d3b771db0, ssn=ssn@entry=0x7f1d2539f4d0,
stream=stream@entry=0x7f1da7a63648, data=0x0, data_len=205, flags=41 ')') at app-layer.c:642
app_tctx = <optimized out>
alproto = <optimized out>
r = 0
direction = 1
#6 0x0000558389869e67 in ReassembleUpdateAppLayer (dir=UPDATE_DIR_PACKET, p=0x7f1d5b160140, stream=0x7f1da7a63648, ssn=0x7f1d2539f4d0, ra_ctx=0x7f1d5b1bd360, tv=0x5583abfd7e50)
at stream-tcp-reassemble.c:1174
flags = <optimized out>
check_for_gap_ahead = <optimized out>
new_app_progress = <optimized out>
mydata = 0x0
mydata_len = 205
app_progress = 0
gap_ahead = <optimized out>
last_was_gap = false
app_progress = <optimized out>
mydata = <optimized out>
mydata_len = <optimized out>
gap_ahead = <optimized out>
last_was_gap = <optimized out>
flags = <optimized out>
check_for_gap_ahead = <optimized out>
new_app_progress = <optimized out>
r = <optimized out>
no_progress_update = <optimized out>
#7 StreamTcpReassembleAppLayer (tv=tv@entry=0x5583abfd7e50, ra_ctx=ra_ctx@entry=0x7f1d5b1bd360, ssn=ssn@entry=0x7f1d2539f4d0, stream=<optimized out>, stream@entry=0x7f1d2539f4e0,
p=p@entry=0x7f1d5b160140, dir=dir@entry=UPDATE_DIR_PACKET) at stream-tcp-reassemble.c:1237
No locals.
#8 0x000055838986add3 in StreamTcpReassembleHandleSegment (tv=tv@entry=0x5583abfd7e50, ra_ctx=0x7f1d5b1bd360, ssn=ssn@entry=0x7f1d2539f4d0, stream=0x7f1d2539f4e0, p=p@entry=0x7f1d5b160140,
pq=pq@entry=0x7f1d5b1bd058) at stream-tcp-reassemble.c:1899
opposing_stream = 0x7f1d2539f560
dir = UPDATE_DIR_PACKET
#9 0x000055838985fbee in HandleEstablishedPacketToClient (stt=<optimized out>, pq=<optimized out>, p=<optimized out>, ssn=<optimized out>, tv=<optimized out>) at stream-tcp.c:2318
zerowindowprobe = <optimized out>
zerowindowprobe = <optimized out>
ack_diff = <optimized out>
ack_diff = <optimized out>
ack_diff = <optimized out>
ack_diff = <optimized out>
sacked_size__ = <optimized out>
#10 StreamTcpPacketStateEstablished (tv=0x5583abfd7e50, p=0x7f1d5b160140, stt=stt@entry=0x7f1d5b1bd050, ssn=0x7f1d2539f4d0, pq=0x7f1d5b1bd058) at stream-tcp.c:2702
No locals.
#11 0x0000558389865068 in StreamTcpStateDispatch (tv=0x5583abfd7e50, p=0x7f1d5b160140, stt=0x7f1d5b1bd050, ssn=0x7f1d2539f4d0, pq=0x7f1d5b1bd058, state=<optimized out>) at stream-tcp.c:4703
No locals.
#12 0x0000558389866942 in StreamTcpPacket (tv=0x5583abfd7e50, p=0x7f1d5b160140, stt=0x7f1d5b1bd050, pq=0x7f1d5b19ac20) at stream-tcp.c:4889
ssn = 0x7f1d2539f4d0
#13 0x00005583898670e4 in StreamTcp (tv=tv@entry=0x5583abfd7e50, p=p@entry=0x7f1d5b160140, data=<optimized out>, pq=pq@entry=0x7f1d5b19ac20) at stream-tcp.c:5225
stt = <optimized out>
#14 0x000055838981eccf in FlowWorkerStreamTCPUpdate (detect_thread=0x55841d6e8750, p=0x7f1d5b160140, fw=0x7f1d5b19abf0, tv=0x5583abfd7e50) at flow-worker.c:524
x = <optimized out>
x = <optimized out>
#15 FlowWorker (tv=0x5583abfd7e50, p=0x7f1d5b160140, data=0x7f1d5b19abf0) at flow-worker.c:524
fw = 0x7f1d5b19abf0
detect_thread = 0x55841d6e8750
#16 0x0000558389872262 in TmThreadsSlotVarRun (tv=tv@entry=0x5583abfd7e50, p=p@entry=0x7f1d5b160140, slot=<optimized out>) at tm-threads.c:117
r = <optimized out>
s = 0x55839552eae0
#17 0x00005583898553c2 in TmThreadsSlotProcessPkt (p=0x7f1d5b160140, s=<optimized out>, tv=0x5583abfd7e50) at tm-threads.h:192
r = <optimized out>
r = <optimized out>
#18 AFPReadFromRing (ptv=ptv@entry=0x7f1d5b160b20) at source-af-packet.c:1011
p = 0x7f1d5b160140
h = {h2 = 0x7f1d57fb71a0, h3 = 0x7f1d57fb71a0, raw = 0x7f1d57fb71a0}
emergency_flush = 0 '\000'
read_pkts = 2
loop_start = -1
#19 0x0000558389855989 in ReceiveAFPLoop (tv=0x5583abfd7e50, data=0x7f1d5b160b20, slot=<optimized out>) at source-af-packet.c:1571
ptv = 0x7f1d5b160b20
fds = {fd = 7, events = 1, revents = 1}
r = <optimized out>
s = <optimized out>
last_dump = 1626694085
current_time = <optimized out>
AFPReadFunc = <optimized out>
discarded_pkts = <optimized out>
__FUNCTION__ = "ReceiveAFPLoop"
#20 0x000055838987394c in TmThreadsSlotPktAcqLoop (td=0x5583abfd7e50) at tm-threads.c:312
tv = 0x5583abfd7e50
s = 0x5583b8b042b0
run = 1 '\001'
r = <optimized out>
slot = <optimized out>
__FUNCTION__ = "TmThreadsSlotPktAcqLoop"
#21 0x00007f1daa6e1fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
ret = <optimized out>
pd = <optimized out>
now = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139765343471360, -8490725896049826362, 140730217742686, 140730217742687, 139765343471360, 140730217742960, 8363657869228074438,
8363665083564254662}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <optimized out>
#22 0x00007f1da98634cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
No locals.
</pre></p>
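<p>The trace above shows the matcher being entered with <code>buf=0x0</code> and <code>buflen=205</code> (search window <code>searchlen=8</code>): a NULL pointer with a non-zero length, which is how a gap is represented upstream, reaching code that only ever expects readable bytes. That kind of contract violation is cheapest to catch at the boundary. The block below is an added example written for this page; it is not Suricata's code and not the fix discussed in the thread. It sketches a miniature protocol-detection entry point that refuses a NULL buffer before any search, plus a chunk walker that treats NULL-with-length as a gap and moves on. The pattern table, flag bit values, function names and sample bytes are all constructed assumptions.</p>

```c
/* Added example for this thread, not Suricata's own code: a miniature
 * protocol-detection entry point that enforces the contract the crash
 * violated (a NULL buffer must never reach the pattern matcher) and a
 * chunk walker that treats "NULL data with a length" as a gap.  Pattern
 * table, flag bit values, names and sample bytes are all assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stream flag bits, named after the flags quoted in the thread. */
#define STREAM_START     0x01
#define STREAM_EOF       0x02
#define STREAM_DEPTH     0x20
#define STREAM_MIDSTREAM 0x40

enum pd_result {
    PD_GAP    = -2, /* caller described bytes it does not hold: skip, never read */
    PD_NODATA = -1, /* nothing to inspect yet */
    PD_NONE   = 0,  /* bytes inspected, no protocol pattern matched */
    PD_HTTP   = 1,
    PD_SSH    = 2,
};

/* A prefix pattern registered for protocol detection (constructed table). */
struct pd_pattern { const char *pat; enum pd_result proto; };
static const struct pd_pattern patterns[] = {
    { "GET ",  PD_HTTP }, { "POST ", PD_HTTP }, { "HTTP/", PD_HTTP },
    { "SSH-",  PD_SSH  },
};

/* The matcher reads buf[0..searchlen) unconditionally, like the MPM search
 * in frame #0 of the reported trace.  Validity of buf is the caller's job. */
static enum pd_result pm_search(const uint8_t *buf, size_t searchlen) {
    for (size_t i = 0; i < sizeof(patterns) / sizeof(patterns[0]); i++) {
        size_t n = strlen(patterns[i].pat);
        if (searchlen >= n && memcmp(buf, patterns[i].pat, n) == 0)
            return patterns[i].proto;
    }
    return PD_NONE;
}

/* Entry point from the stream layer.  Every early return here is a
 * condition that must be decided before anything dereferences buf. */
enum pd_result pd_get_proto(const uint8_t *buf, size_t buflen, uint8_t flags) {
    if (buf == NULL)
        return buflen > 0 ? PD_GAP : PD_NODATA;   /* buf=0x0, buflen=205 in the trace */
    if (flags & STREAM_DEPTH)
        return PD_NODATA;                         /* inspection depth exhausted */
    if (buflen == 0 && (flags & STREAM_EOF) == 0)
        return PD_NODATA;
    size_t searchlen = buflen < 8 ? buflen : 8;   /* bounded window, cf. searchlen=8 */
    return pm_search(buf, searchlen);
}

/* One reassembled segment as the app-layer update loop sees it:
 * data == NULL with len > 0 models a gap of len missing bytes. */
struct chunk { const uint8_t *data; size_t len; };

/* Walk the chunks in order, skipping gaps and empty segments, until
 * detection reaches a verdict.  Returns the last result so a flow that
 * never yields readable bytes is still visible as PD_GAP / PD_NODATA. */
enum pd_result detect_over_chunks(const struct chunk *chunks, size_t n, uint8_t flags) {
    enum pd_result r = PD_NODATA;
    for (size_t i = 0; i < n; i++) {
        r = pd_get_proto(chunks[i].data, chunks[i].len, flags);
        if (r == PD_GAP || r == PD_NODATA)
            continue;                  /* nothing readable yet, try the next segment */
        break;                         /* PD_NONE or a protocol: detection is done */
    }
    return r;
}

int main(void) {
    /* Constructed midstream flow: a 205-byte gap at the start, then real bytes. */
    static const uint8_t req[] = "GET / HTTP/1.1\r\n";
    const struct chunk flow[] = { { NULL, 205 }, { req, sizeof(req) - 1 } };
    uint8_t flags = STREAM_START | STREAM_MIDSTREAM;

    printf("gap only:   %d\n", pd_get_proto(NULL, 205, flags));     /* -2 (PD_GAP) */
    printf("whole flow: %d\n", detect_over_chunks(flow, 2, flags)); /* 1 (PD_HTTP) */
    return 0;
}
```

The point of the guard is placement: it sits in the function the stream layer calls, so it holds for every matcher behind it (the thread notes that other MPM choices fail in the same way), and it turns the invalid pointer/length pair into an explicit gap result the caller can reason about instead of a SEGV.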
https://redmine.openinfosecfoundation.org/issues/4273?journal_id=20380
2021-08-10T17:17:48Z
Sergey Svinarev
<p>Hi!<br />I initiated the original bug report on github:<br /><a class="external" href="https://github.com/StamusNetworks/SELKS/issues/285">https://github.com/StamusNetworks/SELKS/issues/285</a></p>
<p>Is there anything else I can help with in troubleshooting this issue?<br />The problem is relevant and often reproduced.</p>
https://redmine.openinfosecfoundation.org/issues/4273?journal_id=20771
2021-09-29T09:21:51Z
Peter Manev
petermanev@gmail.com
<p>Seems the fix in <br /><a class="external" href="https://github.com/catenacyber/suricata/tree/protodetect-midstream-gap-4273-v2">https://github.com/catenacyber/suricata/tree/protodetect-midstream-gap-4273-v2</a><br />fixes the issues, as reported here <br /><a class="external" href="https://github.com/StamusNetworks/SELKS/issues/285#issuecomment-929975930">https://github.com/StamusNetworks/SELKS/issues/285#issuecomment-929975930</a></p>
https://redmine.openinfosecfoundation.org/issues/4273?journal_id=20775
2021-09-29T11:34:04Z
Philippe Antoine
<ul><li><strong>Label</strong> <i>Needs backport, Needs backport to 5.0, Needs backport to 6.0</i> added</li></ul>
https://redmine.openinfosecfoundation.org/issues/4273?journal_id=20776
2021-09-29T11:35:53Z
Philippe Antoine
<p><a class="external" href="https://github.com/OISF/suricata/pull/6418">https://github.com/OISF/suricata/pull/6418</a></p>
https://redmine.openinfosecfoundation.org/issues/4273?journal_id=20778
2021-09-29T13:00:55Z
Shivani Bhardwaj
<ul><li><strong>Copied to</strong> <i><a class="issue tracker-1 status-5 priority-4 priority-default closed" href="/issues/4717">Bug #4717</a>: protodetect: SEGV due to NULL ptr deref</i> added</li></ul>
https://redmine.openinfosecfoundation.org/issues/4273?journal_id=20780
2021-09-29T13:01:44Z
Shivani Bhardwaj
<ul><li><strong>Copied to</strong> <i><a class="issue tracker-1 status-5 priority-4 priority-default closed" href="/issues/4718">Bug #4718</a>: protodetect: SEGV due to NULL ptr deref</i> added</li></ul>
https://redmine.openinfosecfoundation.org/issues/4273?journal_id=20798
2021-10-01T13:35:59Z
Philippe Antoine
<ul><li><strong>Status</strong> changed from <i>In Review</i> to <i>Closed</i></li></ul>