Project

General

Profile

Actions

Bug #4357

open

Napatech memory corruption

Added by Jeff Lucovsky over 3 years ago. Updated 5 months ago.

Status:
New
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Observed on a 5.0.4 Suricata system with ASAN enabled:

Feb 23 12:43:47 notice suricata: =================================================================
Feb 23 12:43:47 notice suricata: ==238699==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x628000013a00 at pc 0x55be71f10309 bp 0x7fa09efcd220 sp 0x7fa09efcd210
Feb 23 12:43:47 notice suricata: WRITE of size 8 at 0x628000013a00 thread T71 (CS)
Feb 23 12:43:48 notice suricata:     #0 0x55be71f10308 in StatsOutput /suricata/build/production/src/counters.c:717
Feb 23 12:43:48 notice suricata:     #1 0x55be71f10308 in StatsMgmtThread /suricata/build/production/src/counters.c:418
Feb 23 12:43:48 notice suricata:     #2 0x7fa0d865337d in start_thread /data/home/broala/appliance/pkgs/glibc/build/glibc-2.32/nptl/pthread_create.c:463
Feb 23 12:43:48 notice suricata:     #3 0x7fa0d6ad9c6e in clone (/lib/libc.so.6+0xf9c6e)
Feb 23 12:43:48 notice suricata:
Feb 23 12:43:48 notice suricata: 0x628000013a00 is located 0 bytes to the right of 14592-byte region [0x628000010100,0x628000013a00)
Feb 23 12:43:48 notice suricata: allocated by thread T71 (CS) here:
Feb 23 12:43:48 notice suricata:     #0 0x7fa0da0d6078 in __interceptor_calloc ../../../../gcc-7.3.0/libsanitizer/asan/asan_malloc_linux.cc:70
Feb 23 12:43:48 notice suricata:     #1 0x55be71f0f486 in StatsOutput /suricata/build/production/src/counters.c:647
Feb 23 12:43:48 notice suricata:     #2 0x55be71f0f486 in StatsMgmtThread /suricata/build/production/src/counters.c:418
Feb 23 12:43:48 notice suricata:     #3 0x7fa0d865337d in start_thread /data/home/broala/appliance/pkgs/glibc/build/glibc-2.32/nptl/pthread_create.c:463
Feb 23 12:43:48 notice suricata:
Feb 23 12:43:48 notice suricata: Thread T71 (CS) created by T0 (Suricata-Main) here:
Feb 23 12:43:48 notice suricata:     #0 0x7fa0da02f06f in __interceptor_pthread_create ../../../../gcc-7.3.0/libsanitizer/asan/asan_interceptors.cc:243
Feb 23 12:43:48 notice suricata:     #1 0x55be722894c8 in TmThreadSpawn /suricata/build/production/src/tm-threads.c:1902
Feb 23 12:43:48 notice suricata:     #2 0x55be71f11627 in StatsSpawnThreads /suricata/build/production/src/counters.c:925
Feb 23 12:43:48 notice suricata:     #3 0x55be721e7a22 in RunModeDispatch /suricata/build/production/src/runmodes.c:393
Feb 23 12:43:48 notice suricata:     #4 0x55be71de2727 in main /suricata/build/production/src/suricata.c:3092
Feb 23 12:43:48 notice suricata:     #5 0x7fa0d6a0263c in __libc_start_main ../csu/libc-start.c:314
Feb 23 12:43:48 notice suricata:
Feb 23 12:43:48 notice suricata: SUMMARY: AddressSanitizer: heap-buffer-overflow /data/jal/appliance/pkgs/suricata/build/production/src/counters.c:717 in StatsOutput
Feb 23 12:43:48 notice suricata: Shadow bytes around the buggy address:
Feb 23 12:43:48 notice suricata:   0x0c507fffa6f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Feb 23 12:43:48 notice suricata:   0x0c507fffa700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Feb 23 12:43:48 notice suricata:   0x0c507fffa710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Feb 23 12:43:48 notice suricata:   0x0c507fffa720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Feb 23 12:43:48 notice suricata:   0x0c507fffa730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Feb 23 12:43:48 notice suricata: =>0x0c507fffa740:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Feb 23 12:43:48 notice suricata:   0x0c507fffa750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Feb 23 12:43:48 notice suricata:   0x0c507fffa760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Feb 23 12:43:48 notice suricata:   0x0c507fffa770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Feb 23 12:43:48 notice suricata:   0x0c507fffa780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Feb 23 12:43:48 notice suricata:   0x0c507fffa790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Feb 23 12:43:48 notice suricata: Shadow byte legend (one shadow byte represents 8 application bytes):
Feb 23 12:43:48 notice suricata:   Addressable:           00
Feb 23 12:43:48 notice suricata:   Partially addressable: 01 02 03 04 05 06 07
Feb 23 12:43:48 notice suricata:   Heap left redzone:       fa
Feb 23 12:43:48 notice suricata:   Freed heap region:       fd
Feb 23 12:43:48 notice suricata:   Stack left redzone:      f1
Feb 23 12:43:48 notice suricata:   Stack mid redzone:       f2
Feb 23 12:43:48 notice suricata:   Stack right redzone:     f3
Feb 23 12:43:48 notice suricata:   Stack after return:      f5
Feb 23 12:43:48 notice suricata:   Stack use after scope:   f8
Feb 23 12:43:48 notice suricata:   Global redzone:          f9
Feb 23 12:43:48 notice suricata:   Global init order:       f6
Feb 23 12:43:48 notice suricata:   Poisoned by user:        f7
Feb 23 12:43:48 notice suricata:   Container overflow:      fc
Feb 23 12:43:48 notice suricata:   Array cookie:            ac
Feb 23 12:43:48 notice suricata:   Intra object redzone:    bb
Feb 23 12:43:48 notice suricata:   ASan internal:           fe
Feb 23 12:43:48 notice suricata:   Left alloca redzone:     ca
Feb 23 12:43:48 notice suricata:   Right alloca redzone:    cb
Feb 23 12:43:48 notice suricata: ==238699==ABORTING 

Actions #1

Updated by Victor Julien over 3 years ago

  • Affected Versions 5.0.5, 6.0.1, git master added
  • Affected Versions deleted (7.0.0-beta1)
Actions #2

Updated by Victor Julien about 3 years ago

Do we have any more details on this?

Actions #3

Updated by Jeff Lucovsky about 3 years ago

I'm pretty sure this occurs because the napatech source registers additional statistics in the packet loop instead of during thread initialization.

Actions #4

Updated by Jeff Lucovsky over 2 years ago

  • Assignee set to Phil Young

The HBA statistics should be initialized in NapatechStreamThreadInit instead of NapatechPacketLoop

Specifically, this code should be moved to NapatechStreamThreadInit just after ntv->hba is initialized ntv->hba = conf->hba

   if (ntv->hba > 0) {
          char *s_hbad_pkt = SCCalloc(1, 32);
          if (unlikely(s_hbad_pkt == NULL)) {
                      FatalError(SC_ERR_FATAL,
                                 "Failed to allocate memory for NAPATECH stream counter.");
          }
          snprintf(s_hbad_pkt, 32, "nt%d.hba_drop", ntv->stream_id);
          hba_pkt = StatsRegisterCounter(s_hbad_pkt, tv);
          StatsSetupPrivate(tv);
          StatsSetUI64(tv, hba_pkt, 0);
      }

Actions #5

Updated by Victor Julien over 2 years ago

  • Label deleted (Needs backport to 5.0)
Actions #6

Updated by Victor Julien over 2 years ago

  • Target version changed from 7.0.0-beta1 to TBD
Actions #7

Updated by Philippe Antoine 5 months ago

  • Label deleted (Needs backport to 6.0)
Actions #8

Updated by Victor Julien 5 months ago

  • Assignee changed from Phil Young to Community Ticket
Actions

Also available in: Atom PDF