Project

General

Profile

Actions
Copy link

Bug #4403

closed

Use after free or read overflow or use of unitized memory in TransformStripWhitespace called by HttpServerBodyXformsGetDataCallback

Added by Philippe Antoine about 3 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
High
Assignee:
Victor Julien
Target version:
7.0.0-beta1
Affected Versions:
git master
Effort:
Difficulty:
Label:

Description

Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31987

The issue was created a day after this hit master https://github.com/OISF/suricata/pull/5932

The bug may be changing int to int16 in
https://github.com/OISF/suricata/pull/5932/commits/975062cf401f79c00abf728d923c65aabd143af2#diff-99eda33658bd0778da7bf89acbb4e7bbdb9ce82b0ab93486e1643691925f4091L600

Files

lol.py (405 Bytes) lol.py Philippe Antoine, 03/24/2021 08:46 PM
Actions
Copy link
 #1

Updated by Philippe Antoine about 3 years ago

Generating a lot of signatures with different tranforms (see attached script), I got
5795ERROR: AddressSanitizer: global-buffer-overflow on address 0x00010cca04e2 at pc 0x00010c39e886 bp 0x7ffee397ebb0 sp 0x7ffee397eba8
WRITE of size 1 at 0x00010cca04e2 thread T0
#0 0x10c39e885 in EngineAnalysisRules detect-engine-analyzer.c:1045

Actions
Copy link
 #2

Updated by Victor Julien about 3 years ago

  • Status changed from New to Assigned
  • Priority changed from Normal to High
Actions
Copy link
 #3

Updated by Victor Julien over 2 years ago

This has been addressed, right?

Actions
Copy link
 #4

Updated by Philippe Antoine over 2 years ago

No.
It looks like it is still happening unreproducibly...
I thought it was the multibuffer bug but it still happens...
I will dig again into that

Actions
Copy link
 #5

Updated by Philippe Antoine over 2 years ago

So, I guess the problem is indeed changing int to int16 in
https://github.com/OISF/suricata/pull/5932/commits/975062cf401f79c00abf728d923c65aabd143af2#diff-99eda33658bd0778da7bf89acbb4e7bbdb9ce82b0ab93486e1643691925f4091L600

We have DetectAppLayerMpmRegisterByParentId that will set am->sm_list = id; with id being a parameter of the function set in DetectBufferTypeGetByIdTransforms
by map->id = de_ctx->buffer_type_id++; and buffer_type_id can increase over UINT16_MAX

So, I would suggest first adding some DEBUG_VALIDATE_BUG_ON(id < 0 || id > UINT16_MAX);

Actions
Copy link
 #6

Updated by Philippe Antoine over 2 years ago

  • Status changed from Assigned to In Review
Actions
Copy link
 #7

Updated by Philippe Antoine over 2 years ago

  • Status changed from In Review to Closed

Duplicate of #4681 which got put by oss-fuzz tracker

Actions
Copy link
 #8

Updated by Victor Julien over 2 years ago

  • Private changed from Yes to No
Actions
Copy link

Also available in: Atom PDF