Bug #4403: Use after free or read overflow or use of uninitialized memory in TransformStripWhitespace called by HttpServerBodyXformsGetDataCallback

Added by Philippe Antoine about 5 years ago. Updated over 4 years ago.

Status: Closed
Priority: High

Files

lol.py (405 Bytes), Philippe Antoine, 03/24/2021 08:46 PM

#1 Updated by Philippe Antoine about 5 years ago

Generating a lot of signatures with different transforms (see attached script), I got

    ==5795==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00010cca04e2 at pc 0x00010c39e886 bp 0x7ffee397ebb0 sp 0x7ffee397eba8
    WRITE of size 1 at 0x00010cca04e2 thread T0
        #0 0x10c39e885 in EngineAnalysisRules detect-engine-analyzer.c:1045

#2 Updated by Victor Julien about 5 years ago

  • Status changed from New to Assigned
  • Priority changed from Normal to High

#3 Updated by Victor Julien over 4 years ago

This has been addressed, right?

#4 Updated by Philippe Antoine over 4 years ago

No.
It looks like it is still happening unreproducibly...
I thought it was the multibuffer bug but it still happens...
I will dig again into that

#5 Updated by Philippe Antoine over 4 years ago

So, I guess the problem is indeed changing int to int16 in
https://github.com/OISF/suricata/pull/5932/commits/975062cf401f79c00abf728d923c65aabd143af2#diff-99eda33658bd0778da7bf89acbb4e7bbdb9ce82b0ab93486e1643691925f4091L600

We have DetectAppLayerMpmRegisterByParentId, which sets am->sm_list = id;, with id being a parameter of the function that is set in DetectBufferTypeGetByIdTransforms
by map->id = de_ctx->buffer_type_id++;, and buffer_type_id can increase beyond UINT16_MAX.

So, I would suggest first adding some DEBUG_VALIDATE_BUG_ON(id < 0 || id > UINT16_MAX);
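
The narrowing described in this comment, as an added example in C that is not part of the ticket or of Suricata's source. It uses the hypothetical names EngineCtx, MpmRegistration, NewBufferTypeId, RegisterUnchecked, RegisterChecked, ListIndexInBounds and CountNarrowedIds as stand-ins for the real functions named above; the constructed ids 100, 40000 and 70000 are chosen to show one value that fits a 16-bit field and two that do not. The unchecked path shows how an int id silently wraps when stored into an int16_t, the checked path is the runtime form of the suggested range check, and the counter shows how many ids a large generated rule set would corrupt:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for de_ctx: one counter hands out buffer-type ids,
 * mirroring "map->id = de_ctx->buffer_type_id++" in the comment above. */
typedef struct {
    int buffer_type_id;
} EngineCtx;

/* Hypothetical stand-in for the MPM registration record. The list id lives
 * in a 16-bit field, mirroring the int -> int16 change the comment points at. */
typedef struct {
    int16_t sm_list;
} MpmRegistration;

/* Hand out the next id. Every buffer/transform combination a rule set uses
 * consumes one, so a large generated rule set can push this past 16 bits. */
int NewBufferTypeId(EngineCtx *de_ctx) {
    return de_ctx->buffer_type_id++;
}

/* Unchecked registration: "am->sm_list = id" silently narrows the int.
 * Out-of-range conversion to a signed type is implementation-defined in C;
 * gcc and clang wrap modulo 2^16, so 32768..65535 come out negative and
 * 65536.. start over from 0. Returns what was actually stored. */
int16_t RegisterUnchecked(MpmRegistration *am, int id) {
    am->sm_list = id;
    return am->sm_list;
}

/* Checked registration: refuse any id the field cannot represent. Returns 0
 * on success, -1 when the id would be narrowed. This is the runtime form of
 * the DEBUG_VALIDATE_BUG_ON(...) range check suggested above, bounded by the
 * destination type (INT16_MAX for an int16_t field; UINT16_MAX would only be
 * right for an unsigned field). */
int RegisterChecked(MpmRegistration *am, int id) {
    if (id < 0 || id > INT16_MAX) {
        return -1;
    }
    am->sm_list = (int16_t)id;
    return 0;
}

/* Whether a stored list id can safely index a table of table_len entries.
 * A wrapped id is either negative or past the end, which is the shape of
 * the global-buffer-overflow in the ASan report in comment #1. */
int ListIndexInBounds(int16_t sm_list, size_t table_len) {
    return sm_list >= 0 && (size_t)sm_list < table_len;
}

/* Register n buffer types through the unchecked path and count how many end
 * up with an sm_list that no longer equals the id they were given. */
int CountNarrowedIds(int n) {
    EngineCtx de_ctx = { .buffer_type_id = 0 };
    MpmRegistration am = { 0 };
    int narrowed = 0;
    for (int i = 0; i < n; i++) {
        int id = NewBufferTypeId(&de_ctx);
        if (RegisterUnchecked(&am, id) != id) {
            narrowed++;
        }
    }
    return narrowed;
}

int main(void) {
    MpmRegistration am = { 0 };
    /* Constructed ids: one that fits the field, two that do not. */
    int ids[] = { 100, 40000, 70000 };
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        int16_t stored = RegisterUnchecked(&am, ids[i]);
        printf("id %6d -> sm_list %6d (%s), checked registration: %d\n",
               ids[i], stored,
               ListIndexInBounds(stored, 1024) ? "in bounds" : "OUT OF BOUNDS",
               RegisterChecked(&am, ids[i]));
    }
    printf("%d of 70000 generated ids narrowed incorrectly\n",
           CountNarrowedIds(70000));
    return 0;
}
```

The count is the part worth keeping in mind when reading comment #4's "unreproducibly": a rule set has to allocate more than 32767 buffer-type ids before any id is narrowed, so small test sets never hit it and only the large generated ones do, and which table entry the wrapped id then touches depends on the exact number of ids allocated.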

#6 Updated by Philippe Antoine over 4 years ago

  • Status changed from Assigned to In Review

#7 Updated by Philippe Antoine over 4 years ago

  • Status changed from In Review to Closed

Duplicate of #4681, which was filed by the oss-fuzz tracker.

#8 Updated by Victor Julien over 4 years ago

  • Private changed from Yes to No