Project

General

Profile

Actions

Bug #4403

closed

Use after free or read overflow or use of unitized memory in TransformStripWhitespace called by HttpServerBodyXformsGetDataCallback

Added by Philippe Antoine over 1 year ago. Updated 10 months ago.

Status:
Closed
Priority:
High
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:


Files

lol.py (405 Bytes) lol.py Philippe Antoine, 03/24/2021 08:46 PM
Actions #1

Updated by Philippe Antoine over 1 year ago

Generating a lot of signatures with different tranforms (see attached script), I got
5795ERROR: AddressSanitizer: global-buffer-overflow on address 0x00010cca04e2 at pc 0x00010c39e886 bp 0x7ffee397ebb0 sp 0x7ffee397eba8
WRITE of size 1 at 0x00010cca04e2 thread T0
#0 0x10c39e885 in EngineAnalysisRules detect-engine-analyzer.c:1045

Actions #2

Updated by Victor Julien over 1 year ago

  • Status changed from New to Assigned
  • Priority changed from Normal to High
Actions #3

Updated by Victor Julien about 1 year ago

This has been addressed, right?

Actions #4

Updated by Philippe Antoine about 1 year ago

No.
It looks like it is still happening unreproducibly...
I thought it was the multibuffer bug but it still happens...
I will dig again into that

Actions #5

Updated by Philippe Antoine about 1 year ago

So, I guess the problem is indeed changing int to int16 in
https://github.com/OISF/suricata/pull/5932/commits/975062cf401f79c00abf728d923c65aabd143af2#diff-99eda33658bd0778da7bf89acbb4e7bbdb9ce82b0ab93486e1643691925f4091L600

We have DetectAppLayerMpmRegisterByParentId that will set am->sm_list = id; with id being a parameter of the function set in DetectBufferTypeGetByIdTransforms
by map->id = de_ctx->buffer_type_id++; and buffer_type_id can increase over UINT16_MAX

So, I would suggest first adding some DEBUG_VALIDATE_BUG_ON(id < 0 || id > UINT16_MAX);

Actions #6

Updated by Philippe Antoine about 1 year ago

  • Status changed from Assigned to In Review
Actions #7

Updated by Philippe Antoine about 1 year ago

  • Status changed from In Review to Closed

Duplicate of #4681 which got put by oss-fuzz tracker

Actions #8

Updated by Victor Julien 10 months ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF