Bug #4524: AssertionError in SSLv3ParseHandshakeType - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #4524

closed

AssertionError in SSLv3ParseHandshakeType

Added by Elena B almost 3 years ago. Updated over 1 year ago.

Status:

Rejected

Priority:

Normal

Assignee:

Target version:

Affected Versions:

6.0.1

Effort:

Difficulty:

Label:

Description

This bug was found by afl-fuzz in applayer parser, can be reproduced with libfuzzer binary too.

[root@fuzzing:~/suri-fuzz> /root/suricata-6.0.1/src/fuzz_applayerparserparse out/default/crashes/id:000002,sig:06,src:010870,time:813836698,op:havoc,rep:4        
INFO: Seed: 2048919946
INFO: Loaded 1 modules   (50731 inline 8-bit counters): 50731 [0x555555f9908a, 0x555555fa56b5), 
INFO: Loaded 1 PC tables (50731 PCs): 50731 [0x555555fa56b8,0x55555606b968), 
/root/suricata-6.0.1/src/fuzz_applayerparserparse: Running 1 inputs 1 time(s) each.
Running: out/default/crashes/id:000002,sig:06,src:010870,time:813836698,op:havoc,rep:4
fuzz_applayerparserparse: app-layer-ssl.c:1637: int SSLv3ParseHandshakeType(SSLState *, const uint8_t *, uint32_t, uint8_t): Assertion `!((ssl_state->curr_connp->message_start + ssl_state->curr_connp->message_length < ssl_state->curr_connp->bytes_processed))' failed.
==114131== ERROR: libFuzzer: deadly signal
    #0 0x55555586681a in __sanitizer_print_stack_trace /root/sources/llvm-project-10.0.0/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:33:3
    #1 0x555555809298 in fuzzer::PrintStackTrace() /root/sources/llvm-project-10.0.0/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:205:38
    #2 0x5555557e6136 in fuzzer::Fuzzer::CrashCallback() (.part.0) /root/sources/llvm-project-10.0.0/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:232:18
    #3 0x5555557e61f9 in fuzzer::Fuzzer::CrashCallback() /root/sources/llvm-project-10.0.0/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:204:1
    #4 0x5555557e61f9 in fuzzer::Fuzzer::StaticCrashSignalCallback() /root/sources/llvm-project-10.0.0/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:203:19
    #5 0x7ffff79f07ff  (/usr/lib/libpthread.so.0+0x147ff)
    #6 0x7ffff74fece4 in raise (/usr/lib/libc.so.6+0x3bce4)
    #7 0x7ffff74e8856 in abort (/usr/lib/libc.so.6+0x25856)
    #8 0x7ffff74e8726 in __assert_fail_base.cold (/usr/lib/libc.so.6+0x25726)
    #9 0x7ffff74f7425 in __assert_fail (/usr/lib/libc.so.6+0x34425)
    #10 0x5555558ec471 in SSLv3ParseHandshakeType /root/suricata-6.0.1/src/app-layer-ssl.c:1635:9
    #11 0x5555558eb5f0 in SSLv3ParseHandshakeProtocol /root/suricata-6.0.1/src/app-layer-ssl.c:1710:18
    #12 0x5555558e9e57 in SSLv3Decode /root/suricata-6.0.1/src/app-layer-ssl.c:2391:26
    #13 0x5555558e7f5e in SSLDecode /root/suricata-6.0.1/src/app-layer-ssl.c:2579:26
    #14 0x5555558e6731 in SSLParseClientRecord /root/suricata-6.0.1/src/app-layer-ssl.c:2623:12
    #15 0x5555558d3b59 in AppLayerParserParse /root/suricata-6.0.1/src/app-layer-parser.c:1258:30
    #16 0x55555586878a in LLVMFuzzerTestOneInput /root/suricata-6.0.1/src/tests/fuzz/fuzz_applayerparserparse.c:134:20
    #17 0x5555557e6b16 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /root/sources/llvm-project-10.0.0/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:17
    #18 0x5555557ce378 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /root/sources/llvm-project-10.0.0/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:293:21
    #19 0x5555557d6785 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /root/sources/llvm-project-10.0.0/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:779:19
    #20 0x5555557a3d42 in main /root/sources/llvm-project-10.0.0/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:30
    #21 0x7ffff74ea022 in __libc_start_main (/usr/lib/libc.so.6+0x27022)
    #22 0x5555557a3d9d in _start (/root/suricata-6.0.1/src/fuzz_applayerparserparse+0x24fd9d)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal

Build script for libfuzzer:

#!/bin/bash -ex
make clean
export ac_cv_func_realloc_0_nonnull=yes
export ac_cv_func_malloc_0_nonnull=yes
export CC=/usr/bin/clang
export CXX=/usr/bin/clang++
export CFLAGS="-fsanitize=fuzzer-no-link -fno-omit-frame-pointer -g -O0" 
export CXXFLAGS="-fsanitize=fuzzer-no-link -fno-omit-frame-pointer -g -O0" 
./configure --enable-fuzztargets --disable-gccmarch-native --enable-debug-validation --enable-pie --disable-shared --with-libhtp-includes=/root/suricata-6.0.1/libhtp --with-libhtp-libraries=/root/suricata-6.0.1/libhtp/htp/.libs/libhtp.so
export LDFLAGS="-fsanitize=fuzzer -lFuzzer" 
make -j7

Fuzzer found 3 more samples that trigger this behavior, I can upload them too if needed.

Files

id_000002,sig_06,src_010870,time_813836698,op_havoc,rep_4 (1.55 KB) id_000002,sig_06,src_010870,time_813836698,op_havoc,rep_4

Elena B, 06/09/2021 06:31 PM

Related issues 1 (0 open — 1 closed)

Actions

Copy link

Updated by Jason Ish almost 3 years ago

Private changed from No to Yes

Actions

Copy link

Updated by Philippe Antoine almost 3 years ago

Thanks Elena for running the fuzzers

Bug is not reproduced on master at commit fdab22d924702168e3b7d07d061009ebdcfa9aa9
neither on master-6.0.x commit dda131a0591ff6ab76e330a87c8e738fe57a3956
Was fixed by commit 8826a1aec546beb4999029370746b8e76d6bff60 in branch master-6.0.x commit

Actions

Copy link