Bug #4524
(closed) AssertionError in SSLv3ParseHandshakeType
Status:
Rejected
Priority:
Normal
Assignee:
-
Target version:
-
Description
This bug was found by afl-fuzz in the applayer parser; it can be reproduced with the libfuzzer binary too.
[root@fuzzing:~/suri-fuzz> /root/suricata-6.0.1/src/fuzz_applayerparserparse out/default/crashes/id:000002,sig:06,src:010870,time:813836698,op:havoc,rep:4
INFO: Seed: 2048919946
INFO: Loaded 1 modules (50731 inline 8-bit counters): 50731 [0x555555f9908a, 0x555555fa56b5),
INFO: Loaded 1 PC tables (50731 PCs): 50731 [0x555555fa56b8,0x55555606b968),
/root/suricata-6.0.1/src/fuzz_applayerparserparse: Running 1 inputs 1 time(s) each.
Running: out/default/crashes/id:000002,sig:06,src:010870,time:813836698,op:havoc,rep:4
fuzz_applayerparserparse: app-layer-ssl.c:1637: int SSLv3ParseHandshakeType(SSLState *, const uint8_t *, uint32_t, uint8_t): Assertion `!((ssl_state->curr_connp->message_start + ssl_state->curr_connp->message_length < ssl_state->curr_connp->bytes_processed))' failed.
==114131== ERROR: libFuzzer: deadly signal
    #0 0x55555586681a in __sanitizer_print_stack_trace /root/sources/llvm-project-10.0.0/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:33:3
    #1 0x555555809298 in fuzzer::PrintStackTrace() /root/sources/llvm-project-10.0.0/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:205:38
    #2 0x5555557e6136 in fuzzer::Fuzzer::CrashCallback() (.part.0) /root/sources/llvm-project-10.0.0/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:232:18
    #3 0x5555557e61f9 in fuzzer::Fuzzer::CrashCallback() /root/sources/llvm-project-10.0.0/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:204:1
    #4 0x5555557e61f9 in fuzzer::Fuzzer::StaticCrashSignalCallback() /root/sources/llvm-project-10.0.0/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:203:19
    #5 0x7ffff79f07ff (/usr/lib/libpthread.so.0+0x147ff)
    #6 0x7ffff74fece4 in raise (/usr/lib/libc.so.6+0x3bce4)
    #7 0x7ffff74e8856 in abort (/usr/lib/libc.so.6+0x25856)
    #8 0x7ffff74e8726 in __assert_fail_base.cold (/usr/lib/libc.so.6+0x25726)
    #9 0x7ffff74f7425 in __assert_fail (/usr/lib/libc.so.6+0x34425)
    #10 0x5555558ec471 in SSLv3ParseHandshakeType /root/suricata-6.0.1/src/app-layer-ssl.c:1635:9
    #11 0x5555558eb5f0 in SSLv3ParseHandshakeProtocol /root/suricata-6.0.1/src/app-layer-ssl.c:1710:18
    #12 0x5555558e9e57 in SSLv3Decode /root/suricata-6.0.1/src/app-layer-ssl.c:2391:26
    #13 0x5555558e7f5e in SSLDecode /root/suricata-6.0.1/src/app-layer-ssl.c:2579:26
    #14 0x5555558e6731 in SSLParseClientRecord /root/suricata-6.0.1/src/app-layer-ssl.c:2623:12
    #15 0x5555558d3b59 in AppLayerParserParse /root/suricata-6.0.1/src/app-layer-parser.c:1258:30
    #16 0x55555586878a in LLVMFuzzerTestOneInput /root/suricata-6.0.1/src/tests/fuzz/fuzz_applayerparserparse.c:134:20
    #17 0x5555557e6b16 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /root/sources/llvm-project-10.0.0/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:17
    #18 0x5555557ce378 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /root/sources/llvm-project-10.0.0/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:293:21
    #19 0x5555557d6785 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /root/sources/llvm-project-10.0.0/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:779:19
    #20 0x5555557a3d42 in main /root/sources/llvm-project-10.0.0/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:30
    #21 0x7ffff74ea022 in __libc_start_main (/usr/lib/libc.so.6+0x27022)
    #22 0x5555557a3d9d in _start (/root/suricata-6.0.1/src/fuzz_applayerparserparse+0x24fd9d)
NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
Build script for libfuzzer:
#!/bin/bash -ex
make clean
export ac_cv_func_realloc_0_nonnull=yes
export ac_cv_func_malloc_0_nonnull=yes
export CC=/usr/bin/clang
export CXX=/usr/bin/clang++
export CFLAGS="-fsanitize=fuzzer-no-link -fno-omit-frame-pointer -g -O0"
export CXXFLAGS="-fsanitize=fuzzer-no-link -fno-omit-frame-pointer -g -O0"
./configure --enable-fuzztargets --disable-gccmarch-native --enable-debug-validation --enable-pie --disable-shared --with-libhtp-includes=/root/suricata-6.0.1/libhtp --with-libhtp-libraries=/root/suricata-6.0.1/libhtp/htp/.libs/libhtp.so
export LDFLAGS="-fsanitize=fuzzer -lFuzzer"
make -j7
The fuzzer found 3 more samples that trigger this behavior; I can upload them too if needed.
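For checking whether further fuzzer samples are the same crash, an added example that is not code from the report or from Suricata: it reduces a libFuzzer assertion log of the shape quoted above to a deduplication key (assertion file, line and expression, plus the first stack frame outside the fuzzing runtime and libc). The sample log is a constructed excerpt of the output above; the helper and class names are my own.

```python
import re
from dataclasses import dataclass

# Added example, not part of the bug report or of Suricata: turn an assert-style
# libFuzzer crash log into a deduplication key (assertion site plus first
# in-project stack frame) so further crash samples can be bucketed against this one.
ASSERT_RE = re.compile(r"(?P<file>[\w./-]+\.c):(?P<line>\d+): (?P<func>[^:]+?): "
                       r"Assertion `(?P<expr>.*?)' failed\.")
FRAME_RE = re.compile(r"#(?P<no>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")
# Frames from the fuzzing runtime or libc say nothing about the bug itself.
RUNTIME_PARTS = ("compiler-rt/", "libc.so", "libpthread.so")

@dataclass(frozen=True)
class CrashKey:
    assert_file: str
    assert_line: int
    assert_expr: str
    top_frame: str  # "func path:line" of the first in-project frame

def parse_crash(log: str) -> CrashKey:
    m = ASSERT_RE.search(log)
    if not m:
        raise ValueError("no assertion failure found in log")
    for f in FRAME_RE.finditer(log):
        loc = f.group("loc")
        if any(p in loc for p in RUNTIME_PARTS):
            continue
        # Drop the column number so the key survives small edits on the same line.
        top = f"{f.group('func')} {':'.join(loc.split(':')[:2])}"
        return CrashKey(m.group("file"), int(m.group("line")), m.group("expr"), top)
    raise ValueError("no in-project frame found in log")

def same_bucket(log_a: str, log_b: str) -> bool:
    """True when two crash logs hit the same assertion from the same frame."""
    return parse_crash(log_a) == parse_crash(log_b)

# Constructed excerpt of the output quoted in the report (most frames trimmed).
SAMPLE_LOG = (
    "fuzz_applayerparserparse: app-layer-ssl.c:1637: int SSLv3ParseHandshakeType"
    "(SSLState *, const uint8_t *, uint32_t, uint8_t): Assertion `!((ssl_state->"
    "curr_connp->message_start + ssl_state->curr_connp->message_length < ssl_state"
    "->curr_connp->bytes_processed))' failed. ==114131== ERROR: libFuzzer: deadly signal "
    "#0 0x55555586681a in __sanitizer_print_stack_trace /root/sources/llvm-project"
    "-10.0.0/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:33:3 "
    "#6 0x7ffff74fece4 in raise (/usr/lib/libc.so.6+0x3bce4) "
    "#10 0x5555558ec471 in SSLv3ParseHandshakeType /root/suricata-6.0.1/src/"
    "app-layer-ssl.c:1635:9 #11 0x5555558eb5f0 in SSLv3ParseHandshakeProtocol "
    "/root/suricata-6.0.1/src/app-layer-ssl.c:1710:18"
)
```

Frames without an "in <func>" part (such as the bare libpthread frame in the full log) are simply not matched, which is fine for bucketing since they are runtime frames anyway.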
Updated by Philippe Antoine over 3 years ago
Thanks, Elena, for running the fuzzers.
The bug is not reproduced on master at commit fdab22d924702168e3b7d07d061009ebdcfa9aa9,
nor on master-6.0.x at commit dda131a0591ff6ab76e330a87c8e738fe57a3956.
It was fixed by commit 8826a1aec546beb4999029370746b8e76d6bff60 in branch master-6.0.x.
Updated by Philippe Antoine over 3 years ago
- Is duplicate of Bug #4233: ssl : Integer underflow in ssl parsing SSLV3_HANDSHAKE_PROTOCOL added
Updated by Victor Julien about 2 years ago
- Status changed from Closed to Rejected
Duplicate of #4298