Bug #4720

pcre2: ASAN heap-buffer-overflow

Added by Victor Julien about 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal

Description

Sep 29 21:00:15 c2758 suricata[30905]: =================================================================
Sep 29 21:00:15 c2758 suricata[30905]: ==30905==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608003f725f2 at pc 0x7fb957a9d733 bp 0x7fb9407f0d20 sp 0x7fb9407f04c8
Sep 29 21:00:15 c2758 suricata[30905]: READ of size 18 at 0x608003f725f2 thread T2 (W#01)
Sep 29 21:00:15 c2758 suricata[30905]:     #0 0x7fb957a9d732  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
Sep 29 21:00:15 c2758 suricata[30905]:     #1 0x7fb955b2c7fe in pcre2_substring_get_bynumber_8 (/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0+0x5d7fe)
Sep 29 21:00:15 c2758 suricata[30905]:     #2 0x5563267c3153 in DetectPcrePayloadMatch /home/victor/dev/suricata/src/detect-pcre.c:230
Sep 29 21:00:15 c2758 suricata[30905]:     #3 0x55632670fd06 in DetectEngineContentInspection /home/victor/dev/suricata/src/detect-engine-content-inspection.c:426
Sep 29 21:00:15 c2758 suricata[30905]:     #4 0x55632670f6f4 in DetectEngineContentInspection /home/victor/dev/suricata/src/detect-engine-content-inspection.c:343
Sep 29 21:00:15 c2758 suricata[30905]:     #5 0x556326700bd1 in DetectEngineInspectBufferGeneric /home/victor/dev/suricata/src/detect-engine.c:1660
Sep 29 21:00:15 c2758 suricata[30905]:     #6 0x556326a3cd6a in DetectRunTxInspectRule /home/victor/dev/suricata/src/detect.c:1121
Sep 29 21:00:15 c2758 suricata[30905]:     #7 0x556326a3ef51 in DetectRunTx /home/victor/dev/suricata/src/detect.c:1464
Sep 29 21:00:15 c2758 suricata[30905]:     #8 0x556326a37c4a in DetectRun /home/victor/dev/suricata/src/detect.c:140
Sep 29 21:00:15 c2758 suricata[30905]:     #9 0x556326a3f672 in DetectFlow /home/victor/dev/suricata/src/detect.c:1559
Sep 29 21:00:15 c2758 suricata[30905]:     #10 0x556326a3fe82 in Detect /home/victor/dev/suricata/src/detect.c:1631
Sep 29 21:00:15 c2758 suricata[30905]:     #11 0x55632682c7cf in FlowWorker /home/victor/dev/suricata/src/flow-worker.c:551
Sep 29 21:00:15 c2758 suricata[30905]:     #12 0x5563265da05a in TmThreadsSlotVarRun /home/victor/dev/suricata/src/tm-threads.c:117
Sep 29 21:00:15 c2758 suricata[30905]:     #13 0x5563265dc101 in TmThreadsSlotVar /home/victor/dev/suricata/src/tm-threads.c:452
Sep 29 21:00:15 c2758 suricata[30905]:     #14 0x7fb955f766da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
Sep 29 21:00:15 c2758 suricata[30905]:     #15 0x7fb9545cc71e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12171e)
Sep 29 21:00:15 c2758 suricata[30905]: 0x608003f725f2 is located 0 bytes to the right of 82-byte region [0x608003f725a0,0x608003f725f2)
Sep 29 21:00:15 c2758 suricata[30905]: allocated by thread T4 (W#03) here:
Sep 29 21:00:15 c2758 suricata[30905]:     #0 0x7fb957b02f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
Sep 29 21:00:15 c2758 suricata[30905]:     #1 0x556326e3cfcf in alloc::alloc::realloc::h8691e247515c87e4 /build/rustc-h1hlaa/rustc-1.51.0+dfsg1+llvm/library/alloc/src/alloc.rs:122
Sep 29 21:00:15 c2758 suricata[30905]:     #2 0x556326e3cfcf in alloc::alloc::Global::grow_impl::h6d1f61707b0c55ad /build/rustc-h1hlaa/rustc-1.51.0+dfsg1+llvm/library/alloc/src/alloc.rs:198
Sep 29 21:00:15 c2758 suricata[30905]:     #3 0x556326e3cfcf in _$LT$alloc..alloc..Global$u20$as$u20$core..alloc..Allocator$GT$::grow::h0c29610751de81d4 /build/rustc-h1hlaa/rustc-1.51.0+dfsg1+llvm/library/alloc/src/alloc.rs:251
Sep 29 21:00:15 c2758 suricata[30905]:     #4 0x556326e3cfcf in alloc::raw_vec::finish_grow::h03a2f4074daa10b8 /build/rustc-h1hlaa/rustc-1.51.0+dfsg1+llvm/library/alloc/src/raw_vec.rs:486
Sep 29 21:00:15 c2758 suricata[30905]:     #5 0x55632668a736 in SSLv3ParseHandshakeTypeCertificate /home/victor/dev/suricata/src/app-layer-ssl.c:1524
Sep 29 21:00:15 c2758 suricata[30905]:     #6 0x55632668ae45 in SSLv3ParseHandshakeType /home/victor/dev/suricata/src/app-layer-ssl.c:1598
Sep 29 21:00:15 c2758 suricata[30905]:     #7 0x55632668bc8c in SSLv3ParseHandshakeProtocol /home/victor/dev/suricata/src/app-layer-ssl.c:1704
Sep 29 21:00:15 c2758 suricata[30905]:     #8 0x55632668fb34 in SSLv3Decode /home/victor/dev/suricata/src/app-layer-ssl.c:2387
Sep 29 21:00:15 c2758 suricata[30905]:     #9 0x556326690c51 in SSLDecode /home/victor/dev/suricata/src/app-layer-ssl.c:2575
Sep 29 21:00:15 c2758 suricata[30905]:     #10 0x5563266912dd in SSLParseServerRecord /home/victor/dev/suricata/src/app-layer-ssl.c:2626
Sep 29 21:00:15 c2758 suricata[30905]:     #11 0x556326676620 in AppLayerParserParse /home/victor/dev/suricata/src/app-layer-parser.c:1266
Sep 29 21:00:15 c2758 suricata[30905]:     #12 0x55632663fae3 in AppLayerHandleTCPData /home/victor/dev/suricata/src/app-layer.c:699
Sep 29 21:00:15 c2758 suricata[30905]:     #13 0x556326934f6a in ReassembleUpdateAppLayer /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1187
Sep 29 21:00:15 c2758 suricata[30905]:     #14 0x55632693552e in StreamTcpReassembleAppLayer /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1250
Sep 29 21:00:15 c2758 suricata[30905]:     #15 0x55632693919e in StreamTcpReassembleHandleSegment /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1920
Sep 29 21:00:15 c2758 suricata[30905]:     #16 0x5563268f9016 in HandleEstablishedPacketToClient /home/victor/dev/suricata/src/stream-tcp.c:2472
Sep 29 21:00:15 c2758 suricata[30905]:     #17 0x5563268fc088 in StreamTcpPacketStateEstablished /home/victor/dev/suricata/src/stream-tcp.c:2765
Sep 29 21:00:15 c2758 suricata[30905]:     #18 0x556326918643 in StreamTcpStateDispatch /home/victor/dev/suricata/src/stream-tcp.c:4777
Sep 29 21:00:15 c2758 suricata[30905]:     #19 0x556326919c62 in StreamTcpPacket /home/victor/dev/suricata/src/stream-tcp.c:4966
Sep 29 21:00:15 c2758 suricata[30905]:     #20 0x55632691b6f7 in StreamTcp /home/victor/dev/suricata/src/stream-tcp.c:5304
Sep 29 21:00:15 c2758 suricata[30905]:     #21 0x55632682b555 in FlowWorkerStreamTCPUpdate /home/victor/dev/suricata/src/flow-worker.c:369
Sep 29 21:00:15 c2758 suricata[30905]:     #22 0x55632682c631 in FlowWorker /home/victor/dev/suricata/src/flow-worker.c:535
Sep 29 21:00:15 c2758 suricata[30905]:     #23 0x5563265da05a in TmThreadsSlotVarRun /home/victor/dev/suricata/src/tm-threads.c:117
Sep 29 21:00:15 c2758 suricata[30905]:     #24 0x5563265dc101 in TmThreadsSlotVar /home/victor/dev/suricata/src/tm-threads.c:452
Sep 29 21:00:15 c2758 suricata[30905]:     #25 0x7fb955f766da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
Sep 29 21:00:15 c2758 suricata[30905]: Thread T2 (W#01) created by T0 (Suricata-Main) here:
Sep 29 21:00:15 c2758 suricata[30905]:     #0 0x7fb957a5bd2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
Sep 29 21:00:15 c2758 suricata[30905]:     #1 0x5563265e1a98 in TmThreadSpawn /home/victor/dev/suricata/src/tm-threads.c:1721
Sep 29 21:00:15 c2758 suricata[30905]:     #2 0x5563269bcd4f in RunModeSetIPSAutoFp /home/victor/dev/suricata/src/util-runmodes.c:480
Sep 29 21:00:15 c2758 suricata[30905]:     #3 0x556326a97096 in RunModeIpsNFQAutoFp /home/victor/dev/suricata/src/runmode-nfq.c:71
Sep 29 21:00:15 c2758 suricata[30905]:     #4 0x5563268a958e in RunModeDispatch /home/victor/dev/suricata/src/runmodes.c:390
Sep 29 21:00:15 c2758 suricata[30905]:     #5 0x5563265d37f0 in SuricataMain /home/victor/dev/suricata/src/suricata.c:2799
Sep 29 21:00:15 c2758 suricata[30905]:     #6 0x5563265c6029 in main /home/victor/dev/suricata/src/main.c:22
Sep 29 21:00:15 c2758 suricata[30905]:     #7 0x7fb9544ccbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
Sep 29 21:00:15 c2758 suricata[30905]: Thread T4 (W#03) created by T0 (Suricata-Main) here:
Sep 29 21:00:15 c2758 suricata[30905]:     #0 0x7fb957a5bd2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
Sep 29 21:00:15 c2758 suricata[30905]:     #1 0x5563265e1a98 in TmThreadSpawn /home/victor/dev/suricata/src/tm-threads.c:1721
Sep 29 21:00:15 c2758 suricata[30905]:     #2 0x5563269bcd4f in RunModeSetIPSAutoFp /home/victor/dev/suricata/src/util-runmodes.c:480
Sep 29 21:00:15 c2758 suricata[30905]:     #3 0x556326a97096 in RunModeIpsNFQAutoFp /home/victor/dev/suricata/src/runmode-nfq.c:71
Sep 29 21:00:15 c2758 suricata[30905]:     #4 0x5563268a958e in RunModeDispatch /home/victor/dev/suricata/src/runmodes.c:390
Sep 29 21:00:15 c2758 suricata[30905]:     #5 0x5563265d37f0 in SuricataMain /home/victor/dev/suricata/src/suricata.c:2799
Sep 29 21:00:15 c2758 suricata[30905]:     #6 0x5563265c6029 in main /home/victor/dev/suricata/src/main.c:22
Sep 29 21:00:15 c2758 suricata[30905]:     #7 0x7fb9544ccbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
Sep 29 21:00:15 c2758 suricata[30905]: SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
Sep 29 21:00:15 c2758 suricata[30905]: Shadow bytes around the buggy address:
Sep 29 21:00:15 c2758 suricata[30905]:   0x0c10807e6460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Sep 29 21:00:15 c2758 suricata[30905]:   0x0c10807e6470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Sep 29 21:00:15 c2758 suricata[30905]:   0x0c10807e6480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Sep 29 21:00:15 c2758 suricata[30905]:   0x0c10807e6490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Sep 29 21:00:15 c2758 suricata[30905]:   0x0c10807e64a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Sep 29 21:00:15 c2758 suricata[30905]: =>0x0c10807e64b0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00[02]fa
Sep 29 21:00:15 c2758 suricata[30905]:   0x0c10807e64c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Sep 29 21:00:15 c2758 suricata[30905]:   0x0c10807e64d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Sep 29 21:00:15 c2758 suricata[30905]:   0x0c10807e64e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Sep 29 21:00:15 c2758 suricata[30905]:   0x0c10807e64f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Sep 29 21:00:15 c2758 suricata[30905]:   0x0c10807e6500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Sep 29 21:00:15 c2758 suricata[30905]: Shadow byte legend (one shadow byte represents 8 application bytes):
Sep 29 21:00:15 c2758 suricata[30905]:   Addressable:           00
Sep 29 21:00:15 c2758 suricata[30905]:   Partially addressable: 01 02 03 04 05 06 07
Sep 29 21:00:15 c2758 suricata[30905]:   Heap left redzone:       fa
Sep 29 21:00:15 c2758 suricata[30905]:   Freed heap region:       fd
Sep 29 21:00:15 c2758 suricata[30905]:   Stack left redzone:      f1
Sep 29 21:00:15 c2758 suricata[30905]:   Stack mid redzone:       f2
Sep 29 21:00:15 c2758 suricata[30905]:   Stack right redzone:     f3
Sep 29 21:00:15 c2758 suricata[30905]:   Stack after return:      f5
Sep 29 21:00:15 c2758 suricata[30905]:   Stack use after scope:   f8
Sep 29 21:00:15 c2758 suricata[30905]:   Global redzone:          f9
Sep 29 21:00:15 c2758 suricata[30905]:   Global init order:       f6
Sep 29 21:00:15 c2758 suricata[30905]:   Poisoned by user:        f7
Sep 29 21:00:15 c2758 suricata[30905]:   Container overflow:      fc
Sep 29 21:00:15 c2758 suricata[30905]:   Array cookie:            ac
Sep 29 21:00:15 c2758 suricata[30905]:   Intra object redzone:    bb
Sep 29 21:00:15 c2758 suricata[30905]:   ASan internal:           fe
Sep 29 21:00:15 c2758 suricata[30905]:   Left alloca redzone:     ca
Sep 29 21:00:15 c2758 suricata[30905]:   Right alloca redzone:    cb
Sep 29 21:00:15 c2758 suricata[30905]: ==30905==ABORTING
#1

Updated by Philippe Antoine about 1 year ago

Nothing obvious.
Do you have a way to reproduce?

Do you understand this part of the backtrace?

Sep 29 21:00:15 c2758 suricata[30905]:     #4 0x556326e3cfcf in alloc::raw_vec::finish_grow::h03a2f4074daa10b8 /build/rustc-h1hlaa/rustc-1.51.0+dfsg1+llvm/library/alloc/src/raw_vec.rs:486
Sep 29 21:00:15 c2758 suricata[30905]:     #5 0x55632668a736 in SSLv3ParseHandshakeTypeCertificate /home/victor/dev/suricata/src/app-layer-ssl.c:1524

I do not see SSLv3ParseHandshakeTypeCertificate calling Rust?!

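To make a report like the one in the description quicker to reason about, here is an added triage script (it is not part of the Suricata project or of this bug report). It strips the syslog prefix, parses the ASan header, the faulting access and the access and allocation stacks, computes how far the read reaches past the allocated region, finds the first in-project frame of each stack, and flags what the comment above points at: Rust standard-library allocation frames whose immediate caller is a C function. The project root path and the "looks like a Rust frame" heuristic are assumptions made for this example; the sample input is an abbreviated copy of the report's own lines.

```python
import re
from dataclasses import dataclass, field

# Syslog prefix on every pasted line ("Sep 29 21:00:15 c2758 suricata[30905]: ").
SYSLOG_PREFIX = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ \S+\[\d+\]: ?")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ (?:in (\S+) (\S+)|\s*\((\S+)\))")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread")
LOCATED_RE = re.compile(r"^0x[0-9a-f]+ is located \d+ bytes to the (?:left|right) of "
                        r"\d+-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
RUST_FRAME = re.compile(r"::|/rustc-|\.rs:\d+$")  # heuristic (assumption) for Rust frames


@dataclass
class Frame:
    index: int
    func: str       # "?" when ASan could not symbolize the frame
    location: str   # "path:line" for source frames, "module+offset" otherwise

    def source_path(self):
        m = re.match(r"^(.*):\d+$", self.location)
        return m.group(1) if m else None

    def is_rust(self):
        return bool(RUST_FRAME.search(self.func) or RUST_FRAME.search(self.location))


@dataclass
class Report:
    error: str = ""
    access: str = ""
    size: int = 0
    address: int = 0
    region_start: int = 0
    region_end: int = 0
    access_stack: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)

    def region_size(self):
        return self.region_end - self.region_start

    def bytes_past_end(self):
        # How far the access [address, address + size) reaches beyond the region end.
        return self.address + self.size - self.region_end


def parse_asan_report(text):
    """Parse the header, the faulting access, and the access/allocation stacks."""
    rep, target = Report(), None
    for raw in text.splitlines():
        line = SYSLOG_PREFIX.sub("", raw).rstrip()
        if "ERROR: AddressSanitizer:" in line:
            rep.error = line.split("AddressSanitizer: ", 1)[1].split(" on address", 1)[0]
        elif m := ACCESS_RE.match(line):
            rep.access, rep.size, rep.address = m.group(1), int(m.group(2)), int(m.group(3), 16)
            target = rep.access_stack        # frames that follow belong to the access stack
        elif m := LOCATED_RE.match(line):
            rep.region_start, rep.region_end = int(m.group(1), 16), int(m.group(2), 16)
            target = None
        elif line.startswith("allocated by thread"):
            target = rep.alloc_stack         # frames that follow belong to the allocation stack
        elif line.startswith(("Thread T", "SUMMARY:")):
            target = None                    # thread-creation stacks are not needed for triage
        elif (m := FRAME_RE.match(line)) and target is not None:
            loc = (m.group(3) or m.group(4)).strip("()")
            target.append(Frame(int(m.group(1)), m.group(2) or "?", loc))
    return rep


def first_project_frame(stack, project_root):
    """First frame whose source file lives under project_root (an assumed path)."""
    return next((fr for fr in stack if (fr.source_path() or "").startswith(project_root)), None)


def rust_frames_under_c(stack):
    """The oddity from the comment above: Rust std frames whose immediate caller is not
    Rust. Returns (rust_frames, caller), or ([], None) when there is no such boundary."""
    rust = [fr for fr in stack if fr.is_rust()]
    caller = next((fr for fr in stack if rust and fr.index == rust[-1].index + 1), None)
    if caller is not None and not caller.is_rust():
        return rust, caller
    return [], None


# Constructed sample: an abbreviated copy of the report in the bug description.
SAMPLE = """\
Sep 29 21:00:15 c2758 suricata[30905]: ==30905==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608003f725f2 at pc 0x7fb957a9d733 bp 0x7fb9407f0d20 sp 0x7fb9407f04c8
Sep 29 21:00:15 c2758 suricata[30905]: READ of size 18 at 0x608003f725f2 thread T2 (W#01)
Sep 29 21:00:15 c2758 suricata[30905]:     #0 0x7fb957a9d732  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
Sep 29 21:00:15 c2758 suricata[30905]:     #1 0x7fb955b2c7fe in pcre2_substring_get_bynumber_8 (/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0+0x5d7fe)
Sep 29 21:00:15 c2758 suricata[30905]:     #2 0x5563267c3153 in DetectPcrePayloadMatch /home/victor/dev/suricata/src/detect-pcre.c:230
Sep 29 21:00:15 c2758 suricata[30905]: 0x608003f725f2 is located 0 bytes to the right of 82-byte region [0x608003f725a0,0x608003f725f2)
Sep 29 21:00:15 c2758 suricata[30905]: allocated by thread T4 (W#03) here:
Sep 29 21:00:15 c2758 suricata[30905]:     #0 0x7fb957b02f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
Sep 29 21:00:15 c2758 suricata[30905]:     #1 0x556326e3cfcf in alloc::alloc::realloc::h8691e247515c87e4 /build/rustc-h1hlaa/rustc-1.51.0+dfsg1+llvm/library/alloc/src/alloc.rs:122
Sep 29 21:00:15 c2758 suricata[30905]:     #4 0x556326e3cfcf in alloc::raw_vec::finish_grow::h03a2f4074daa10b8 /build/rustc-h1hlaa/rustc-1.51.0+dfsg1+llvm/library/alloc/src/raw_vec.rs:486
Sep 29 21:00:15 c2758 suricata[30905]:     #5 0x55632668a736 in SSLv3ParseHandshakeTypeCertificate /home/victor/dev/suricata/src/app-layer-ssl.c:1524
Sep 29 21:00:15 c2758 suricata[30905]: SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
"""
```

On the report in the description this yields an 18-byte READ that starts exactly at the end of an 82-byte region, so the whole read lies past the allocation; the first in-project access frame is detect-pcre.c:230 and the first in-project allocation frame is app-layer-ssl.c:1524, with the Rust `alloc::` frames sitting directly on top of it. Note that frames #1 through #4 of the allocation stack all carry the same pc (0x556326e3cfcf), which is how the symbolizer reports inlined frames; that is the first thing to check when a C function appears to call into Rust without a visible call site.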
#2

Updated by Philippe Antoine about 1 year ago

  • Status changed from Assigned to In Review
#3

Updated by Victor Julien about 1 year ago

  • Status changed from In Review to Closed
  • Priority changed from High to Normal