Bug #4858

closed

fuzz: Timeout with pcre

Added by Philippe Antoine over 3 years ago. Updated 8 days ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40380

Reproducer signature is alert ip any any -> any any (pcre:"/.*\.loca|domain/"; sid:1;)


alert ip any any -> any any (pcre:"/.*\seqppcre:"/.*|.localdom 'HTTP/2.FPC0e:"/.*|.localdomain/"; sid:1;)
alert ip any any -> any any (content:"dummy"; sid:2;)

The second signature makes the run 500 times faster

That is because raw_stream_progress is updated only by PrefilterPktStream.
But I am not sure this fast result is always correct...


Files

lolb.pcap (1.29 KB), Philippe Antoine, 11/29/2021 09:11 AM
pcrexform.rules (255 Bytes), Philippe Antoine, 04/08/2022 08:58 AM
pcrexform.pcap (421 KB), Philippe Antoine, 04/08/2022 08:58 AM

Related issues: 2 (2 open, 0 closed)

Related to Suricata - Optimization #5076: keyword content does not work over reassembled TCP (New, Victor Julien)
Related to Suricata - Feature #7328: detect: use hyper scan streaming mode (New, OISF Dev)
#1

Updated by Philippe Antoine over 3 years ago

So, the next step is to check if

alert ip any any -> any any (pcre:"/testoverpackets/"; sid:1;)
alert ip any any -> any any (content:"dummy"; sid:2;)

gives the expected results when testoverpackets is split over 2 packets (with or without the second signature enabled)

#2

Updated by Philippe Antoine over 3 years ago

So, we have indeed a wrong result:

alert ip any any -> any any (pcre:"/HTTP\/2.loc/"; sid:11;)
#alert http any any -> any any (content:"dummy"; sid:2;)

/src/suricata -S lol.rules -k none -c suricata.yaml -r /Users/catena/catena/prod/bounty/fuzzpcap/build/lolb.pcap -l log --set stream.reassembly.toserver-chunk-size=25
gives either 0 or 3 matches for sid 11

#3

Updated by Philippe Antoine over 3 years ago

Even alert ip any any -> any any (content:"HTTP/2.loc"; sid:11;) alone does not trigger with stream.reassembly.toserver-chunk-size=25
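
The description, note #1 and note #3 above describe the two sides of the same trade-off: rescanning the whole reassembled buffer on every new packet is slow (the pcre timeout), while scanning only the new data can miss a match that straddles a chunk boundary (the missed "HTTP/2.loc" with toserver-chunk-size=25). The following Python model, added here as an illustration and not code from Suricata or from the ticket's author, compares three strategies over a constructed stream; the names `SAMPLE`, `chunks`, `scan_rescan_all`, `scan_per_chunk`, `scan_with_progress` and `MAX_MATCH_LEN` are all assumptions of the example, and the "work" counters simply sum bytes handed to the regex engine.

```python
import re

# Constructed sample stream: the literal "HTTP/2.loc" from note #3 sits at
# offset 20, so a 25-byte reassembly chunk size splits it across two chunks.
SAMPLE = b"A" * 20 + b"HTTP/2.loc" + b"B" * 30
PATTERN = re.compile(rb"HTTP/2\.loc")
# Longest possible match of PATTERN. For the ticket's /.*\.loca|domain/ this
# bound does not exist, which is exactly what makes that case hard.
MAX_MATCH_LEN = 10


def chunks(stream, size):
    """Yield the stream in fixed-size pieces, standing in for the reassembly
    chunks handed to detection (cf. stream.reassembly.toserver-chunk-size)."""
    for i in range(0, len(stream), size):
        yield stream[i:i + size]


def scan_rescan_all(stream, size):
    """Re-run the regex over the whole accumulated buffer on every new chunk.
    Finds everything, but total work grows quadratically with the stream."""
    buf, work, matches = b"", 0, set()
    for c in chunks(stream, size):
        buf += c
        work += len(buf)
        matches.update(m.start() for m in PATTERN.finditer(buf))
    return matches, work


def scan_per_chunk(stream, size):
    """Scan each chunk on its own. Linear work, but a match that straddles a
    chunk boundary is never seen (the miss observed in notes #2 and #3)."""
    work, matches, offset = 0, set(), 0
    for c in chunks(stream, size):
        work += len(c)
        matches.update(offset + m.start() for m in PATTERN.finditer(c))
        offset += len(c)
    return matches, work


def scan_with_progress(stream, size, max_match_len):
    """Keep a progress offset (the role raw_stream_progress plays in the ticket)
    and rescan only the new bytes plus an overlap of max_match_len - 1 bytes,
    so boundary-spanning matches are still found with linear total work."""
    buf, progress, work, matches = b"", 0, 0, set()
    for c in chunks(stream, size):
        buf += c
        start = max(0, progress - (max_match_len - 1))
        work += len(buf) - start
        matches.update(m.start() for m in PATTERN.finditer(buf, start))
        progress = len(buf)
    return matches, work


if __name__ == "__main__":
    print("rescan all   ", scan_rescan_all(SAMPLE, 25))
    print("per chunk    ", scan_per_chunk(SAMPLE, 25))
    print("with progress", scan_with_progress(SAMPLE, 25, MAX_MATCH_LEN))
```

Running it shows the per-chunk scan finding nothing while the other two report the match at offset 20, with the progress-based scan doing roughly half the work of the full rescan on this short stream (the gap widens with every further packet). The overlap trick only works when the pattern has a bounded match length; a pcre with a leading `.*` such as the reproducer's can match arbitrarily far back, so no finite overlap is safe and the engine is pushed back towards rescanning the whole 65k buffer. That is why note #9 points at the stream modes of hyperscan/pcre2, which carry matcher state across chunks instead of re-reading old bytes. A match that lies entirely inside the overlap window would be reported on two consecutive scans; the set deduplicates it here, and a real engine has to do the same to avoid duplicate alerts.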

#4

Updated by Victor Julien over 3 years ago

  • Status changed from New to Assigned
  • Assignee changed from Philippe Antoine to Victor Julien

Can you split this ticket into 2 tickets, one for the pcre timeout and one for the evasion?

#5

Updated by Philippe Antoine over 3 years ago

#6

Updated by Philippe Antoine over 3 years ago

  • Related to deleted (Optimization #5076: keyword content does not work over reassembled TCP)
#7

Updated by Philippe Antoine over 3 years ago

Updated by Philippe Antoine over 3 years ago

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44742 is some variant of Regexp DoS:
using rules

alert tcp any any -> any any (file.data; strip_whitespace; pcrexform:"[a-wA-Z]+\S+(.*)\s+HTTP"; content:"/z4>0m"; endswith; sid:124;)
alert tcp any any -> any any (file.data; strip_whitespace; pcrexform:"[a-wA-Z]+\s+(.*)\s+HTTP"; content:"pass"; sid:19;)

and a pcap with multiple http files to do this transform, where we spend much time in DetectTransformPcrexform/pcre2_match_8.

#9

Updated by Philippe Antoine about 3 years ago

For the timeout, I think the solution is to have hyperscan/pcre2 do stream detection, instead of running pcre2 on a 65k payload every time there is a new packet...

#10

Updated by Victor Julien almost 3 years ago

  • Target version changed from 7.0.0-beta1 to 7.0.0-rc1
#11

Updated by Philippe Antoine almost 3 years ago

  • Target version changed from 7.0.0-rc1 to TBD

I think this can be post 7...

#12

Updated by Victor Julien over 2 years ago

  • Target version changed from TBD to 8.0.0-beta1
#14

Updated by Philippe Antoine about 1 year ago

I think this one can be postponed after 8

#15

Updated by Philippe Antoine 10 months ago

  • Status changed from Assigned to In Review
#16

Updated by Philippe Antoine 10 months ago

Philippe Antoine wrote in #note-9:

For the timeout, I think the solution is to have hyperscan/pcre2 do stream detection, instead of running pcre2 on a 65k payload every time there is a new packet...

This hard-to-implement solution can be investigated after the easy solution to make oss-fuzz happy.

#17

Updated by Philippe Antoine 10 months ago

  • Status changed from In Review to Resolved
#18

Updated by Philippe Antoine 10 months ago

  • Blocked by deleted (Optimization #5076: keyword content does not work over reassembled TCP)
#19

Updated by Philippe Antoine 10 months ago

#20

Updated by Philippe Antoine 10 months ago

  • Status changed from Resolved to Closed
  • Assignee changed from Victor Julien to Philippe Antoine
#21

Updated by Philippe Antoine 10 months ago

  • Subject changed from Timeout with pcre to fuzz: Timeout with pcre
#22

Updated by Philippe Antoine 10 months ago

  • Related to Feature #7328: detect: use hyper scan streaming mode added
#23

Updated by Philippe Antoine 7 months ago

oss-fuzz found another case with:

alert ip any any -> any any (content:!"4008.mp65533";pcre:!"/.detect.alerttcppcre:!/wk"/.*bCaprt.lte.c^hFPC5|\H+?0{},{}n*bbpcre:eCaprt.ltf.cbqoluterttcppcre:!/wk"/.*bCaprt.lte.c^hFPC0|\H+?0{},{}n*bbpcre:eCaprt.lte.cbsolute_o[fset\H+0}{?,{}n*re:eCaprt.flow.wrk.fl|\; dnp3_ind:]5{},{:.c^hF]PC0|absolulows_evicted_plte.c^hFPC0|\W+?3{}H+0*hhhhn/"; pcre:!/.*\A.l,Focaldomain/"; sid:1;)

#26

Updated by Jason Ish 8 days ago

  • Private changed from Yes to No