Actions
Bug #5016
closedpgsql: fix possible unsigned integer overflow
Added by Juliana Fajardini Reichow over 2 years ago. Updated over 1 year ago.
Affected Versions:
Effort:
Difficulty:
Label:
Description
In parser::pgsql_parse_response, when we call take(pseudo_header.1 + 1) may cause an integer overflow.
let (i, pseudo_header) = peek(tuple((be_u8, be_u32)))(i)?;
let (i, message) = map_parser(
take(pseudo_header.1 + 1),
(Fixing isn't too trivial due to how underlying nom parsers currently.)
Updated by Philippe Antoine over 2 years ago
Some more info from fuzzing
thread '<unnamed>' panicked at 'attempt to add with overflow', src/pgsql/parser.rs:1115:33
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
fatal runtime error: failed to initiate panic, error 5
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1894==ERROR: AddressSanitizer: ABRT on unknown address 0x000000000766 (pc 0x7fc0ca90018b bp 0x000000000001 sp 0x7ffe6904d180 T0)
SCARINESS: 10 (signal)
#0 0x7fc0ca90018b in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4618b)
#1 0x7fc0ca8df858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x25858)
#2 0x2bc2066 in std::sys::unix::abort_internal::h7127d741bc006c5f /rustc/bd3cb52565faab2755ff1bdb54d88bc91f47b4b9/library/std/src/sys/unix/mod.rs:259:14
#3 0x2bb67cf in rust_panic /rustc/bd3cb52565faab2755ff1bdb54d88bc91f47b4b9/library/std/src/panicking.rs:735:5
#4 0x2bb6559 in std::panicking::rust_panic_with_hook::hd156dff710da39af /rustc/bd3cb52565faab2755ff1bdb54d88bc91f47b4b9/library/std/src/panicking.rs:703:5
#5 0x2bb60b1 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hf8e6e87872422eb2 /rustc/bd3cb52565faab2755ff1bdb54d88bc91f47b4b9/library/std/src/panicking.rs:579:13
#6 0x2bb1943 in std::sys_common::backtrace::__rust_end_short_backtrace::h1dca537b9cc9d050 /rustc/bd3cb52565faab2755ff1bdb54d88bc91f47b4b9/library/std/src/sys_common/backtrace.rs:139:18
#7 0x2bb5e18 in rust_begin_unwind /rustc/bd3cb52565faab2755ff1bdb54d88bc91f47b4b9/library/std/src/panicking.rs:577:5
#8 0x53c0c0 in core::panicking::panic_fmt::h1734b56c73d3bf02 /rustc/bd3cb52565faab2755ff1bdb54d88bc91f47b4b9/library/core/src/panicking.rs:110:14
#9 0x53c00c in core::panicking::panic::h382af5c6fcd0fc86 /rustc/bd3cb52565faab2755ff1bdb54d88bc91f47b4b9/library/core/src/panicking.rs:48:5
#10 0x1674b87 in suricata::pgsql::parser::pgsql_parse_response::_$u7b$$u7b$closure$u7d$$u7d$::h61b20f2f9e374274 /src/suricata/rust/src/pgsql/parser.rs:1115:33
#11 0x1674b87 in nom::combinator::map_parser::_$u7b$$u7b$closure$u7d$$u7d$::hc2050c65c4f54d16 /rust/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/src/combinator/mod.rs:209:23
#12 0x1674b87 in nom::combinator::map_parserc::hcd11a49db00487c5 /rust/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/src/combinator/mod.rs:222:3
#13 0x1674b87 in suricata::pgsql::parser::pgsql_parse_response::h1992d53df13ed68b /rust/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/src/combinator/macros.rs:124:13
#14 0x1349d16 in suricata::pgsql::pgsql::PgsqlState::state_based_resp_parsing::h7e0f8fbaac2ab827 /src/suricata/rust/src/pgsql/pgsql.rs:406:13
#15 0x1349d16 in suricata::pgsql::pgsql::PgsqlState::parse_response::h81d275217d46cb30 /src/suricata/rust/src/pgsql/pgsql.rs:429:19
#16 0x134d060 in rs_pgsql_parse_response /src/suricata/rust/src/pgsql/pgsql.rs:627:16
#17 0x682a32 in AppLayerParserParse /src/suricata/src/app-layer-parser.c:1304:30
#18 0x67cf17 in LLVMFuzzerTestOneInput /src/suricata/src/tests/fuzz/fuzz_applayerparserparse.c:221:16
#19 0x573233 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
#20 0x572a1a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) cxa_noexception.cpp
#21 0x573fc9 in fuzzer::Fuzzer::MutateAndTestOne() cxa_noexception.cpp
#22 0x574c95 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) cxa_noexception.cpp
#23 0x5645af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp
#24 0x58d492 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#25 0x7fc0ca8e10b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#26 0x53d5fd in _start (/builds/122582/build-out/fuzz_applayerparserparse_pgsql+0x53d5fd)
DEDUP_TOKEN: raise--abort--std::sys::unix::abort_internal::h7127d741bc006c5f
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x4618b) in raise
==1894==ABORTING
MS: 3 ChangeBinInt-InsertByte-CMP- DE: "\001\325\312z"-; base unit: 88029764fbb891b6eb60aa311678b61302a44c65
0x1,0x6,0x3,0x0,0xff,0x0,0x0,0xff,0xff,0xff,0x1,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x1,0xd5,0xca,0x7a,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xee,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xdf,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
\001\006\003\000\377\000\000\377\377\377\001\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\001\325\312z\377\377\377\377\377\377\377\377\377\377\377\377\356\377\377\377\377\377\377\377\377\377\377\377\377\337\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377
artifact_prefix='/tmp/tmph8yap2ox/'; Test unit written to /tmp/tmph8yap2ox/crash-2bc10bc18cce64112f4899f7177ab17c92088c0f
Base64: AQYDAP8AAP///wH/////////////////////AdXKev///////////////+7////////////////f//////////////////////////8=
Updated by Juliana Fajardini Reichow about 2 years ago
- Status changed from New to In Review
PR for review: https://github.com/OISF/suricata/pull/7348
Updated by Philippe Antoine about 2 years ago
- Status changed from In Review to Closed
Updated by Victor Julien over 1 year ago
- Target version set to 7.0.0-beta1
- Affected Versions git master added
- Affected Versions deleted (
7.0.0-beta1)
Actions