Bug #5228

closed

pcre2: SEGV during rule loading

Added by Victor Julien 6 months ago. Updated 6 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

This may be an edge case, as I'm on ARM 32bit, Ubuntu Xenial (EOL), but I see:

Program received signal SIGSEGV, Segmentation fault.
0xb6e0bcf8 in pcre2_substring_list_free_8 () from /usr/lib/arm-linux-gnueabihf/libpcre2-8.so.0
(gdb) bt
#0  0xb6e0bcf8 in pcre2_substring_list_free_8 () from /usr/lib/arm-linux-gnueabihf/libpcre2-8.so.0
#1  0x0018fa56 in DetectUrilenParse (urilenstr=0xbefed578 "9") at detect-urilen.c:210
#2  0x0018fbc2 in DetectUrilenSetup (de_ctx=0x1285018, s=0x189cd40, urilenstr=0xbefed578 "9")
    at detect-urilen.c:255
#3  0x00177ffc in SigParseOptions (de_ctx=0x1285018, s=0x189cd40, optstr=0xbefed571 "urilen", 
    output=0xbefed4a0 "", output_size=204) at detect-parse.c:815
#4  0x00178c3e in SigParse (de_ctx=0x1285018, s=0x189cd40, 
    sigstr=0xbeffd78c "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\"ET EXPLOIT_KIT BegOpEK - TDS - icon.php\"; flow:established,to_server; content:\"/icon.php\"; urilen:9; classtype:exploit-kit; sid:2015789; rev:2; meta"..., addrs_direction=0 '\000', parser=0xbefed6dc) at detect-parse.c:1251
#5  0x0017a1c2 in SigInitHelper (de_ctx=0x1285018, 
    sigstr=0xbeffd78c "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\"ET EXPLOIT_KIT BegOpEK - TDS - icon.php\"; flow:established,to_server; content:\"/icon.php\"; urilen:9; classtype:exploit-kit; sid:2015789; rev:2; meta"..., dir=0 '\000') at detect-parse.c:1957
#6  0x0017a76e in SigInit (de_ctx=0x1285018, 
    sigstr=0xbeffd78c "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\"ET EXPLOIT_KIT BegOpEK - TDS - icon.php\"; flow:established,to_server; content:\"/icon.php\"; urilen:9; classtype:exploit-kit; sid:2015789; rev:2; meta"...) at detect-parse.c:2124
#7  0x0017ac52 in DetectEngineAppendSig (de_ctx=0x1285018, 
    sigstr=0xbeffd78c "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\"ET EXPLOIT_KIT BegOpEK - TDS - icon.php\"; flow:established,to_server; content:\"/icon.php\"; urilen:9; classtype:exploit-kit; sid:2015789; rev:2; meta"...) at detect-parse.c:2422
#8  0x00149774 in DetectLoadSigFile (de_ctx=0x1285018, sig_file=0x12bd868 "emerging-all.rules", 
    goodsigs=0xbefff830, badsigs=0xbefff834) at detect-engine-loader.c:169
#9  0x00149b40 in ProcessSigFiles (de_ctx=0x1285018, pattern=0xbefffc6e "emerging-all.rules", 
    st=0x1285bb8, good_sigs=0xbefff830, bad_sigs=0xbefff834) at detect-engine-loader.c:252
#10 0x00149d6c in SigLoadSignatures (de_ctx=0x1285018, sig_file=0xbefffc6e "emerging-all.rules", 
    sig_file_exclusive=1) at detect-engine-loader.c:331
#11 0x000e5a62 in LoadSignatures (de_ctx=0x1285018, suri=0x76bcfc <suricata>) at suricata.c:2329
#12 0x000e5e90 in PostConfLoadedDetectSetup (suri=0x76bcfc <suricata>) at suricata.c:2481
#13 0x000e69fe in SuricataMain (argc=8, argv=0xbefffac4) at suricata.c:2916
#14 0x000e1dfa in main (argc=8, argv=0xbefffac4) at main.c:22
(gdb) f 1
#1  0x0018fa56 in DetectUrilenParse (urilenstr=0xbefed578 "9") at detect-urilen.c:210
210         pcre2_substring_free((PCRE2_UCHAR *)arg1);
(gdb) p arg1
$1 = 0x0
(gdb) 

arg1 can be null if there is something like urilen:6;.

Perhaps later pcre2 free funcs accept NULL values.
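As an added illustration (not Suricata's code, and not the real regex in detect-urilen.c): a hand-rolled parse of the urilen operand that leaves the second operand NULL for a plain number such as 6, beside a cleanup that checks each capture before freeing it. substring_free_strict() is a constructed stand-in for a pcre2_substring_free() that does not tolerate NULL; urilen_parse(), dup_range() and urilen_cleanup() are hypothetical names.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for pcre2_substring_free() as on the older libpcre2 in
 * the report: NULL is a misuse, reported here as -1 rather than by a crash. */
static int substring_free_strict(char *buf)
{
    if (buf == NULL) return -1;
    free(buf);
    return 0;
}

static char *dup_range(const char *s, size_t n)
{
    char *d = malloc(n + 1);
    if (d) { memcpy(d, s, n); d[n] = '\0'; }
    return d;
}

/* Hypothetical minimal parse of a urilen operand ("N", "<N", ">N", "N<>M").
 * arg2 is set only for the range form, so "6" leaves it NULL as in the crash. */
static int urilen_parse(const char *str, char *mode, char **arg1, char **arg2)
{
    const char *p, *q;
    *arg1 = *arg2 = NULL;
    *mode = (*str == '<' || *str == '>') ? *str++ : '=';
    for (p = str; isdigit((unsigned char)*p); p++) ;
    if (p == str || (*p != '\0' && (*mode != '=' || strncmp(p, "<>", 2) != 0)))
        return -1;
    *arg1 = dup_range(str, p - str);
    if (*p == '\0')
        return 0;                 /* single operand: nothing for arg2 */
    for (q = p + 2; isdigit((unsigned char)*q); q++) ;
    if (q == p + 2 || *q != '\0') {
        free(*arg1); *arg1 = NULL;
        return -1;
    }
    *mode = 'r';
    *arg2 = dup_range(p + 2, q - (p + 2));
    return 0;
}

/* Hardened cleanup: only non-NULL captures reach the free routine. */
static int urilen_cleanup(char *arg1, char *arg2)
{
    if (arg1 != NULL && substring_free_strict(arg1) != 0) return -1;
    if (arg2 != NULL && substring_free_strict(arg2) != 0) return -1;
    return 0;
}
```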

#1

Updated by Victor Julien 6 months ago

  • Status changed from Assigned to In Review