Project

General

Profile

Actions

Bug #5236

closed

frame: buffer over read in SCACSearch

Added by Philippe Antoine 6 months ago. Updated 6 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44940

Reproducer is
./src/suricata -r frame.pcap -S frame.rules -k none -c suricata.yaml --set stream.midstream=true

Stack trace from ASAN is

==80048==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000006200 at pc 0x000102652483 bp 0x70000ddeb330 sp 0x70000ddeb328
READ of size 1 at 0x62b000006200 thread T13
    #0 0x102652482 in SCACSearch util-mpm-ac.c:1041
    #1 0x1023ca796 in PrefilterMpmFrame detect-engine-frame.c:101
    #2 0x1023ca233 in DetectRunPrefilterFrame detect-engine-frame.c:53
    #3 0x10235e931 in DetectRunFrames detect.c:1566
    #4 0x10235a825 in DetectRun detect.c
    #5 0x102357099 in Detect detect.c:1755
    #6 0x1024dc68e in FlowWorker flow-worker.c:552
    #7 0x1025eed94 in TmThreadsSlotVarRun tm-threads.c:117
    #8 0x1025f8efa in TmThreadsSlotVar tm-threads.c:463
    #9 0x7ff8008134f3 in _pthread_start+0x7c (libsystem_pthread.dylib:x86_64+0x64f3)
    #10 0x7ff80080f00e in thread_start+0xe (libsystem_pthread.dylib:x86_64+0x200e)

0x62b000006200 is located 0 bytes to the right of 24576-byte region [0x62b000000200,0x62b000006200)
allocated by thread T13 here:
    #0 0x103d439e5 in wrap_realloc+0xa5 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x449e5)
    #1 0x10263e619 in SCReallocFunc util-mem.c:44
    #2 0x1025d8dba in ReassembleRealloc stream-tcp-reassemble.c:221
    #3 0x10268e0a2 in StreamingBufferInsertAt util-streaming-buffer.c:668
    #4 0x1025c9ca0 in StreamTcpReassembleInsertSegment stream-tcp-list.c:585
    #5 0x1025d1a43 in StreamTcpReassembleHandleSegmentHandleData stream-tcp-reassemble.c:701
    #6 0x1025d8782 in StreamTcpReassembleHandleSegment stream-tcp-reassemble.c:1895
    #7 0x1025bfbb3 in HandleEstablishedPacketToClient stream-tcp.c:2465
    #8 0x102591c3a in StreamTcpStateDispatch stream-tcp.c:4778
    #9 0x1025844d4 in StreamTcpPacket stream-tcp.c:4967
    #10 0x1025ade46 in StreamTcp stream-tcp.c:5305
    #11 0x1024dd72e in FlowWorkerStreamTCPUpdate flow-worker.c:370
    #12 0x1024dc5f3 in FlowWorker flow-worker.c:536
    #13 0x1025eed94 in TmThreadsSlotVarRun tm-threads.c:117
    #14 0x1025f8efa in TmThreadsSlotVar tm-threads.c:463
    #15 0x7ff8008134f3 in _pthread_start+0x7c (libsystem_pthread.dylib:x86_64+0x64f3)
    #16 0x7ff80080f00e in thread_start+0xe (libsystem_pthread.dylib:x86_64+0x200e)


Files

frame.rules (1.86 KB) frame.rules Philippe Antoine, 04/08/2022 09:28 AM
frame.pcap (27.7 KB) frame.pcap Philippe Antoine, 04/08/2022 09:28 AM
Actions #1

Updated by Victor Julien 6 months ago

  • Tracker changed from Security to Bug
  • Status changed from New to Assigned
  • Severity deleted (MODERATE)
Actions #2

Updated by Victor Julien 6 months ago

  • Private changed from Yes to No
Actions #3

Updated by Victor Julien 6 months ago

  • Status changed from Assigned to Closed
Actions

Also available in: Atom PDF