Bug #5644

closed

Integer overflow at dcerpc.rs:846

Added by Ivan Kapranov about 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort: medium
Difficulty: medium
Label:

Description

Hello there! I found a panic at dcerpc.rs:846 (attempt to subtract with overflow) during fuzz testing with AFL++.
Trace:

Reading 65564 bytes from overflow_crash
thread '<unnamed>' panicked at 'attempt to subtract with overflow', src/dcerpc/dcerpc.rs:846:30
stack backtrace:
   0:     0x5652142438ed - std::backtrace_rs::backtrace::libunwind::trace::h9135f25bc195152c
                               at /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/../../backtrace/src/backtrace/libunwind.rs:93:5
   1:     0x5652142438ed - std::backtrace_rs::backtrace::trace_unsynchronized::h015ee85be510df51
                               at /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
   2:     0x5652142438ed - std::sys_common::backtrace::_print_fmt::h5fad03caa9652a2c
                               at /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/sys_common/backtrace.rs:66:5
   3:     0x5652142438ed - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::h2b42ca28d244e5c7
                               at /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/sys_common/backtrace.rs:45:22
   4:     0x56521429dddc - core::fmt::write::h401e827d053130ed
                               at /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/core/src/fmt/mod.rs:1198:17
   5:     0x5652142351a1 - std::io::Write::write_fmt::hffec93268f5cde32
                               at /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/io/mod.rs:1672:15
   6:     0x565214246605 - std::sys_common::backtrace::_print::h180c4c706ee1d3fb
                               at /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/sys_common/backtrace.rs:48:5
   7:     0x565214246605 - std::sys_common::backtrace::print::hd0c35d18765761c9
                               at /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/sys_common/backtrace.rs:35:9
   8:     0x565214246605 - std::panicking::default_hook::{{closure}}::h1f023310983bc730
                               at /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/panicking.rs:295:22
   9:     0x565214246321 - std::panicking::default_hook::h188fec3334afd5be
                               at /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/panicking.rs:314:9
  10:     0x565214246c26 - std::panicking::rust_panic_with_hook::hf26e9d4f97b40096
                               at /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/panicking.rs:698:17
  11:     0x565214246ad9 - std::panicking::begin_panic_handler::{{closure}}::hfab912107608087a
                               at /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/panicking.rs:586:13
  12:     0x565214243de4 - std::sys_common::backtrace::__rust_end_short_backtrace::h434b685ce8d9965b
                               at /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/sys_common/backtrace.rs:138:18
  13:     0x565214246849 - rust_begin_unwind
                               at /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/panicking.rs:584:5
  14:     0x56521386e163 - core::panicking::panic_fmt::ha6dc7f2ab2479463
                               at /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/core/src/panicking.rs:142:14
  15:     0x56521386e02d - core::panicking::panic::hb3ad04c589a0e3c8
                               at /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/core/src/panicking.rs:48:5
  16:     0x565213cdce2d - suricata::dcerpc::dcerpc::DCERPCState::handle_common_stub::h4582d3f0e52da7ee
  17:     0x565213cdd993 - suricata::dcerpc::dcerpc::DCERPCState::process_request_pdu::h9153bc7e54afe93b
  18:     0x565213cdec03 - suricata::dcerpc::dcerpc::DCERPCState::handle_input_data::hd75d9953d62354c8
  19:     0x565213cdffda - rs_dcerpc_parse_request
  20:     0x56521387752c - AppLayerParserParse
                               at /fuzz/suricata-7.0.0-beta1/src/app-layer-parser.c:1374:30
  21:     0x56521386f28a - LLVMFuzzerTestOneInput
                               at /fuzz/suricata-7.0.0-beta1/src/tests/fuzz/fuzz_applayerparserparse.c:198:16
  22:     0x56521386ec5e - ExecuteFilesOnyByOne
  23:     0x56521386ea69 - LLVMFuzzerRunDriver
  24:     0x56521386e649 - main
  25:     0x7fb80cc33d90 - <unknown>
  26:     0x7fb80cc33e40 - __libc_start_main
  27:     0x56521386e4b5 - _start
  28:                0x0 - <unknown>
fatal runtime error: failed to initiate panic, error 5

Build info:

This is Suricata version 7.0.0-beta1 RELEASE
Features: DEBUG DEBUG_VALIDATION PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST 
SIMD support: none
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version Ubuntu Clang 14.0.6, C version 201112
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.41, linked against LibHTP v0.5.41

Suricata Configuration:
  AF_PACKET support:                       yes
  DPDK support:                            no
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no 
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  PCRE jit:                                yes
  LUA support:                             no
  libluajit:                               no
  GeoIP2 support:                          no
  Non-bundled htp:                         no
  Hyperscan support:                       no
  Libnet support:                          yes
  liblz4 support:                          yes
  Landlock support:                        yes

  Rust support:                            yes
  Rust strict mode:                        no
  Rust compiler path:                      /etc/cargo/bin/rustc
  Rust compiler version:                   rustc 1.64.0 (a55dd71d5 2022-09-19)
  Cargo path:                              /etc/cargo/bin/cargo
  Cargo version:                           cargo 1.64.0 (387270bc7 2022-09-16)

  Python support:                          yes
  Python path:                             /usr/bin/python3
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no

  Plugin support (experimental):           yes

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    yes
  Debug validation enabled:                yes
  Fuzz targets enabled:                    yes

Generic build parameters:
  Installation prefix:                     /usr/local
  Configuration directory:                 /usr/local/etc/suricata/
  Log directory:                           /usr/local/var/log/suricata/

  --prefix                                 /usr/local
  --sysconfdir                             /usr/local/etc
  --localstatedir                          /usr/local/var
  --datarootdir                            /usr/local/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                afl-clang-fast (exec name) / afl-clang-fast++ (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                no
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -fPIC -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS                               -I/usr/include
  SECCFLAGS                               
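The panic above is the signature of an unchecked subtraction on a length field in a debug build (the fuzz build here has DEBUG enabled, so Rust's overflow checks are on); in a release build the same subtraction would wrap silently instead, so the fix is to validate the arithmetic rather than rely on the panic. The following is an added illustration written for this page, not Suricata's dcerpc.rs code: the PDU layout, the field names `frag_length` and `auth_length`, and the helper names are constructed for the example. It shows the panicking pattern beside a checked version that turns a malformed length into a parse error for every input.

```rust
// Added illustration (not Suricata's code): a length-field subtraction in a
// binary parser that underflows on fuzzed input, and its checked replacement.
// The PDU layout below is constructed for the example, not the DCERPC wire format.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated,
    BadLength,
}

/// Length of the constructed fixed header: 2 bytes frag_length + 2 bytes auth_length.
pub const HEADER_LEN: u16 = 4;

/// Unchecked version, mirroring the bug pattern. When frag_length is smaller than
/// HEADER_LEN + auth_length the subtraction underflows: a debug build panics with
/// "attempt to subtract with overflow", a release build wraps to a huge length.
pub fn stub_len_unchecked(frag_length: u16, auth_length: u16) -> u16 {
    frag_length - HEADER_LEN - auth_length
}

/// Checked version: each subtraction is validated and a malformed length
/// becomes an error the caller can handle instead of a panic.
pub fn stub_len_checked(frag_length: u16, auth_length: u16) -> Result<u16, ParseError> {
    frag_length
        .checked_sub(HEADER_LEN)
        .and_then(|n| n.checked_sub(auth_length))
        .ok_or(ParseError::BadLength)
}

/// Parse a constructed PDU: [frag_length u16 LE][auth_length u16 LE][stub ...][auth trailer ...]
/// Returns the stub bytes; never panics, whatever the input.
pub fn parse_stub(input: &[u8]) -> Result<&[u8], ParseError> {
    if input.len() < HEADER_LEN as usize {
        return Err(ParseError::Truncated);
    }
    let frag_length = u16::from_le_bytes([input[0], input[1]]);
    let auth_length = u16::from_le_bytes([input[2], input[3]]);
    let stub_len = stub_len_checked(frag_length, auth_length)? as usize;
    // The declared fragment must also fit inside the bytes we actually received,
    // otherwise the slice below would go out of bounds.
    if input.len() < frag_length as usize {
        return Err(ParseError::Truncated);
    }
    let start = HEADER_LEN as usize;
    Ok(&input[start..start + stub_len])
}

pub fn demo() {
    // Constructed sample: frag_length = 8, auth_length = 0 -> 4 stub bytes.
    let good = [8u8, 0, 0, 0, 0xde, 0xad, 0xbe, 0xef];
    println!("good: {:?}", parse_stub(&good));
    // Constructed crash-style sample: frag_length = 2, smaller than the header.
    let bad = [2u8, 0, 0, 0, 0, 0, 0, 0];
    println!("bad:  {:?}", parse_stub(&bad));
    // The unchecked path panics on the same values in a debug build
    // (in a release build it wraps instead and this prints false).
    let panicked = std::panic::catch_unwind(|| stub_len_unchecked(2, 0)).is_err();
    println!("unchecked subtraction panicked: {}", panicked);
}

fn main() {
    demo();
}
```

Running it under a debug profile prints the parsed stub for the well-formed sample, `Err(BadLength)` for the short fragment, and `true` for the unchecked subtraction; the checked parser returns an error for the same bytes that panic the unchecked one, which is the property a fuzz target should have.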


Files

overflow_crash (64 KB) overflow_crash Ivan Kapranov, 11/07/2022 10:20 AM

Subtasks 1 (0 open, 1 closed)

Bug #5696: Integer overflow at dcerpc.rs:846 (6.0.x backport), Closed, Victor Julien

#1

Updated by Victor Julien about 2 years ago

  • Target version changed from 7.0.0-beta1 to 7.0.0-rc1
  • Label Needs backport to 6.0 added
#2

Updated by Shivani Bhardwaj about 2 years ago

  • Subtask #5696 added
#3

Updated by Shivani Bhardwaj about 2 years ago

  • Label deleted (Needs backport to 6.0, Rust)
#5

Updated by Victor Julien almost 2 years ago

  • Assignee changed from OISF Dev to Philippe Antoine