Actions
Bug #5762
closeddetect/pcre: JIT not disabled when OS doesn't allow RWX pages
Affected Versions:
Effort:
Difficulty:
Label:
Description
On Ubuntu 22.04.1 LTS, if you configure Suricata systemd service file with the following security hardening settings "MemoryDenyWriteExecute=true" the suricata Service will crash with a segmentation fault once the PCRE engine is triggerd to compile a PCRE found in a rule using JIT.
to reproduce this issue please follow these steps:
- install suricata 6.0.9 from ppa:oisf/suricata-stable on Ubuntu 22.04.1 LTS
- configure suricata to listen to the interface
- configure suricata with the following rule
alert ip any any -> any any (msg:"crash test"; content:"test"; pcre:"/^[^\r\n]+\.(?:t(?:ar|gz)|exe|zip)/Ri"; classtype:bad-unknown; sid:1;)
- use the following systemd file to run suricata service, place it in: /lib/systemd/system/suricata.service
# IDSTower Suricata systemd unit file. [Unit] Description=IDSTower Suricata Service After=syslog.target network-online.target systemd-tmpfiles-setup.service Documentation=man:suricata(1) [Service] ExecStartPre=/bin/rm -f /etc/suricata/suricata.pid ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /etc/suricata/suricata.pid --af-packet -vvv ExecReload=/bin/kill -USR2 $MAINPID ### Security Settings ### MemoryDenyWriteExecute=true LockPersonality=true ProtectControlGroups=true ProtectKernelModules=true [Install] WantedBy=multi-user.target
Note: this is the same systemd service file avaiable in Suricata Redhat/CentOS RPMs
#create a txt file named trigger.txt containing the word test on another machine
user@idstowerubuntu22:~$ cat trigger.txt
test
#start a simple python server to serve trigger.txt and curl it from the suricata machine
python -m http.server
curl -X GET http://192.168.3.242:8000/trigger.txt
#Suricata service will crash
running: sudo dmesg -T
Files
Updated by Victor Julien about 2 years ago
- Subject changed from Suricata On Ubuntu dose not disable PCRE JIT when OS doesn't allow RWX pages to detect/pcre: JIT not disabled when OS doesn't allow RWX pages
- Status changed from New to In Progress
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 6.0.10
Updated by Victor Julien about 2 years ago
- Status changed from In Progress to In Review
Updated by Victor Julien about 2 years ago
- Status changed from In Review to Closed
Actions