Project

General

Profile

Actions
Copy link

Bug #6104

closed

detect/multi-buffer: Heap-buffer-overflow in SigMatchAppendSMToList

Added by Philippe Antoine 12 months ago. Updated 6 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
7.0.2
Affected Versions:
Effort:
Difficulty:
Label:

Description

Found by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=59422

Regression range is https://github.com/OISF/suricata/compare/22485b368e375d90df0e4129684a1ea54d9b67ff...6190913a461e9943e83f24d78a368043c22f0039

Related issues 1 (0 open1 closed)

Related to Suricata - Optimization #6194: detect: modernize filename fileext filemagicClosedVictor JulienActions
Actions
Copy link
 #1

Updated by Philippe Antoine 12 months ago

Rule minimized

drop ip :: 6 <> :: 3 filEext:uext;file.name:;content:" ";filename:Q;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:Qn;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:n;file.name:;content:" ";filename:Qn;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:Qn;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:o;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename: an;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:"( ";filename:n;file.name:;base64_decode;content:" ";filename:t9;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:"( ";filename:n;file.name:;base64_decode;content:" ";filename:th I;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:n;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:Qt: an;file.name:;base64_decode;content:" ";filename:Q9;base64_decode;content:" ";filename:1;

Actions
Copy link
 #2

Updated by Philippe Antoine 12 months ago

cf code

// return -1; TODO error handle

Actions
Copy link
 #3

Updated by Philippe Antoine 11 months ago

  • Target version changed from TBD to 7.0.0-rc2
Actions
Copy link
 #4

Updated by Victor Julien 11 months ago

  • Assignee changed from Victor Julien to OISF Dev
  • Priority changed from Normal to High
Actions
Copy link
 #5

Updated by Victor Julien 11 months ago

  • Target version changed from 7.0.0-rc2 to 7.0.0
Actions
Copy link
 #6

Updated by Philippe Antoine 10 months ago

Actions
Copy link
 #7

Updated by Victor Julien 10 months ago

  • Status changed from New to Closed
  • Assignee deleted (OISF Dev)
  • Priority changed from High to Normal
  • Target version deleted (7.0.0)

Possibly fixed unintentionally. We can reopen if oss-fuzz finds another vector.

Actions
Copy link
 #8

Updated by Philippe Antoine 8 months ago

  • Assignee set to Philippe Antoine
  • Target version set to 7.0.2
Actions
Copy link
 #9

Updated by Philippe Antoine 8 months ago

  • Status changed from Closed to Assigned

Reproducer is 

alert tcp any any <> any 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdqOp _tsebisfL;filestore:ive;metadata:s:oOdrOpstring,relative 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTterncp>any any <> any 0  uricontenT:+!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp i:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdqOp _tsebisfL;filestore:ive;metadata:s:oOdrOpstring,relative 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTterncp>any any <> any 0  uricontenT:+!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtefn*onlny <> any 0  uricontefL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp Op^Mip :iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s 0:: 3 gerprOp iaTterncp any any <> any 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:sXoOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdqOp _tseb*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebi ip 0::binly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOpnly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTt,2335,150!1,150!0erncp any any <> aoy 0  uricontefL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdqO,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL{filestore:ive;metadata:s:oOdrOp ipict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTterncp any any <> any 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:sXoOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pit,string,relative;metadata:s:oOdqOp _tseb*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebi ip 0::binly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOpnly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;metadata:s:;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTterncp>any any <> any 0  uricontenT:+!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0stream_sizep iaTtefn*onlny <> any 0  uricontefL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s 0:: 3 gerprOp iaTterncp any any <> any 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:sXoOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOpy:r;byte_extract:2,5,pict,string,relative;metadata:s 0:: 3 gerprOp iaTterncp any any <> any 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:sXoOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdqOp _tseb*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebi ip 0::binly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOpnly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTt,2335,150!1,150!0erncp any any <> aoy 0  uricontefL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdqO,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ipict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTterncp any any <> any 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:sXoOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pit,string,relative;metadata:s:oOdqOp _tseb*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebi ip 0::binly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOpnly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;metadata:s:;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOdnp3_indncp>any any <> any 0  uricontenT:+!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp relative;metadata:s:oOdrOp _tsebi ip 0::binly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOpnl <> any sebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdqOp _tsebisfL;filestore:ive;metadata:s:oOdrOpstring,relative 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTterncp>any any <> any 0  uricontenT:+!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp i:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdqOp _tsebisfL;filestore:ive;metadata:s:oOdrOpstring,relative 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: t,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTterncp any any <> any 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:sXoOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pit,string,relative;metadata:s:oOdqOp _tseb*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebi ip 0::binly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOpnly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;metadata:s:;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTterncp>any any <> any 0  uricontenT:+!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtefn*onlny <> any 0  uricontefL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s 0:: 3 gerprOp iaTterncp any any <> any 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:sXoOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOpy:r;byte_extract:2,5,pict,string,relative;metadata:s 0:: 3 gerprOp iaTterncp any any <> any 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,string,relative;metadata:sXoOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdqOp _tseb*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOp _tsebi ip 0::binly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdrOpnly:r;byte_extract:2,5,pict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTt,2335,150!1,150!0erncp any any <> aoy 0  uricontefL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOdqO,relative;metadata:s:oOdrOp _tsebisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTtern*only:r;byte_extract:2,5,pict,string,relative;metadata:s:oOd^Mip :OdrOp _tsebisfL;filestore:ive;meOdrOpnly:;metadata:slestore:ive;metadata:s:oOdrOpstring,relative;metadata:s:oOdrOp _tsebisfL;filestore^@dve;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTterncp any any <> any 0  uricontenT:"!";faSt_paTtern:only:r;byte_extract:2,5,pict,stringp _tsebisfL;filestore:ive;metadata:s:oOdrOpstri<B5>g,relative;metadata:slestore:ive;metadata:s:oOdrOpstring,relative;metadata:s:oOdrOp ^@^T^U<A4>bisfL;filestore:ive;metadata:s:oOdrOp ip 0:: 3 gerprOp iaTterncp any any <> any 0  uricontenT:"!";

With lots or uricontent

Actions
Copy link
 #10

Updated by Philippe Antoine 8 months ago

  • Status changed from Assigned to In Progress
Actions
Copy link
 #11

Updated by Philippe Antoine 8 months ago

  • Status changed from In Progress to In Review
  • Target version changed from 7.0.2 to 7.0.1
Actions
Copy link
 #12

Updated by Victor Julien 8 months ago

  • Target version changed from 7.0.1 to 7.0.2
Actions
Copy link
 #13

Updated by Philippe Antoine 7 months ago

  • Status changed from In Review to Resolved
Actions
Copy link
 #15

Updated by Philippe Antoine 7 months ago

Should we have a new ticket for https://github.com/OISF/suricata/pull/9588 ?

Actions
Copy link
 #16

Updated by Victor Julien 6 months ago

  • Private changed from Yes to No
Actions
Copy link

Also available in: Atom PDF