Project

General

Profile

Actions
Copy link

Security #6187

open

detect: handle allocation failures during rule reload

Added by Philippe Antoine over 2 years ago. Updated 11 days ago.

Status:
In Progress
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
9.0.0-beta1
Affected Versions:
Label:
CVE:
Git IDs:
Severity:
MODERATE
Disclosure Date:

Description

Currently, we `BUG_ON` allocation failures

It looks plausible to run out of memory when trying to reload rules...

Found by nallocfuzz

Related issues 3 (2 open1 closed)

Blocked by Suricata - Bug #8146: utils-spm-hs: missing deallocators on hs_compile failureResolvedSergey ZhidkihActions
Copied from Suricata - Security #5851: rust: handle allocation failuresNewOISF DevActions
Copied to Suricata - Optimization #6188: ConfYamlLoadString: handle allocation failuresClosedPhilippe AntoineActions
Actions
Copy link
 #1

Updated by Philippe Antoine over 2 years ago

Actions
Copy link
 #2

Updated by Philippe Antoine over 2 years ago

Actions
Copy link
 #3

Updated by Philippe Antoine about 2 years ago

  • Priority changed from Normal to Low
Actions
Copy link
 #4

Updated by Victor Julien over 1 year ago

  • Status changed from New to Assigned
  • Priority changed from Low to Normal
Actions
Copy link
 #5

Updated by Philippe Antoine over 1 year ago

I think this one can be postponed after 8

Actions
Copy link
 #6

Updated by Victor Julien 11 months ago

  • Target version changed from 8.0.0-beta1 to 9.0.0-beta1

Additionally to handling the C asserts, we have the problem of Rust panic catching.

Actions
Copy link
 #7

Updated by Victor Julien 4 months ago

  • Subject changed from DetectEngineReload: handle allocation failures to detect: handle allocation failures during rule reload
Actions
Copy link
 #8

Updated by Philippe Antoine about 2 months ago

  • Status changed from Assigned to In Progress
Actions
Copy link
 #9

Updated by Philippe Antoine about 2 months ago

  • Blocked by Bug #8146: utils-spm-hs: missing deallocators on hs_compile failure added
Actions
Copy link
 #11

Updated by Philippe Antoine 11 days ago

So, nallocfuzz on fuzz_siginit with rust quickly trips on logging with its to_safe_cstring function

Actions
Copy link
 #12

Updated by Philippe Antoine 11 days ago

And we trip on the std lib doing allocations with format!

    #6 0x7f6e722a5858 in abort /build/glibc-B3wQXB/glibc-2.31/stdlib/abort.c:79:7
    #7 0x562d5624f5d9 in std::sys::pal::unix::abort_internal::h2c8c5e618a5d893e /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/sys/pal/unix/mod.rs:368:14
    #8 0x562d562509b8 in std::process::abort::h54ed4a3dab913a93 /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/process.rs:2500:5
    #9 0x562d56250751 in std::alloc::rust_oom::h3f57c0361440059a /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/alloc.rs:377:5
    #10 0x562d5624f302 in __rustc::__rg_oom /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/alloc.rs:372:1
    #11 0x562d56255618 in alloc::alloc::handle_alloc_error::rt_error::he18ac328611fcef0 /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/alloc/src/alloc.rs:406:13
    #12 0x562d56255618 in alloc::alloc::handle_alloc_error::h1a71ccc8de2526dc /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/alloc/src/alloc.rs:412:9
    #13 0x562d562556e7 in alloc::raw_vec::handle_error::h44cc7051d170a168 /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/alloc/src/raw_vec/mod.rs:792:38
    #14 0x562d56d8e0e8 in alloc::raw_vec::RawVecInner$LT$A$GT$::with_capacity_in::h0c5609bb037d30b3 /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/alloc/src/raw_vec/mod.rs:430:25
    #15 0x562d56d8e0e8 in alloc::raw_vec::RawVec$LT$T$C$A$GT$::with_capacity_in::h7d69998492c5943b /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/alloc/src/raw_vec/mod.rs:190:20
    #16 0x562d56d8e0e8 in alloc::vec::Vec$LT$T$C$A$GT$::with_capacity_in::hf1bca3175e785bdc /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/alloc/src/vec/mod.rs:958:20
    #17 0x562d56d8e0e8 in alloc::vec::Vec$LT$T$GT$::with_capacity::he27be8a2bd161c4f /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/alloc/src/vec/mod.rs:520:9
    #18 0x562d56d8e0e8 in alloc::string::String::with_capacity::hf0f787346c33b718 /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/alloc/src/string.rs:488:23
    #19 0x562d56d8e0e8 in alloc::fmt::format::format_inner::hfd79f8caa80769a9 /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/alloc/src/fmt.rs:647:26
    #20 0x562d56accab7 in alloc::fmt::format::_$u7b$$u7b$closure$u7d$$u7d$::h7415db4cb0b6c097 /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/alloc/src/fmt.rs:654:34
    #21 0x562d56accab7 in core::option::Option$LT$T$GT$::map_or_else::h8d16cf609f2066b0 /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/core/src/option.rs:1272:21
    #22 0x562d56accab7 in alloc::fmt::format::h12bc1d07fd0dc453 /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/alloc/src/fmt.rs:654:19
    #23 0x562d56accab7 in suricata::detect::requires::parse_requires::h4ae781a8a6227cbe /root/suricata/rust/src/debug.rs:149:21
    #24 0x562d56accab7 in core::ops::function::FnOnce::call_once::hfa950d73fca0c4a1 /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/core/src/ops/function.rs:250:5
    #25 0x562d56accab7 in core::result::Result$LT$T$C$E$GT$::and_then::h55b61f518876d21d /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/core/src/result.rs:1486:22
    #26 0x562d56accab7 in SCDetectCheckRequires /root/suricata/rust/src/detect/requires.rs:486:10
Actions
Copy link

Also available in: Atom PDF