Project

General

Profile

Actions
Copy link

Bug #6294

closed

http2/brotli: subtract with overflow found by sydr-Fuzz

Added by Alexey Simakov about 1 year ago. Updated 12 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
7.0.3
Affected Versions:
7.0.0
Effort:
Difficulty:
Label:
Hardening

Description

Stacktrace:

    "#0  0x00007ffff79ec00b in raise () from /lib/x86_64-linux-gnu/libc.so.6",
    "#1  0x00007ffff79cb859 in abort () from /lib/x86_64-linux-gnu/libc.so.6",
    "#2  0x0000000000f140e7 in std::sys::unix::abort_internal () at /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/sys/unix/mod.rs:359",
    "#3  0x0000000000f088c9 in std::panicking::rust_panic () at /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/panicking.rs:756",
    "#4  0x0000000000f086f1 in std::panicking::rust_panic_with_hook () at /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/panicking.rs:727",
    "#5  0x0000000000f08401 in std::panicking::begin_panic_handler::{closure#0} () at /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/panicking.rs:595",
    "#6  0x0000000000f058c6 in std::sys_common::backtrace::__rust_end_short_backtrace<std::panicking::begin_panic_handler::{closure_env#0}, !> () at /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/sys_common/backtrace.rs:151",
    "#7  0x0000000000f08192 in std::panicking::begin_panic_handler () at /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/std/src/panicking.rs:593",
    "#8  0x0000000000f60c93 in core::panicking::panic_fmt () at /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/core/src/panicking.rs:67",
    "#9  0x0000000000f60d23 in core::panicking::panic () at /rustc/8ede3aae28fe6e4d52b38157d7bfe0d3bceef225/library/core/src/panicking.rs:117",
    "#10 0x00000000008079d2 in brotli_decompressor::decode::ProcessCommandsInternal<alloc_stdlib::std_alloc::StandardAlloc, alloc_stdlib::std_alloc::StandardAlloc, alloc_stdlib::std_alloc::StandardAlloc> (safe=false, s=0x61e0000018d0, input=...) at /suricata/rust/vendor/brotli-decompressor/src/bit_reader/mod.rs:151",
    "#11 0x0000000000a865a5 in brotli_decompressor::decode::ProcessCommands<alloc_stdlib::std_alloc::StandardAlloc, alloc_stdlib::std_alloc::StandardAlloc, alloc_stdlib::std_alloc::StandardAlloc> (s=0x61e0000018d0, input=...) at /suricata/rust/vendor/brotli-decompressor/src/decode.rs:2616",
    "#12 brotli_decompressor::decode::BrotliDecompressStream<alloc_stdlib::std_alloc::StandardAlloc, alloc_stdlib::std_alloc::StandardAlloc, alloc_stdlib::std_alloc::StandardAlloc> (input_offset=0x61e0000018b8, xinput=..., available_out=<optimized out>, output_offset=<optimized out>, output=..., total_out=0x61e0000018b0, s=0x61e0000018d0, available_in=<optimized out>) at /suricata/rust/vendor/brotli-decompressor/src/decode.rs:3151",
    "#13 brotli_decompressor::reader::{impl#5}::read<std::io::error::Error, brotli_decompressor::io_wrappers::IntoIoReader<suricata::http2::decompression::HTTP2cursor>, alloc_stdlib::heap_alloc::WrapBox<u8>, alloc_stdlib::std_alloc::StandardAlloc, alloc_stdlib::std_alloc::StandardAlloc, alloc_stdlib::std_alloc::StandardAlloc> (self=0x61e000001880, buf=...) at /suricata/rust/vendor/brotli-decompressor/src/reader.rs:283",
    "#14 brotli_decompressor::reader::{impl#1}::read<suricata::http2::decompression::HTTP2cursor, alloc_stdlib::heap_alloc::WrapBox<u8>, alloc_stdlib::std_alloc::StandardAlloc, alloc_stdlib::std_alloc::StandardAlloc, alloc_stdlib::std_alloc::StandardAlloc> (self=0x61e000001880, buf=...) at /suricata/rust/vendor/brotli-decompressor/src/reader.rs:85",
    "#15 brotli_decompressor::reader::{impl#3}::read<suricata::http2::decompression::HTTP2cursor> (self=0x61e000001880, buf=...) at /suricata/rust/vendor/brotli-decompressor/src/reader.rs:178",
    "#16 suricata::http2::decompression::http2_decompress<brotli_decompressor::reader::Decompressor<suricata::http2::decompression::HTTP2cursor>> (decoder=0x61e000001880, input=..., output=0x7fffffffdfe8) at /suricata/rust/src/http2/decompression.rs:145",
    "#17 0x0000000000a9cf3d in suricata::http2::decompression::HTTP2DecoderHalf::decompress (self=0x620000000a30, input=..., output=0x7fffffffdfe8) at /suricata/rust/src/http2/decompression.rs:209",
    "#18 0x0000000000a9cf3d in suricata::http2::decompression::HTTP2Decoder::decompress (input=..., output=0x7fffffffdfe8, dir=suricata::core::Direction::ToClient, self=<optimized out>)",
    "#19 suricata::http2::http2::HTTP2Transaction::decompress (input=..., dir=suricata::core::Direction::ToClient, sfcm=0x2af6b40 <sfc>, self=<optimized out>, over=<optimized out>, flow=<optimized out>) at /suricata/rust/src/http2/http2.rs:222",
    "#20 suricata::http2::http2::HTTP2State::parse_frames (self=0x60e00003dd00, input=..., il=584, dir=suricata::core::Direction::ToClient, flow=<optimized out>) at /suricata/rust/src/http2/http2.rs:982",
    "#21 0x0000000000aa2a29 in suricata::http2::http2::HTTP2State::parse_tc (self=0x60e00003dd00, input=..., flow=0x6120003b2cc0) at /suricata/rust/src/http2/http2.rs:1077",
    "#22 suricata::http2::http2::rs_http2_parse_tc (flow=0x6120003b2cc0, state=0x60e00003dd00, _pstate=<optimized out>, stream_slice=..., _data=<optimized out>) at /suricata/rust/src/http2/http2.rs:1170",
    "#23 0x0000000000fa0988 in AppLayerParserParse (tv=<optimized out>, alp_tctx=<optimized out>, f=0x6120003b2cc0, alproto=<optimized out>, flags=<optimized out>, input=<optimized out>, input_len=<optimized out>) at /suricata/src/app-layer-parser.c:1403",
    "#24 0x0000000000f887ac in LLVMFuzzerTestOneInput (data=<optimized out>, size=<optimized out>) at /suricata/src/tests/fuzz/fuzz_applayerparserparse.c:161",
    "#25 0x00000000007fd7fe in ExecuteFilesOnyByOne (argc=2, argv=0x7fffffffe948, callback=callback@entry=0xf87330 <LLVMFuzzerTestOneInput>) at /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255",
    "#26 0x00000000007fd609 in LLVMFuzzerRunDriver (argcp=argcp@entry=0x7fffffffe844, argvp=argvp@entry=0x7fffffffe848, callback=0xf87330 <LLVMFuzzerTestOneInput>) at /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:364",
    "#27 0x00000000007fd1c9 in main (argc=2, argv=0x7fffffffe948) at /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300"

Files

crash-414aaa3d0b1f2b64c05db5abd223bb5b12d83869 (465 Bytes) crash-414aaa3d0b1f2b64c05db5abd223bb5b12d83869 Alexey Simakov, 09/04/2023 06:46 PM
Actions
Copy link
 #1

Updated by Alexey Simakov about 1 year ago

Applying additional information

fuzz target -fuzz_applayerparserparse_http2

Actions
Copy link
 #2

Updated by Juliana Fajardini Reichow about 1 year ago

  • Label Hardening added
Actions
Copy link
 #3

Updated by Philippe Antoine about 1 year ago

  • Status changed from New to In Review
  • Target version changed from TBD to 7.0.3
Actions
Copy link
 #4

Updated by Victor Julien about 1 year ago

  • Status changed from In Review to Feedback
  • Assignee changed from OISF Dev to Alexey Simakov

Alexey can you confirm is the issue in solved in our git master branch?

Actions
Copy link
 #5

Updated by Alexey Simakov about 1 year ago

Sorry for delay, need some time to check this

Actions
Copy link
 #6

Updated by Alexey Simakov 12 months ago

Issue solved

Actions
Copy link
 #7

Updated by Victor Julien 12 months ago

  • Subject changed from Subtract with overflow found by sydr-Fuzz to http2/brotli: subtract with overflow found by sydr-Fuzz
  • Status changed from Feedback to Closed
  • Assignee changed from Alexey Simakov to Philippe Antoine

Thanks Alexey!

Actions
Copy link

Also available in: Atom PDF