Bug #6389: pgsql: u16 overflow found by oss-fuzz w/ quadfuzz - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #6389

closed

pgsql: u16 overflow found by oss-fuzz w/ quadfuzz

Added by Juliana Fajardini Reichow 7 months ago. Updated 4 months ago.

Status:

Closed

Priority:

Normal

Assignee:

Juliana Fajardini Reichow

Target version:

8.0.0-beta1

Affected Versions:

Effort:

Difficulty:

Label:

Description

On https://github.com/OISF/suricata/blob/master/rust/src/pgsql/pgsql.rs#L85:

self.data_row_cnt += 1;

Reported by @Philippe Antoine

| thread '<unnamed>' panicked at 'attempt to add with overflow', src/pgsql/pgsql.rs:85:9 |
| --- |
|  | note: run with \`RUST\_BACKTRACE=1\` environment variable to display a backtrace |
|  | fatal runtime error: failed to initiate panic, error 5 |
|  | AddressSanitizer:DEADLYSIGNAL |
|  | \================================================================= |
|  | \==690==ERROR: AddressSanitizer: ABRT on unknown address 0x0539000002b2 (pc 0x7ad11f04e00b bp 0x7ffd0c7e5848 sp 0x7ffd0c7e53d0 T0) |
|  | SCARINESS: 10 (signal) |
|  | #0 0x7ad11f04e00b in raise /build/glibc-SzIz7B/glibc-2.31/sysdeps/unix/sysv/linux/raise.c:51:1 |
|  | #1 0x7ad11f02d858 in abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:79:7 |
|  | #2 0x31cd586 in std::sys::unix::abort\_internal::h3063ccb109bab462 /rustc/1459b3128e288a85fcc4dd1fee7ada2cdcf28794/library/std/src/sys/unix/mod.rs:350:14 |
|  | #3 0x31c20f1 in rust\_panic /rustc/1459b3128e288a85fcc4dd1fee7ada2cdcf28794/library/std/src/panicking.rs:746:5 |
|  | #4 0x31c1ee9 in std::panicking::rust\_panic\_with\_hook::h34c77a71befec972 /rustc/1459b3128e288a85fcc4dd1fee7ada2cdcf28794/library/std/src/panicking.rs:714:5 |
|  | #5 0x31c1be1 in std::panicking::begin\_panic\_handler::\_$u7b$$u7b$closure$u7d$$u7d$::hb5ae8193b4163d8b /rustc/1459b3128e288a85fcc4dd1fee7ada2cdcf28794/library/std/src/panicking.rs:581:13 |
|  | #6 0x31beff5 in std::sys\_common::backtrace::\_\_rust\_end\_short\_backtrace::h53bbfcb82ab0fc3b /rustc/1459b3128e288a85fcc4dd1fee7ada2cdcf28794/library/std/src/sys\_common/backtrace.rs:150:18 |
|  | #7 0x31c1931 in rust\_begin\_unwind /rustc/1459b3128e288a85fcc4dd1fee7ada2cdcf28794/library/std/src/panicking.rs:579:5 |
|  | #8 0x5c10c2 in core::panicking::panic\_fmt::h712e519910af2aa1 /rustc/1459b3128e288a85fcc4dd1fee7ada2cdcf28794/library/core/src/panicking.rs:64:14 |
|  | #9 0x5c115c in core::panicking::panic::h7c5f6c047dc85cd8 /rustc/1459b3128e288a85fcc4dd1fee7ada2cdcf28794/library/core/src/panicking.rs:114:5 |
|  | #10 0x1662455 in suricata::pgsql::pgsql::PgsqlTransaction::incr\_row\_cnt::h5ee19e256060baaa [suricata/rust/src/pgsql/pgsql.rs:85](https://github.com/OISF/suricata/blob/1a132f454a64f699118dafcdfccb0687317b435e/rust/src/pgsql/pgsql.rs#L85):9 |
|  | #11 0x1662455 in suricata::pgsql::pgsql::PgsqlState::parse\_response::h7b243344c9c5e025 [suricata/rust/src/pgsql/pgsql.rs:474](https://github.com/OISF/suricata/blob/1a132f454a64f699118dafcdfccb0687317b435e/rust/src/pgsql/pgsql.rs#L474):29 |
|  | #12 0x1664e91 in rs\_pgsql\_parse\_response [suricata/rust/src/pgsql/pgsql.rs:657](https://github.com/OISF/suricata/blob/1a132f454a64f699118dafcdfccb0687317b435e/rust/src/pgsql/pgsql.rs#L657):16 |
|  | #13 0x715e06 in AppLayerParserParse [suricata/src/app-layer-parser.c:1403](https://github.com/OISF/suricata/blob/1a132f454a64f699118dafcdfccb0687317b435e/src/app-layer-parser.c#L1403):30 |
|  | #14 0x70fe36 in LLVMFuzzerTestOneInput [suricata/src/tests/fuzz/fuzz\_applayerparserparse.c:204](https://github.com/OISF/suricata/blob/1a132f454a64f699118dafcdfccb0687317b435e/src/tests/fuzz/fuzz_applayerparserparse.c#L204):16 |

Files

clusterfuzz-testcase-minimized-fuzz_applayerparserparse_pgsql-5028837559500800 (705 KB) clusterfuzz-testcase-minimized-fuzz_applayerparserparse_pgsql-5028837559500800

Juliana Fajardini Reichow, 10/09/2023 07:13 PM

Subtasks 1 (0 open — 1 closed)