Bug #6865

BUG_ON triggered from AdjustToAcked

Added by Ivan Kapranov 9 months ago. Updated 9 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hello there! I found a failed assertion in the AdjustToAcked function during fuzz testing with sydr-fuzz.

Example of trace:

INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1892362162
./src/fuzz_predefpcap_aware: Running 1 inputs 1 time(s) each.
Running: /fuzz/fuzz_predefpcap_aware-afl++-out/crashes/crash-7eeb77a587ea16a678ecc9875676db1f8a77514a
fuzz_predefpcap_aware: stream-tcp-reassemble.c:1199: uint32_t AdjustToAcked(const Packet *, const TcpSession *, const TcpStream *, const uint64_t, const uint32_t): Assertion `!((app_progress > last_ack_abs))' failed.
==158020== ERROR: libFuzzer: deadly signal
    #0 0x54b3f4 in __sanitizer_print_stack_trace /llvm-project-llvmorg-14.0.6/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:31:3
    #1 0x5220a7 in fuzzer::PrintStackTrace() /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
    #2 0x508223 in fuzzer::Fuzzer::CrashCallback() /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:3
    #3 0x7ffff7c0941f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 0c044ba611aeeeaebb8374e660061f341ebc0bac)
    #4 0x7ffff79eb00a in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4300a) (BuildId: eebe5d5f4b608b8a53ec446b63981bba373ca0ca)
    #5 0x7ffff79ca858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x22858) (BuildId: eebe5d5f4b608b8a53ec446b63981bba373ca0ca)
    #6 0x7ffff79ca728  (/lib/x86_64-linux-gnu/libc.so.6+0x22728) (BuildId: eebe5d5f4b608b8a53ec446b63981bba373ca0ca)
    #7 0x7ffff79dbfd5 in __assert_fail (/lib/x86_64-linux-gnu/libc.so.6+0x33fd5) (BuildId: eebe5d5f4b608b8a53ec446b63981bba373ca0ca)
    #8 0x5acbaa in AdjustToAcked /root/suricata/src/stream-tcp-reassemble.c:1199:13
    #9 0x5acbaa in ReassembleUpdateAppLayer /root/suricata/src/stream-tcp-reassemble.c:1248:22
    #10 0x5acbaa in StreamTcpReassembleAppLayer /root/suricata/src/stream-tcp-reassemble.c:1389:12
    #11 0x5ad656 in StreamTcpReassembleHandleSegment /root/suricata/src/stream-tcp-reassemble.c:2053:13
    #12 0x5a2316 in StreamTcpStateDispatch /root/suricata/src/stream-tcp.c
    #13 0x5a0889 in StreamTcpPacket /root/suricata/src/stream-tcp.c:5433:13
    #14 0x5a60ec in StreamTcp /root/suricata/src/stream-tcp.c:5745:11
    #15 0x57e62c in FlowWorkerStreamTCPUpdate /root/suricata/src/flow-worker.c:371:5
    #16 0x57ddc2 in FlowWorker /root/suricata/src/flow-worker.c:587:13
    #17 0x54cf62 in LLVMFuzzerTestOneInput /root/suricata/src/tests/fuzz/fuzz_predefpcap_aware.c:140:13
    #18 0x509761 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #19 0x4f361c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #20 0x4f939b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #21 0x5229e2 in main /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #22 0x7ffff79cc082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: eebe5d5f4b608b8a53ec446b63981bba373ca0ca)
    #23 0x4edebd in _start (/root/suricata/src/fuzz_predefpcap_aware+0x4edebd)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal

Build info:

This is Suricata version 8.0.0-dev (ff8597d50 2024-03-16)
Features: DEBUG_VALIDATION PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST POPCNT64 
SIMD support: SSE_2 
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version Clang 14.0.6, C version 201112
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.46, linked against LibHTP v0.5.46

Suricata Configuration:
  AF_PACKET support:                       yes
  AF_XDP support:                          no
  DPDK support:                            no
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no 
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  PCRE jit:                                yes
  LUA support:                             no
  libluajit:                               no
  GeoIP2 support:                          no
  Non-bundled htp:                         no
  Hyperscan support:                       no
  Libnet support:                          yes
  liblz4 support:                          no
  Landlock support:                        no

  Rust support:                            yes
  Rust strict mode:                        no
  Rust compiler path:                      /root/.cargo/bin/rustc
  Rust compiler version:                   rustc 1.76.0 (07dca489a 2024-02-04)
  Cargo path:                              /root/.cargo/bin/cargo
  Cargo version:                           cargo 1.76.0 (c84b36747 2024-01-18)

  Python support:                          yes
  Python path:                             /usr/bin/python3
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 no, not bundled

  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Profiling rules enabled:                 no

  Plugin support (experimental):           yes
  DPDK Bond PMD:                           no

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                yes
  Fuzz targets enabled:                    yes

Generic build parameters:
  Installation prefix:                     /usr/local
  Configuration directory:                 /usr/local/etc/suricata/
  Log directory:                           /usr/local/var/log/suricata/

  --prefix                                 /usr/local
  --sysconfdir                             /usr/local/etc
  --localstatedir                          /usr/local/var
  --datarootdir                            /usr/local/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                clang (exec name) / clang++ (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                no
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -fPIC -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS                               
  SECCFLAGS                                


#1

Updated by Victor Julien 9 months ago

  • Target version changed from 7.0.3 to 8.0.0-beta1

This assertion is only present in debug validation mode, so considering it a bug but not a sec issue.

#2

Updated by Victor Julien 9 months ago

Is it possible to turn the crash input into a pcap?
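The question above asks for the libFuzzer crash file as a pcap so the trace can be replayed outside the fuzzer. The script below is an added example for doing that conversion; it is not part of this report and not Suricata's own tooling. The page does not state the exact input layout that fuzz_predefpcap_aware expects, so the script assumes two cases: if the crash file already starts with a pcap or pcapng magic number it is written out unchanged, otherwise its bytes are treated as one raw Ethernet frame and wrapped in a freshly built libpcap file. The sample frame at the bottom is constructed for illustration.

```python
"""
Convert a libFuzzer crash input into a libpcap file (added example, not Suricata code).

Assumptions not stated on the page:
  * a crash file that begins with a pcap/pcapng magic is already a capture and is
    passed through unchanged;
  * any other crash file is treated as a single raw Ethernet frame and wrapped in
    a little-endian, microsecond-resolution pcap with LINKTYPE_ETHERNET.
"""
import struct
import sys

PCAP_MAGIC_US = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # pcap variant with nanosecond timestamps
PCAPNG_MAGIC = 0x0A0D0D0A    # pcapng Section Header Block type (byte-order independent)
LINKTYPE_ETHERNET = 1
PCAP_GLOBAL_HEADER_LEN = 24
PCAP_RECORD_HEADER_LEN = 16


def detect_capture_format(data: bytes):
    """Return 'pcap', 'pcapng' or None based on the first four bytes, either byte order."""
    if len(data) < 4:
        return None
    for fmt in ("<I", ">I"):
        (value,) = struct.unpack(fmt, data[:4])
        if value in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            return "pcap"
        if value == PCAPNG_MAGIC:
            return "pcapng"
    return None


def build_pcap(frames, linktype=LINKTYPE_ETHERNET) -> bytes:
    """Build a little-endian pcap file with one record per raw frame."""
    # magic, version 2.4, thiszone=0, sigfigs=0, snaplen=65535, linktype
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, linktype))
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, incl_len, orig_len (constructed timestamps, 1 s apart)
        out += struct.pack("<IIII", i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def crash_to_pcap(data: bytes) -> bytes:
    """Pass a capture through unchanged; wrap anything else as one Ethernet frame."""
    if detect_capture_format(data) is not None:
        return data
    return build_pcap([data])


def parse_pcap_frames(data: bytes):
    """Minimal reader for the files build_pcap() writes; returns the raw frames."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC_US:
        raise ValueError("only little-endian microsecond pcap is handled here")
    frames = []
    off = PCAP_GLOBAL_HEADER_LEN
    while off + PCAP_RECORD_HEADER_LEN <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + PCAP_RECORD_HEADER_LEN])
        off += PCAP_RECORD_HEADER_LEN
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


# Constructed sample: broadcast Ethernet header, IPv4 ethertype, 20 zeroed bytes of "payload".
CONSTRUCTED_CRASH_INPUT = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"\x45" + b"\x00" * 19


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: crash_to_pcap.py <crash-file> <out.pcap>")
    with open(sys.argv[1], "rb") as f:
        raw = f.read()
    kind = detect_capture_format(raw)
    with open(sys.argv[2], "wb") as f:
        f.write(crash_to_pcap(raw))
    print("input was already %s, written unchanged" % kind if kind else
          "wrapped %d raw bytes as one Ethernet frame" % len(raw))
```

If the fuzz target prefixes the pcap with rules or other data, the pass-through branch will not trigger and the wrapped output will be a single bogus frame; check the target's source for the input layout before trusting the result, and replay the pcap with a debug-validation build so the same BUG_ON fires.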
