Project

General

Profile

Actions

Security #7029

closed

http/range: segv when http.memcap is reached

Added by Victor Julien 6 months ago. Updated 5 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
Git IDs:
Severity:
HIGH
Disclosure Date:
05/16/2024

Description

Test with app-layer.protocols.http.memcap of 1MiB.

Starting program: /home/victor/dev/suricata/src/suricata -c suricata.yaml -l tmp/ --disable-detection -r /pcap81/alexatop25k.pcap -v --runmode=single
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Notice: suricata: This is Suricata version 8.0.0-dev (806052d76 2024-05-14) running in USER mode [LogVersion:suricata.c:1164]
Info: cpu: CPUs/cores online: 56 [UtilCpuPrintSummary:util-cpu.c:149]
Info: suricata: Setting engine mode to IDS mode by default [PostConfLoadedSetup:suricata.c:2706]
Info: exception-policy: master exception-policy set to: auto [ExceptionPolicyMasterParse:util-exception-policy.c:201]
Info: app-layer-htp-mem: HTTP memcap: 1048576 [HTPParseMemcap:app-layer-htp-mem.c:61]
Info: app-layer-ftp: FTP memcap: 1048576 [FTPParseMemcap:app-layer-ftp.c:129]
Info: logopenfile: fast output device (regular) initialized: fast.log [SCConfLogOpenGeneric:util-logopenfile.c:617]
Info: logopenfile: eve-log output device (regular) initialized: eve.json [SCConfLogOpenGeneric:util-logopenfile.c:617]
Info: logopenfile: stats output device (regular) initialized: stats.log [SCConfLogOpenGeneric:util-logopenfile.c:617]
[New Thread 0x7fffe331e640 (LWP 283534)]
[New Thread 0x7fffe2b1d640 (LWP 283535)]
[New Thread 0x7fffe231c640 (LWP 283536)]
[New Thread 0x7fffe1b1b640 (LWP 283537)]
[New Thread 0x7fffe131a640 (LWP 283538)]
Warning: suricata: "security.limit-noproc" (setrlimit()) not set when using address sanitizer [SuricataPostInit:suricata.c:3032]
Info: pcap: Starting file run for /pcap81/alexatop25k.pcap [ReceivePcapFileLoop:source-pcap-file.c:180]
Notice: threads: Threads created -> W: 1 FM: 1 FR: 1   Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1899]
Info: checksum: Less than 1/10th of packets have an invalid checksum, assuming checksum offloading is NOT used (2/1000) [ChecksumAutoModeCheck:util-checksum.c:84]

Thread 2 "W#01" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe331e640 (LWP 283534)]
0x0000000000685596 in HttpRangeAppendData (sbcfg=0x1485100 <htp_sbcfg>, c=0x0, data=0x626000468281 "\263w\313K\256V\254\266\060\272˹$\246\324/\322\001ϣ\t\201", len=5455) at app-layer-htp-range.c:403
403         if (c->toskip >= len) {
(gdb) bt
#0  0x0000000000685596 in HttpRangeAppendData (sbcfg=0x1485100 <htp_sbcfg>, c=0x0, data=0x626000468281 "\263w\313K\256V\254\266\060\272˹$\246\324/\322\001ϣ\t\201", len=5455) at app-layer-htp-range.c:403
#1  0x0000000000685516 in HttpRangeOpenFile (c=0x60d000060d28, start=49152, end=769328, total=769329, sbcfg=0x1485100 <htp_sbcfg>, name=0x6040000d98a8 "/225/VBWdPROS6P/clip.mp4\003\021", name_len=24, flags=598, 
    data=0x626000468281 "\263w\313K\256V\254\266\060\272˹$\246\324/\322\001ϣ\t\201", len=5455) at app-layer-htp-range.c:354
#2  0x0000000000684a9f in HttpRangeContainerOpenFile (key=0x604000621090 "image4.vod.pornhd.com/225/VBWdPROS6P/clip.mp4", keylen=45, f=0x6120003ce8c0, crparsed=0x7fffe33179a0, sbcfg=0x1485100 <htp_sbcfg>, name=0x6040000d98a8 "/225/VBWdPROS6P/clip.mp4\003\021", name_len=24, 
    flags=598, data=0x626000468281 "\263w\313K\256V\254\266\060\272˹$\246\324/\322\001ϣ\t\201", data_len=5455) at app-layer-htp-range.c:372
#3  0x000000000067ac44 in HTPFileOpenWithRange (s=0x60b000255c10, txud=0x6110000c2140, filename=0x6040000d98a8 "/225/VBWdPROS6P/clip.mp4\003\021", filename_len=24, data=0x626000468281 "\263w\313K\256V\254\266\060\272˹$\246\324/\322\001ϣ\t\201", data_len=5455, tx=0x614000329e40, 
    rawvalue=0x6060005d43a0, htud=0x6110000c2140) at app-layer-htp-file.c:197
#4  0x0000000000677cd7 in HtpResponseBodyHandle (hstate=0x60b000255c10, htud=0x6110000c2140, tx=0x614000329e40, data=0x626000468281 "\263w\313K\256V\254\266\060\272˹$\246\324/\322\001ϣ\t\201", data_len=5455) at app-layer-htp.c:1825
#5  0x0000000000670110 in HTPCallbackResponseBodyData (d=0x7fffe3318220) at app-layer-htp.c:2049
#6  0x00000000010c87db in htp_hook_run_all (hook=0x602000099130, user_data=0x7fffe3318220, user_data@entry=0x7fffe3318280) at htp_hooks.c:127
#7  0x00000000010ef93f in htp_res_run_hook_body_data (connp=<optimized out>, d=d@entry=0x7fffe3318220) at htp_util.c:2358
#8  0x00000000010e0a90 in htp_tx_res_process_body_data_ex (tx=0x614000329e40, data=<optimized out>, len=<optimized out>) at htp_transaction.c:1005
#9  0x00000000010d8cd7 in htp_connp_RES_BODY_IDENTITY_CL_KNOWN (connp=0x614000370240) at htp_response.c:490
#10 0x00000000010dbb83 in htp_connp_res_data (connp=0x614000370240, timestamp=<optimized out>, data=<optimized out>, len=<optimized out>) at htp_response.c:1344
#11 0x000000000066c95c in HTPHandleResponseData (f=0x6120003ce8c0, htp_state=0x60b000255c10, pstate=0x6060000396e0, stream_slice=..., local_data=0x0) at app-layer-htp.c:973
#12 0x0000000000690723 in AppLayerParserParse (tv=0x6120003f2440, alp_tctx=0x61900013c980, f=0x6120003ce8c0, alproto=1, flags=8 '\b', 
    input=0x626000468100 "HTTP/1.1 206 Partial Content\r\nServer: nginx/1.6.2\r\nDate: Wed, 23 Sep 2015 00:08:24 GMT\r\nContent-Type: video/mp4\r\nContent-Length: 720177\r\nLast-Modified: Tue, 15 Sep 2015 18:22:57 GMT\r\nConnection: keep-"..., input_len=5840)
    at app-layer-parser.c:1382
#13 0x0000000000638820 in AppLayerHandleTCPData (tv=0x6120003f2440, ra_ctx=0x604000147910, p=0x61d0002ee080, f=0x6120003ce8c0, ssn=0x61200061fcc0, stream=0x7fffe3319840, 
    data=0x626000468100 "HTTP/1.1 206 Partial Content\r\nServer: nginx/1.6.2\r\nDate: Wed, 23 Sep 2015 00:08:24 GMT\r\nContent-Type: video/mp4\r\nContent-Length: 720177\r\nLast-Modified: Tue, 15 Sep 2015 18:22:57 GMT\r\nConnection: keep-"..., data_len=5840, flags=8 '\b', 
    dir=UPDATE_DIR_OPPOSING) at app-layer.c:839
#14 0x0000000000a962c8 in ReassembleUpdateAppLayer (tv=0x6120003f2440, ra_ctx=0x604000147910, ssn=0x61200061fcc0, stream=0x7fffe3319840, p=0x61d0002ee080, dir=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1324
#15 0x0000000000a941f7 in StreamTcpReassembleAppLayer (tv=0x6120003f2440, ra_ctx=0x604000147910, ssn=0x61200061fcc0, stream=0x61200061fcd0, p=0x61d0002ee080, dir=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1387
#16 0x0000000000a9b4ab in StreamTcpReassembleHandleSegmentUpdateACK (tv=0x6120003f2440, ra_ctx=0x604000147910, ssn=0x61200061fcc0, stream=0x61200061fcd0, p=0x61d0002ee080) at stream-tcp-reassemble.c:1946
#17 0x0000000000a9aebd in StreamTcpReassembleHandleSegment (tv=0x6120003f2440, ra_ctx=0x604000147910, ssn=0x61200061fcc0, stream=0x61200061fd58, p=0x61d0002ee080) at stream-tcp-reassemble.c:2004
#18 0x0000000000a6db6f in HandleEstablishedPacketToServer (tv=0x6120003f2440, ssn=0x61200061fcc0, p=0x61d0002ee080, stt=0x60700007ac80) at stream-tcp.c:2834
#19 0x0000000000a43d0b in StreamTcpPacketStateEstablished (tv=0x6120003f2440, p=0x61d0002ee080, stt=0x60700007ac80, ssn=0x61200061fcc0) at stream-tcp.c:3383
#20 0x0000000000a29c77 in StreamTcpStateDispatch (tv=0x6120003f2440, p=0x61d0002ee080, stt=0x60700007ac80, ssn=0x61200061fcc0, state=4 '\004') at stream-tcp.c:5420
#21 0x0000000000a1fa9f in StreamTcpPacket (tv=0x6120003f2440, p=0x61d0002ee080, stt=0x60700007ac80, pq=0x61000001f170) at stream-tcp.c:5618
#22 0x0000000000a2ac2d in StreamTcp (tv=0x6120003f2440, p=0x61d0002ee080, data=0x60700007ac80, pq=0x61000001f170) at stream-tcp.c:5934
#23 0x000000000090b335 in FlowWorkerStreamTCPUpdate (tv=0x6120003f2440, fw=0x61000001f140, p=0x61d0002ee080, detect_thread=0x0, timeout=false) at flow-worker.c:371
#24 0x0000000000909745 in FlowWorker (tv=0x6120003f2440, p=0x61d0002ee080, data=0x61000001f140) at flow-worker.c:599
#25 0x00000000005ca9fd in TmThreadsSlotVarRun (tv=0x6120003f2440, p=0x61d0002ee080, slot=0x6060000aa8a0) at tm-threads.c:135
#26 0x0000000000a1abe3 in TmThreadsSlotProcessPkt (tv=0x6120003f2440, s=0x6060000aa8a0, p=0x61d0002ee080) at ./tm-threads.h:200
#27 0x0000000000a19bfc in PcapFileCallbackLoop (user=0x60700007ac10 "P\261\b", h=0x7fffe331b980, pkt=0x62a00002a21c "\b") at source-pcap-file-helper.c:108
#28 0x00007ffff73dec54 in ?? () from /lib/x86_64-linux-gnu/libpcap.so.0.8
#29 0x0000000000a18ae2 in PcapFileDispatch (ptv=0x60700007ac10) at source-pcap-file-helper.c:153
#30 0x0000000000a1370d in ReceivePcapFileLoop (tv=0x6120003f2440, data=0x60b00012f1e0, slot=0x6060000aa5a0) at source-pcap-file.c:181
#31 0x00000000005d7498 in TmThreadsSlotPktAcqLoop (td=0x6120003f2440) at tm-threads.c:318
#32 0x00007ffff6894ac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#33 0x00007ffff6926850 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
(gdb) f 1
#1  0x0000000000685516 in HttpRangeOpenFile (c=0x60d000060d28, start=49152, end=769328, total=769329, sbcfg=0x1485100 <htp_sbcfg>, name=0x6040000d98a8 "/225/VBWdPROS6P/clip.mp4\003\021", name_len=24, flags=598, 
    data=0x626000468281 "\263w\313K\256V\254\266\060\272˹$\246\324/\322\001ϣ\t\201", len=5455) at app-layer-htp-range.c:354
354         if (HttpRangeAppendData(sbcfg, r, data, len) < 0) {
(gdb) l
349             uint64_t end, uint64_t total, const StreamingBufferConfig *sbcfg, const uint8_t *name,
350             uint16_t name_len, uint16_t flags, const uint8_t *data, uint32_t len)
351     {
352         HttpRangeContainerBlock *r =
353                 HttpRangeOpenFileAux(c, start, end, total, sbcfg, name, name_len, flags);
354         if (HttpRangeAppendData(sbcfg, r, data, len) < 0) {
355             SCLogDebug("Failed to append data while opening");
356         }
357         return r;
358     }
(gdb) p r
$1 = (HttpRangeContainerBlock *) 0x0
(gdb)

Subtasks 1 (0 open1 closed)

Security #7033: http/range: segv when http.memcap is reached (7.0.x backport)ClosedPhilippe AntoineActions
Actions #1

Updated by Victor Julien 6 months ago

  • Description updated (diff)
Actions #2

Updated by Philippe Antoine 6 months ago

  • Status changed from Assigned to In Review
Actions #3

Updated by Philippe Antoine 6 months ago

  • Tracker changed from Bug to Security
  • Severity set to MODERATE
  • Disclosure Date set to 05/16/2024
  • Label Needs backport to 7.0 added
Actions #4

Updated by OISF Ticketbot 6 months ago

  • Subtask #7033 added
Actions #5

Updated by OISF Ticketbot 6 months ago

  • Label deleted (Needs backport to 7.0)
Actions #6

Updated by Philippe Antoine 6 months ago

  • Status changed from In Review to Resolved
Actions #7

Updated by Philippe Antoine 6 months ago

  • Status changed from Resolved to Closed
Actions #8

Updated by Victor Julien 5 months ago

  • Severity changed from MODERATE to CRITICAL
Actions #9

Updated by Victor Julien 5 months ago

Does not affect 6.0.x.

Actions #10

Updated by Victor Julien 5 months ago

  • Severity changed from CRITICAL to HIGH

HIGH as http.memcap is disabled by default.

Actions #12

Updated by Juliana Fajardini Reichow 5 months ago

  • CVE set to 2024-38536
Actions #13

Updated by Victor Julien 5 months ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF