Security #7229: detect: write to read-only memory in transforms

Added by Simen Lybekk over 1 year ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
Git IDs:

b58b886db755c60c9616af64808c9f0983849106

Severity:
CRITICAL
Disclosure Date:

Description

We've managed to trigger a segfault that seems very similar to Bug #4403 by creating a rule containing http.response_body; strip_whitespace; before any content match.

The segfault occurs during write to oi:
https://github.com/OISF/suricata/blob/suricata-7.0.6/src/detect-transform-strip-whitespace.c#L115

The recent state of oi is as follows:

(gdb) print oi
$1 = (uint8_t *) 0x7f4889ae3001 "" 
(gdb) print *(oi-1)
$5 = 0 '\000'
(gdb) print *(oi-2)
$6 = 207 '\317'
(gdb) print *(oi)
$7 = 0 '\000'

The output buffer is around 3 megabytes large, while buffer->inspect_len is several times that.
Regardless we're suddenly passing into read-only memory:

0x7f48898b4000->0x7f4889ae3000 at 0xf0d4a000: load194 ALLOC LOAD HAS_CONTENTS
0x7f4889ae3000->0x7f4889ae4000 at 0xf0f79000: load195 ALLOC LOAD READONLY HAS_CONTENTS

I'll update if we can find any more details. We are using a mix of libtcmalloc_minimal.so.4 and distro glibc across affected sensors. We do have some custom app layers and patches but nothing that introduces detect keywords, buffers, or changes memory allocation behavior.


Subtasks 1 (0 open, 1 closed)

Security #7306: detect: write to read-only memory in transforms (7.0.x backport) - Closed - Philippe Antoine

Related issues 1 (1 open, 0 closed)

Related to Suricata - Task #3195: tracking: rustify all input - Assigned - Victor Julien

Updated by Jason Ish over 1 year ago #1

  • Private changed from No to Yes

Updated by Philippe Antoine over 1 year ago #2

  • Status changed from New to In Review
  • Assignee changed from OISF Dev to Philippe Antoine
  • Target version changed from TBD to 8.0.0-beta1

https://github.com/OISF/suricata/pull/11861

@404d could you try this PR ?

Updated by Philippe Antoine over 1 year ago #4

  • Related to Task #3195: tracking: rustify all input added

Updated by Simen Lybekk over 1 year ago #5

Philippe Antoine wrote in #note-2:

could you try this PR ?

Sorry, I haven't been able to reproduce this since by deliberately reintroducing the rule change on a select sensor. As such I haven't been able to capture a reproducer yet either.

I can deploy the change in our lab though if that's good?

Updated by Simen Lybekk over 1 year ago #6

  • Subject changed from Buffer overread in TransformStripWhitespace from FiledataWithXformsGetDataCallback to Write to read-only memory in TransformStripWhitespace from FiledataWithXformsGetDataCallback

Updated by Philippe Antoine over 1 year ago #7

Would you know your stack size ?

The output buffer is around 3 megabytes large, while buffer->inspect_len is several times that.

How much is buffer->inspect_len exactly ?

Updated by Simen Lybekk over 1 year ago · Edited #8

Clarification, "The output buffer is around 3 megabytes large" at the time of the crash, i.e. offset into the buffer

Philippe Antoine wrote in #note-7:

Would you know your stack size ?

I think it's 2 MiB / 8 MiB

Philippe Antoine wrote in #note-7:

How much is buffer->inspect_len exactly ?

11819549, assuming I found the correct coredump for the previously given example.

Updated by Philippe Antoine over 1 year ago #9

11819549, assuming I found the correct coredump for the previously given example.

So 11819549 > 8 MiB, this is indeed a stack overflow, thanks for the report
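The diagnosis above (an output buffer sized from inspect_len that exceeds the thread stack) is the same pattern behind every transform listed later in this issue. As an added example, not Suricata's code and not the fix in the linked PRs, the following C shows the defensive shape for a strip_whitespace transform: a heap-backed output buffer with an explicit capacity reserved from the input length, and every write bounds-checked against that capacity, so the stack footprint never depends on the inspected data. The OutputBuffer type, the function names and the constructed inputs are assumptions made for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Heap-backed output buffer (hypothetical type for this example). Growing
 * it is a realloc, so a transform's memory use tracks the input size
 * without putting anything input-sized on the stack. */
typedef struct {
    uint8_t *data;
    size_t len;
    size_t cap;
} OutputBuffer;

void output_init(OutputBuffer *ob) { ob->data = NULL; ob->len = 0; ob->cap = 0; }
void output_free(OutputBuffer *ob) { free(ob->data); output_init(ob); }

/* Ensure at least `need` bytes of capacity. Returns false if the
 * allocation fails; the old contents stay valid in that case. */
bool output_reserve(OutputBuffer *ob, size_t need)
{
    if (need <= ob->cap)
        return true;
    size_t ncap = ob->cap ? ob->cap : 256;
    while (ncap < need) {
        if (ncap > SIZE_MAX / 2) { ncap = need; break; }
        ncap *= 2;
    }
    uint8_t *p = realloc(ob->data, ncap);
    if (p == NULL)
        return false;
    ob->data = p;
    ob->cap = ncap;
    return true;
}

/* strip_whitespace into a heap-backed buffer. Capacity is reserved up
 * front from inspect_len (this transform's output never exceeds its
 * input), and each write is still checked against cap, so any mismatch
 * becomes an error return instead of a write outside the buffer.
 * Returns false on allocation failure or capacity mismatch. */
bool transform_strip_whitespace(const uint8_t *input, size_t inspect_len,
                                OutputBuffer *ob)
{
    if (!output_reserve(ob, inspect_len))
        return false;
    size_t oi = 0;
    for (size_t i = 0; i < inspect_len; i++) {
        if (isspace(input[i]))
            continue;
        if (oi >= ob->cap)         /* defensive: never write past cap */
            return false;
        ob->data[oi++] = input[i];
    }
    ob->len = oi;
    return true;
}

/* Runs the transform on a constructed input of the exact inspect_len
 * reported in this thread (11819549 bytes, alternating 'x' and ' '),
 * which is larger than an 8 MiB thread stack. Returns the output length
 * (5909775 for this input) or SIZE_MAX on failure. */
size_t demo_large_input(void)
{
    const size_t n = 11819549;
    uint8_t *in = malloc(n);
    if (in == NULL)
        return SIZE_MAX;
    for (size_t i = 0; i < n; i++)
        in[i] = (i % 2 == 0) ? 'x' : ' ';

    OutputBuffer ob;
    output_init(&ob);
    size_t out = transform_strip_whitespace(in, n, &ob) ? ob.len : SIZE_MAX;
    output_free(&ob);
    free(in);
    return out;
}
```

The point of the two-layer check (reserve from inspect_len, then bounds-check each write) is that a transform whose output can grow relative to its input, or whose size estimate is wrong, fails closed with an error rather than corrupting whatever happens to sit next to the buffer.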

Updated by Victor Julien over 1 year ago #10

  • Label Needs backport to 7.0 added

Updated by OISF Ticketbot over 1 year ago #11

  • Subtask #7306 added

Updated by OISF Ticketbot over 1 year ago #12

  • Label deleted (Needs backport to 7.0)

Updated by Philippe Antoine over 1 year ago #13

  • Status changed from In Review to Resolved

Updated by Philippe Antoine over 1 year ago #14

  • Status changed from Resolved to Closed

Updated by Philippe Antoine over 1 year ago #15

https://github.com/OISF/suricata/pull/12147 was a follow up to complete previous PR

Updated by Victor Julien over 1 year ago #16

  • Severity changed from MODERATE to CRITICAL

Updated by Jason Ish over 1 year ago #17

Affected transforms include:

  • to_lowercase
  • to_uppercase
  • strip_whitespace
  • compress_whitespace
  • dotprefix
  • header_lowercase
  • strip_pseudo_headers
  • url_decode
  • xor

Updated by Juliana Fajardini Reichow over 1 year ago #18

  • Subject changed from Write to read-only memory in TransformStripWhitespace from FiledataWithXformsGetDataCallback to detect: write to read-only memory in transforms

Updated by Victor Julien over 1 year ago #20

  • Git IDs updated (diff)

Updated by Juliana Fajardini Reichow 9 months ago #21

  • Private changed from Yes to No