Security #7229
Closed
detect: write to read-only memory in transforms
b58b886db755c60c9616af64808c9f0983849106
Description
We've managed to trigger a segfault that seems very similar to Bug #4403 by creating a rule containing http.response_body; strip_whitespace; before any content match.
The segfault occurs during the write to oi:
https://github.com/OISF/suricata/blob/suricata-7.0.6/src/detect-transform-strip-whitespace.c#L115
The recent state of oi is as follows:
(gdb) print oi
$1 = (uint8_t *) 0x7f4889ae3001 ""
(gdb) print *(oi-1)
$5 = 0 '\000'
(gdb) print *(oi-2)
$6 = 207 '\317'
(gdb) print *(oi)
$7 = 0 '\000'
The output buffer is around 3 megabytes large, while buffer->inspect_len is several times that.
Regardless, we're suddenly passing into read-only memory:
0x7f48898b4000->0x7f4889ae3000 at 0xf0d4a000: load194 ALLOC LOAD HAS_CONTENTS
0x7f4889ae3000->0x7f4889ae4000 at 0xf0f79000: load195 ALLOC LOAD READONLY HAS_CONTENTS
I'll update if we can find any more details. We are using a mix of libtcmalloc_minimal.so.4 and distro glibc across affected sensors. We do have some custom app layers and patches, but nothing that introduces detect keywords, buffers, or changes memory allocation behavior.
Updated by Philippe Antoine 9 months ago
- Status changed from New to In Review
- Assignee changed from OISF Dev to Philippe Antoine
- Target version changed from TBD to 8.0.0-beta1
https://github.com/OISF/suricata/pull/11861
@Simen Lybekk could you try this PR?
Updated by Philippe Antoine 9 months ago
- Related to Task #3195: tracking: rustify all input added
Updated by Simen Lybekk 9 months ago
Philippe Antoine wrote in #note-2:
could you try this PR?
Sorry, I haven't been able to reproduce this since by deliberately reintroducing the rule change on a select sensor. As such I haven't been able to capture a reproducer yet either.
I can deploy the change in our lab though if that's good?
Updated by Simen Lybekk 9 months ago
- Subject changed from Buffer overread in TransformStripWhitespace from FiledataWithXformsGetDataCallback to Write to read-only memory in TransformStripWhitespace from FiledataWithXformsGetDataCallback
Updated by Philippe Antoine 9 months ago
Would you know your stack size?
The output buffer is around 3 megabytes large, while buffer->inspect_len is several times that.
How much is buffer->inspect_len exactly ?
Updated by Simen Lybekk 9 months ago · Edited
Clarification: "The output buffer is around 3 megabytes large" at the time of the crash, i.e. the offset into the buffer.
Philippe Antoine wrote in #note-7:
Would you know your stack size?
I think it's 2 MiB / 8 MiB
Philippe Antoine wrote in #note-7:
How much is buffer->inspect_len exactly ?
11819549, assuming I found the correct coredump for the previously given example.
Updated by Philippe Antoine 9 months ago
11819549, assuming I found the correct coredump for the previously given example.
So 11819549 > 8 MiB, this is indeed a stack overflow, thanks for the report
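The mechanism agreed on above (an inspect_len of 11819549 bytes against an 8 MiB stack) is easy to misread as a classic overflow of a fixed buffer, so the following added example models it in isolation. It is not Suricata code and not from any participant; it assumes, as the thread implies but does not quote, that the pre-fix transform placed its output buffer on the stack as a variable-length array sized by the input length. STACK_LIMIT_BYTES, strip_ws_into, strip_ws_stack_vla, vla_exceeds_stack, strip_ws_heap and kept_after_strip_padded_body are all names chosen for this illustration; the sample bodies are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed thread stack limit (Linux `ulimit -s` is commonly 8 MiB; the
 * reporter gave "2 MiB / 8 MiB" for the affected sensors). */
#define STACK_LIMIT_BYTES ((size_t)8u * 1024u * 1024u)

/* Shared copy loop: drop isspace() bytes, return bytes written. The output
 * can only shrink, so an output buffer of in_len bytes is always enough. */
static size_t strip_ws_into(uint8_t *out, const uint8_t *in, size_t in_len)
{
    size_t n = 0;
    for (size_t i = 0; i < in_len; i++) {
        if (!isspace(in[i]))
            out[n++] = in[i];
    }
    return n;
}

/* VULNERABLE PATTERN (assumed shape of the pre-fix transform): a
 * variable-length array sized by the untrusted inspect_len. When in_len
 * exceeds the remaining stack, the array's base lands far below the stack
 * mapping in whatever happens to be mapped there, and the copy loop writes
 * upward until it meets a non-writable page (a READONLY mapping in the
 * report). Kept for contrast only; callers must keep in_len small. */
static size_t strip_ws_stack_vla(const uint8_t *in, size_t in_len, uint8_t *dst)
{
    if (in_len == 0)
        return 0;
    uint8_t output[in_len];            /* the dangerous allocation */
    size_t n = strip_ws_into(output, in, in_len);
    memcpy(dst, output, n);
    return n;
}

/* Review-time triage for any stack VLA: can this length alone exhaust the
 * thread stack? 11819549 (the inspect_len from the core) vs 8 MiB -> true. */
bool vla_exceeds_stack(size_t requested, size_t stack_limit)
{
    return requested >= stack_limit;
}

/* HARDENED form: heap-allocate exactly in_len bytes (output cannot exceed
 * input) and hand ownership to the caller. Returns NULL with *out_len = 0
 * for empty input or allocation failure. */
uint8_t *strip_ws_heap(const uint8_t *in, size_t in_len, size_t *out_len)
{
    *out_len = 0;
    if (in_len == 0)
        return NULL;
    uint8_t *output = malloc(in_len);
    if (output == NULL)
        return NULL;
    *out_len = strip_ws_into(output, in, in_len);
    return output;
}

/* Constructed input for the demo: `len` bytes of whitespace with a single
 * 'x' at the end, stripped via the heap path. Returns the number of bytes
 * kept (1 for any len >= 1, 0 for len 0), or SIZE_MAX on allocation failure. */
size_t kept_after_strip_padded_body(size_t len)
{
    if (len == 0)
        return 0;
    uint8_t *body = malloc(len);
    if (body == NULL)
        return SIZE_MAX;
    memset(body, ' ', len);
    body[len - 1] = 'x';
    size_t n;
    uint8_t *out = strip_ws_heap(body, len, &n);
    free(body);
    if (out == NULL)
        return SIZE_MAX;
    free(out);
    return n;
}

int main(void)
{
    const size_t inspect_len = 11819549;   /* value from the core dump */
    printf("VLA of %zu bytes vs %zu-byte stack: %s\n", inspect_len, STACK_LIMIT_BYTES,
           vla_exceeds_stack(inspect_len, STACK_LIMIT_BYTES) ? "overflow" : "fits");
    size_t kept = kept_after_strip_padded_body(inspect_len);
    printf("heap strip_whitespace over %zu bytes kept %zu byte(s)\n", inspect_len, kept);
    return kept == 1 ? 0 : 1;
}
```

The point of the contrast is that the size check in vla_exceeds_stack is not something the transform can do reliably (the remaining stack depends on the call depth), which is why moving the buffer off the stack, rather than bounding the VLA, is the durable fix.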
Updated by Philippe Antoine 8 months ago
- Status changed from In Review to Resolved
Updated by Philippe Antoine 8 months ago
- Status changed from Resolved to Closed
Updated by Philippe Antoine 8 months ago
https://github.com/OISF/suricata/pull/12147 was a follow up to complete previous PR
Updated by Victor Julien 7 months ago
- Severity changed from MODERATE to CRITICAL
Updated by Juliana Fajardini Reichow 7 months ago
- Subject changed from Write to read-only memory in TransformStripWhitespace from FiledataWithXformsGetDataCallback to detect: write to read-only memory in transforms
Updated by Juliana Fajardini Reichow 7 months ago
- CVE set to 2024-55605