Security #7229

closed

detect: write to read-only memory in transforms

Added by Simen Lybekk 11 months ago. Updated 4 days ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Label:
Git IDs: b58b886db755c60c9616af64808c9f0983849106
Severity: CRITICAL
Disclosure Date:

Description

We've managed to trigger a segfault that seems very similar to Bug #4403 by creating a rule containing http.response_body; strip_whitespace; before any content match.

The segfault occurs during write to oi:
https://github.com/OISF/suricata/blob/suricata-7.0.6/src/detect-transform-strip-whitespace.c#L115

The recent state of oi is as follows:

(gdb) print oi
$1 = (uint8_t *) 0x7f4889ae3001 ""
(gdb) print *(oi-1)
$5 = 0 '\000'
(gdb) print *(oi-2)
$6 = 207 '\317'
(gdb) print *(oi)
$7 = 0 '\000'

The output buffer is around 3 megabytes large, while buffer->inspect_len is several times that.
Regardless we're suddenly passing into read-only memory:

0x7f48898b4000->0x7f4889ae3000 at 0xf0d4a000: load194 ALLOC LOAD HAS_CONTENTS
0x7f4889ae3000->0x7f4889ae4000 at 0xf0f79000: load195 ALLOC LOAD READONLY HAS_CONTENTS

I'll update if we can find any more details. We are using a mix of libtcmalloc_minimal.so.4 and distro glibc across affected sensors. We do have some custom app layers and patches but nothing that introduces detect keywords, buffers, or changes memory allocation behavior.
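The report above describes a write that runs past an output buffer sized from buffer->inspect_len and lands in a read-only mapping; later comments in this ticket conclude the buffer was on the stack and inspect_len exceeded the stack size. As an added illustration that is not Suricata's code and not part of this report, the following hypothetical C transform shows the defensive shape: the output buffer is heap-allocated and bounded by input length and a fixed ceiling, so its size never depends on stack space, and a small helper makes the stack-budget comparison from the thread explicit. XFORM_MAX_INPUT, xform_strip_whitespace and xform_vla_exceeds_stack are constructed names for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed ceiling on transform input for this example (not a Suricata
 * setting): input beyond this is truncated instead of driving allocation size. */
#define XFORM_MAX_INPUT (16u * 1024u * 1024u)

/* Returns 1 if a variable-length stack array of input_len bytes could not fit
 * in a stack of stack_bytes; used here only to make the size check explicit. */
int xform_vla_exceeds_stack(size_t input_len, size_t stack_bytes)
{
    return input_len >= stack_bytes;
}

/* Hypothetical strip-whitespace transform. The output buffer lives on the heap
 * and is never larger than the (capped) input, so the write index oi can never
 * leave the allocation. Returns NULL on allocation failure; *out_len receives
 * the compacted length. Caller frees the result. */
uint8_t *xform_strip_whitespace(const uint8_t *input, size_t input_len, size_t *out_len)
{
    if (input == NULL || out_len == NULL)
        return NULL;
    if (input_len > XFORM_MAX_INPUT)
        input_len = XFORM_MAX_INPUT;

    /* malloc(0) may return NULL; allocate at least one byte. */
    uint8_t *output = malloc(input_len == 0 ? 1 : input_len);
    if (output == NULL)
        return NULL;

    size_t oi = 0;
    for (size_t i = 0; i < input_len; i++) {
        /* isspace expects an unsigned char value; uint8_t is non-negative. */
        if (!isspace(input[i]))
            output[oi++] = input[i];
    }
    *out_len = oi;
    return output;
}

int main(void)
{
    /* Constructed sample input: 13 bytes, 7 of them non-whitespace. */
    const uint8_t sample[] = "GET  /a b\t\r\nc";
    size_t n = 0;
    uint8_t *out = xform_strip_whitespace(sample, sizeof(sample) - 1, &n);
    if (out == NULL)
        return 1;
    printf("stripped %zu bytes: %.*s\n", n, (int)n, out);
    free(out);

    /* The numbers from this ticket: an 11819549-byte input against an 8 MiB stack. */
    printf("11819549 bytes on an 8 MiB stack overflows: %d\n",
           xform_vla_exceeds_stack(11819549u, 8u << 20));
    return 0;
}
```

The point of the check is not the exact constant but that the allocation size is decoupled from the stack: a transform that must shrink its input can use a heap buffer of input length, and a transform that can grow it (xor, dotprefix and the like) needs an explicit output bound rather than an input-derived stack array.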


Subtasks 1 (0 open, 1 closed)

Security #7306: detect: write to read-only memory in transforms (7.0.x backport) (Closed, Philippe Antoine)

Related issues 1 (1 open, 0 closed)

Related to Suricata - Task #3195: tracking: rustify all input (New, OISF Dev)

#1

Updated by Jason Ish 11 months ago

  • Private changed from No to Yes
#2

Updated by Philippe Antoine 9 months ago

  • Status changed from New to In Review
  • Assignee changed from OISF Dev to Philippe Antoine
  • Target version changed from TBD to 8.0.0-beta1
#4

Updated by Philippe Antoine 9 months ago

  • Related to Task #3195: tracking: rustify all input added
#5

Updated by Simen Lybekk 9 months ago

Philippe Antoine wrote in #note-2:

Could you try this PR?

Sorry, I haven't been able to reproduce this since by deliberately reintroducing the rule change on a select sensor. As such I haven't been able to capture a reproducer yet either.

I can deploy the change in our lab though if that's good?

#6

Updated by Simen Lybekk 9 months ago

  • Subject changed from Buffer overread in TransformStripWhitespace from FiledataWithXformsGetDataCallback to Write to read-only memory in TransformStripWhitespace from FiledataWithXformsGetDataCallback
#7

Updated by Philippe Antoine 9 months ago

Would you know your stack size?

The output buffer is around 3 megabytes large, while buffer->inspect_len is several times that.

How much is buffer->inspect_len exactly?

#8

Updated by Simen Lybekk 9 months ago · Edited

Clarification: "The output buffer is around 3 megabytes large" at the time of the crash, i.e. the offset into the buffer.

Philippe Antoine wrote in #note-7:

Would you know your stack size?

I think it's 2 MiB / 8 MiB

Philippe Antoine wrote in #note-7:

How much is buffer->inspect_len exactly?

11819549, assuming I found the correct coredump for the previously given example.

#9

Updated by Philippe Antoine 9 months ago

11819549, assuming I found the correct coredump for the previously given example.

So 11819549 > 8 MiB; this is indeed a stack overflow. Thanks for the report.

#10

Updated by Victor Julien 9 months ago

  • Label Needs backport to 7.0 added
#11

Updated by OISF Ticketbot 9 months ago

  • Subtask #7306 added
#12

Updated by OISF Ticketbot 9 months ago

  • Label deleted (Needs backport to 7.0)
#13

Updated by Philippe Antoine 8 months ago

  • Status changed from In Review to Resolved
#14

Updated by Philippe Antoine 8 months ago

  • Status changed from Resolved to Closed
#15

Updated by Philippe Antoine 8 months ago

https://github.com/OISF/suricata/pull/12147 was a follow-up to complete the previous PR.

#16

Updated by Victor Julien 7 months ago

  • Severity changed from MODERATE to CRITICAL
#17

Updated by Jason Ish 7 months ago

Affected transforms include:

  • to_lowercase
  • to_uppercase
  • strip_whitespace
  • compress_whitespace
  • dotprefix
  • header_lowercase
  • strip_pseudo_headers
  • url_decode
  • xor
#18

Updated by Juliana Fajardini Reichow 7 months ago

  • Subject changed from Write to read-only memory in TransformStripWhitespace from FiledataWithXformsGetDataCallback to detect: write to read-only memory in transforms
#20

Updated by Victor Julien 7 months ago

  • Git IDs updated (diff)
#21

Updated by Juliana Fajardini Reichow 4 days ago

  • Private changed from Yes to No