Security #7229 (closed)
detect: write to read-only memory in transforms
b58b886db755c60c9616af64808c9f0983849106
Description
We've managed to trigger a segfault that seems very similar to Bug #4403 by creating a rule containing http.response_body; strip_whitespace; before any content match.
The segfault occurs during a write to oi: https://github.com/OISF/suricata/blob/suricata-7.0.6/src/detect-transform-strip-whitespace.c#L115
The recent state of oi is as follows:
(gdb) print oi
$1 = (uint8_t *) 0x7f4889ae3001 ""
(gdb) print *(oi-1)
$5 = 0 '\000'
(gdb) print *(oi-2)
$6 = 207 '\317'
(gdb) print *(oi)
$7 = 0 '\000'
The output buffer is around 3 megabytes large, while buffer->inspect_len is several times that.
Regardless, we're suddenly passing into read-only memory:
0x7f48898b4000->0x7f4889ae3000 at 0xf0d4a000: load194 ALLOC LOAD HAS_CONTENTS
0x7f4889ae3000->0x7f4889ae4000 at 0xf0f79000: load195 ALLOC LOAD READONLY HAS_CONTENTS
I'll update if we can find any more details. We are using a mix of libtcmalloc_minimal.so.4 and distro glibc across affected sensors. We do have some custom app layers and patches but nothing that introduces detect keywords, buffers, or changes memory allocation behavior.