Security #7229

closed

detect: write to read-only memory in transforms

Added by Simen Lybekk 11 months ago. Updated 4 days ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
Git IDs:

b58b886db755c60c9616af64808c9f0983849106

Severity:
CRITICAL
Disclosure Date:

Description

We've managed to trigger a segfault that seems very similar to Bug #4403 by creating a rule containing http.response_body; strip_whitespace; before any content match.

The segfault occurs during a write to oi:
https://github.com/OISF/suricata/blob/suricata-7.0.6/src/detect-transform-strip-whitespace.c#L115

The recent state of oi is as follows:

(gdb) print oi
$1 = (uint8_t *) 0x7f4889ae3001 "" 
(gdb) print *(oi-1)
$5 = 0 '\000'
(gdb) print *(oi-2)
$6 = 207 '\317'
(gdb) print *(oi)
$7 = 0 '\000'

The output buffer is around 3 megabytes large, while buffer->inspect_len is several times that.
Regardless, we're suddenly passing into read-only memory:

0x7f48898b4000->0x7f4889ae3000 at 0xf0d4a000: load194 ALLOC LOAD HAS_CONTENTS
0x7f4889ae3000->0x7f4889ae4000 at 0xf0f79000: load195 ALLOC LOAD READONLY HAS_CONTENTS

I'll update if we can find any more details. We are using a mix of libtcmalloc_minimal.so.4 and distro glibc across affected sensors. We do have some custom app layers and patches but nothing that introduces detect keywords, buffers, or changes memory allocation behavior.
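As an added illustration (not Suricata's own code, and not the upstream fix for this ticket), the C sketch below shows the property a transform writing into a separately sized output buffer needs: the output capacity is passed in and checked before every write, so an inspect buffer several times larger than the output buffer is truncated instead of running into the next mapping. The function names, the capacity, and the constructed input are assumptions made for this example; the guard byte placed directly after the output buffer is a cheap self-check that the bound was honoured.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounded strip-whitespace transform (example only, not Suricata's
 * code). Copies the non-whitespace bytes of `input` into `output` without ever
 * writing more than `out_cap` bytes. Returns the number of bytes produced; if
 * `truncated` is non-NULL it is set to 1 when the input did not fit. */
size_t strip_whitespace_bounded(const uint8_t *input, size_t input_len,
                                uint8_t *output, size_t out_cap, int *truncated)
{
    size_t written = 0;
    if (truncated)
        *truncated = 0;
    for (size_t i = 0; i < input_len; i++) {
        if (isspace(input[i]))          /* uint8_t is already in ctype's range */
            continue;
        if (written >= out_cap) {       /* output full: stop, never overrun */
            if (truncated)
                *truncated = 1;
            return written;
        }
        output[written++] = input[i];
    }
    return written;
}

/* Self-check modelled on the report: an input several times larger than the
 * output buffer. Returns 1 when the transform stopped at the capacity, flagged
 * truncation, and left the guard byte after the output buffer untouched. */
int run_oversized_input_check(void)
{
    const size_t out_cap = 64;
    const size_t input_len = out_cap * 4;     /* constructed: 4x the capacity */
    uint8_t *input = malloc(input_len);
    uint8_t *output = malloc(out_cap + 1);    /* +1 for the guard byte */
    if (!input || !output) {
        free(input);
        free(output);
        return 0;
    }
    for (size_t i = 0; i < input_len; i++)
        input[i] = (i % 3 == 0) ? ' ' : 'A';  /* constructed payload: 1/3 spaces */
    memset(output, 0, out_cap + 1);
    output[out_cap] = 0xEE;                   /* guard byte just past the buffer */

    int truncated = 0;
    size_t n = strip_whitespace_bounded(input, input_len, output, out_cap, &truncated);
    int ok = (n == out_cap) && truncated && (output[out_cap] == 0xEE);

    free(input);
    free(output);
    return ok;
}

int main(void)
{
    printf("bounded transform: %s\n", run_oversized_input_check() ? "ok" : "FAILED");
    return 0;
}
```

The point of passing `out_cap` separately from `input_len` is that the two buffers in the report are sized independently (a ~3 MB output versus an inspect_len several times larger); a transform that only loops over the input length has no way to notice when the output is exhausted.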


Subtasks 1 (0 open, 1 closed)

Security #7306: detect: write to read-only memory in transforms (7.0.x backport) - Closed - Philippe Antoine

Related issues 1 (1 open, 0 closed)

Related to Suricata - Task #3195: tracking: rustify all input - New - OISF Dev
