Bug #7334 (closed)
asan/profiling: global-buffer-overflow error
Description
With profiling enabled on an ASAN build, Suricata eventually crashes with a global-buffer-overflow error while handling packet-related profiling data.
==2190781==ERROR: AddressSanitizer: global-buffer-overflow on address 0x63bd3c5ff600 at pc 0x63bd3a8f9972 bp 0x7d5988bfeff0 sp 0x7d5988bfefe8
READ of size 8 at 0x63bd3c5ff600 thread T17 (W#16)
#0 0x63bd3a8f9971 in SCProfilingUpdatePacketAppRecord /home/jlucovsky/src/jal/2290/src/util-profiling.c:925:13
#1 0x63bd3a8f9971 in SCProfilingUpdatePacketAppRecords /home/jlucovsky/src/jal/2290/src/util-profiling.c:944:17
#2 0x63bd3a8f7650 in SCProfilingAddPacket /home/jlucovsky/src/jal/2290/src/util-profiling.c:1135:13
#3 0x63bd3a889e9b in TmqhOutputPacketpool /home/jlucovsky/src/jal/2290/src/tmqh-packetpool.c:409:5
#4 0x63bd3a894e8a in TmThreadsSlotVar /home/jlucovsky/src/jal/2290/src/tm-threads.c:484:13
#5 0x63bd3a84080c in asan_thread_start(void*) asan_interceptors.cpp.o
#6 0x7d59bea9ca93 in start_thread nptl/pthread_create.c:447:8
#7 0x7d59beb29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
0x63bd3c5ff600 is located 544 bytes after global variable 'packet_profile_app_data4' defined in '/home/jlucovsky/src/jal/2290/src/util-profiling.c:75' (0x63bd3c5b2f20) of size 312512
SUMMARY: AddressSanitizer: global-buffer-overflow /home/jlucovsky/src/jal/2290/src/util-profiling.c:925:13 in SCProfilingUpdatePacketAppRecord
Shadow bytes around the buggy address:
0x63bd3c5ff380: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x63bd3c5ff400: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x63bd3c5ff480: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x63bd3c5ff500: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x63bd3c5ff580: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x63bd3c5ff600:[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x63bd3c5ff680: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x63bd3c5ff700: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x63bd3c5ff780: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x63bd3c5ff800: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x63bd3c5ff880: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Thread T17 (W#16) created by T0 (Suricata-Main) here:
#0 0x63bd3a828695 in pthread_create (/home/jlucovsky/src/jal/2290/src/.libs/suricata+0x3ad695) (BuildId: b56f8d796cd212fb3584d2acc656e3ab6a959555)
#1 0x63bd3a890fb1 in TmThreadSpawn /home/jlucovsky/src/jal/2290/src/tm-threads.c:1678:14
#2 0x63bd3b080831 in RunModeFilePcapAutoFp /home/jlucovsky/src/jal/2290/src/runmode-pcap-file.c:216:13
#3 0x63bd3addf891 in RunModeDispatch /home/jlucovsky/src/jal/2290/src/runmodes.c:423:5
#4 0x63bd3a888235 in SuricataInit /home/jlucovsky/src/jal/2290/src/suricata.c:2967:5
#5 0x63bd3a88131f in main /home/jlucovsky/src/jal/2290/src/main.c:54:5
#6 0x7d59bea2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#7 0x7d59bea2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#8 0x63bd3a7a7ed4 in _start (/home/jlucovsky/src/jal/2290/src/.libs/suricata+0x32ced4) (BuildId: b56f8d796cd212fb3584d2acc656e3ab6a959555)
==2190781==ABORTING