Bug #7360

open

BUG_ON triggered from GetLeftEdge

Added by Artem Sdvizhkov about 2 months ago.

Status: New
Priority: Normal

Description

Hi! During fuzz testing, an assert was identified in the GetLeftEdge function.
Stack trace is:

./fuzz_predefpcap_aware: Running 1 inputs 1 time(s) each.
Running: crash-769f80750c1dc3bbf5706dee2e740a356fc4fbca
fuzz_predefpcap_aware: stream-tcp-list.c:835: uint64_t GetLeftEdge(Flow *, TcpSession *, TcpStream *): Assertion `!((last_ack_abs < left_edge && !StreamTcpInlineMode() && !f->ffr && ssn->state < TCP_CLOSED))' failed.
==27034== ERROR: libFuzzer: deadly signal
    #0 0x57bd0b91a884 in __sanitizer_print_stack_trace /llvm-project-llvmorg-18.1.8/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:31:3
    #1 0x57bd0b8ee098 in fuzzer::PrintStackTrace() /llvm-project-llvmorg-18.1.8/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
    #2 0x57bd0b8d3953 in fuzzer::Fuzzer::CrashCallback() /llvm-project-llvmorg-18.1.8/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:231:3
    #3 0x717953d2151f  (/lib/x86_64-linux-gnu/libc.so.6+0x4251f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #4 0x717953d759fb in pthread_kill (/lib/x86_64-linux-gnu/libc.so.6+0x969fb) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #5 0x717953d21475 in gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x42475) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #6 0x717953d077f2 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x287f2) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #7 0x717953d0771a  (/lib/x86_64-linux-gnu/libc.so.6+0x2871a) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #8 0x717953d18e95 in __assert_fail (/lib/x86_64-linux-gnu/libc.so.6+0x39e95) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #9 0x57bd0ba11bcf in GetLeftEdge /suricata/src/stream-tcp-list.c:834:5
    #10 0x57bd0ba11633 in StreamTcpPruneSession /suricata/src/stream-tcp-list.c:928:32
    #11 0x57bd0b9ba011 in FlowWorker /suricata/src/flow-worker.c:659:13
    #12 0x57bd0b91c10a in LLVMFuzzerTestOneInput /suricata/src/tests/fuzz/fuzz_predefpcap_aware.c:140:13
    #13 0x57bd0b8d4f43 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project-llvmorg-18.1.8/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #14 0x57bd0b8bea6f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project-llvmorg-18.1.8/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #15 0x57bd0b8c478a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project-llvmorg-18.1.8/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #16 0x57bd0b8eea22 in main /llvm-project-llvmorg-18.1.8/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #17 0x717953d08d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #18 0x717953d08e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #19 0x57bd0b8b9434 in _start (/suricata/src/fuzz_predefpcap_aware+0x154434)

Build info:

This is Suricata version 8.0.0-dev (3a7eef812 2024-10-28)
Features: DEBUG_VALIDATION PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_JA3 HAVE_JA4 HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST POPCNT64 
SIMD support: SSE_2 
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version Clang 18.1.8, C version 201112
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.49, linked against LibHTP v0.5.49

Suricata Configuration:
  AF_PACKET support:                       yes
  AF_XDP support:                          no
  DPDK support:                            no
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no 
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  PCRE jit:                                yes
  GeoIP2 support:                          yes
  JA3 support:                             yes
  JA4 support:                             yes
  Non-bundled htp:                         no
  Hyperscan support:                       no
  Libnet support:                          yes
  liblz4 support:                          no
  Landlock support:                        yes
  Systemd support:                         yes

  Rust support:                            yes
  Rust strict mode:                        no
  Rust compiler path:                      /root/.cargo/bin/rustc
  Rust compiler version:                   rustc 1.82.0 (f6e511eec 2024-10-15)
  Cargo path:                              /root/.cargo/bin/cargo
  Cargo version:                           cargo 1.82.0 (8f40fc59f 2024-08-21)

  Python support:                          no
  Python path:                             not set
  Install suricatactl:                     requires python
  Install suricatasc:                      requires python
  Install suricata-update:                 no, not bundled

  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Profiling rules enabled:                 no

  Plugin support (experimental):           yes
  DPDK Bond PMD:                           no

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                yes
  Fuzz targets enabled:                    yes

Generic build parameters:
  Installation prefix:                     /usr/local
  Configuration directory:                 /usr/local/etc/suricata/
  Log directory:                           /usr/local/var/log/suricata/

  --prefix                                 /usr/local
  --sysconfdir                             /usr/local/etc
  --localstatedir                          /usr/local/var
  --datarootdir                            /usr/local/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                clang (exec name) / clang++ (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                no
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -fPIC -DOS_LINUX -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist -I../rust/gen
  PCAP_CFLAGS                               
  SECCFLAGS                               

