Security #7393

closed

tcp: segfault on StreamingBufferSlideToOffsetWithRegions

Added by Philippe Antoine 8 months ago. Updated 6 days ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Label:
Git IDs:

282509f70c4ce805098e59535af445362e3e9ebd
8900041405dbb5f9584edae994af2100733fb4be
9a53ec43b13f0039a083950511a18bf6f408e432

Severity: CRITICAL
Disclosure Date:

Description

Triggers on the same callstack
On SMB traffic (app-layer.smb.stream-depth == 200mb)
On a compile of the 7.0.6 tag

(gdb) bt
#0  0x00007f78baad7aa0 in __memset_sse2 () from /lib64/libc.so.6
#1  0x0000559bde7c244d in memset (__len=<optimized out>, __ch=0, __dest=<optimized out>) at /usr/include/bits/string3.h:84
#2  GrowRegionToSize (size=<optimized out>, region=0x7f77f41cee40, cfg=0x559bdf104598 <stream_config+56>, sb=0x7f77f41cee40) at util-streaming-buffer.c:736
#3  StreamingBufferSlideToOffsetWithRegions (slide_offset=37755546, cfg=0x559bdf104598 <stream_config+56>, sb=0x7f77f41cee40) at util-streaming-buffer.c:946
#4  StreamingBufferSlideToOffset (sb=sb@entry=0x7f77f41cee40, cfg=cfg@entry=0x559bdf104598 <stream_config+56>, offset=offset@entry=37755546) at util-streaming-buffer.c:1016
#5  0x0000559bde7a61ff in StreamTcpPruneSession (f=0x7f7786a7a090, flags=<optimized out>) at stream-tcp-list.c:940
#6  0x0000559bde768c89 in FlowWorker (tv=0x559be8a787f0, p=0x7f780117ff70, data=0x7f78011eabf0) at flow-worker.c:657
#7  0x0000559bde6c06bd in TmThreadsSlotVarRun (tv=tv@entry=0x559be8a787f0, p=p@entry=0x7f780117ff70, slot=<optimized out>) at tm-threads.c:135
#8  0x0000559bde793015 in TmThreadsSlotProcessPkt (p=0x7f780117ff70, s=<optimized out>, tv=0x559be8a787f0) at tm-threads.h:200
#9  AFPParsePacketV3 (pbd=<optimized out>, ppd=0x7f77286e1ee0, ptv=0x7f78011809a0) at source-af-packet.c:1013
#10 AFPWalkBlock (pbd=<optimized out>, ptv=0x7f78011809a0) at source-af-packet.c:1032
#11 AFPReadFromRingV3 (ptv=0x7f78011809a0) at source-af-packet.c:1079
#12 0x0000559bde79331b in ReceiveAFPLoop (tv=0x559be8a787f0, data=<optimized out>, slot=<optimized out>) at source-af-packet.c:1431
#13 0x0000559bde6c1eca in TmThreadsSlotPktAcqLoop (td=0x559be8a787f0) at tm-threads.c:318
#14 0x00007f78bc00eea5 in start_thread () from /lib64/libpthread.so.0
#15 0x00007f78bab46b2d in clone () from /lib64/libc.so.6
# The result of ToNextMultipleOf from line 723
(gdb) print grow
grow = 1327104

# The offset in the memory region for the start of the new data, as per line 735
(gdb) print region->buf_size
region->buf_size = 1329152

# The value of diff, as per line 734
(gdb) print grow - region->buf_size
diff = 4294965248
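
The arithmetic visible in the gdb session above, shown as an added C illustration; it is not Suricata source and not the project's fix. `struct region`, `unchecked_diff` and `grow_region_checked` are hypothetical names, and 32-bit unsigned sizes are an assumption consistent with the printed `diff` value.

```c
/* Added illustration, not Suricata source; all names are hypothetical. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct region {              /* stand-in for one stream buffer region */
    uint8_t *buf;
    uint32_t buf_size;
};

/* Unchecked subtraction: wraps around when grow < buf_size. */
static uint32_t unchecked_diff(uint32_t grow, uint32_t buf_size)
{
    return grow - buf_size;
}

/* Guarded grow. Returns 0 when grown (new tail zeroed), 1 when the buffer
 * is already large enough, -1 on allocation failure. Never shrinks. */
static int grow_region_checked(struct region *r, uint32_t grow)
{
    if (grow <= r->buf_size)
        return 1;            /* no subtraction, no memset */
    uint8_t *p = realloc(r->buf, grow);
    if (p == NULL)
        return -1;
    memset(p + r->buf_size, 0, grow - r->buf_size); /* grow > buf_size here */
    r->buf = p;
    r->buf_size = grow;
    return 0;
}

int main(void)
{
    /* grow and region->buf_size as printed by gdb in the report */
    printf("diff = %" PRIu32 "\n", unchecked_diff(1327104u, 1329152u));

    struct region r = { calloc(1, 4096), 4096 };  /* constructed sample */
    if (r.buf == NULL)
        return 1;
    int rc = grow_region_checked(&r, 2048);       /* smaller than current */
    printf("request 2048 -> %d, size %" PRIu32 "\n", rc, r.buf_size);
    rc = grow_region_checked(&r, 8192);           /* genuine grow */
    printf("request 8192 -> %d, size %" PRIu32 "\n", rc, r.buf_size);
    free(r.buf);
    return 0;
}
```

With the values from the report, the unchecked subtraction yields a length of roughly 4 GiB, which matches the fault inside `memset` at frame #0.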

Subtasks 1 (0 open, 1 closed)

Security #7404: tcp: segfault on StreamingBufferSlideToOffsetWithRegions (7.0.x backport) - Closed - Philippe Antoine