Security #7526

detect: infinite loop in DetectEngineContentInspectionInternal with negated pcre

Added by Philippe Antoine about 1 year ago. Updated 9 months ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Label:
Git IDs:
Severity: HIGH
Disclosure Date: 04/28/2025

Description

Found by oss-fuzz
https://issues.oss-fuzz.com/u/1/issues/392180063

Reproducer rule is alert ip any any -> any any (pcre:!/weak"/.*bC/"; byte_extract:1,4,rpkt_len,relative; byte_jump:rpkt_len,0,relative; sid:1;


Files

infu.pcap (972 Bytes) Philippe Antoine, 01/28/2025 01:50 PM

Subtasks 1 (0 open, 1 closed)

Security #7527: detect: infinite loop with negated pcre and indefinite recursion limit setting (7.0.x backport) - Closed - Philippe Antoine

Updated by OISF Ticketbot about 1 year ago #1

  • Subtask #7527 added

Updated by OISF Ticketbot about 1 year ago #2

  • Label deleted (Needs backport to 7.0)

Updated by Philippe Antoine about 1 year ago #3

diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c
index dbc18c2980..8bf548c81f 100644
--- a/src/detect-engine-content-inspection.c
+++ b/src/detect-engine-content-inspection.c
@@ -478,6 +478,9 @@ static int DetectEngineContentInspectionInternal(DetectEngineThreadCtx *det_ctx,
                 SCReturnInt(-1);
             }

+            if (prev_offset == 0) {
+                SCReturnInt(-1);
+            }
             det_ctx->buffer_offset = prev_buffer_offset;
             det_ctx->pcre_match_start_offset = prev_offset;
         } while (1);
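
Review bot: the `prev_offset == 0` guard added just before `det_ctx->pcre_match_start_offset = prev_offset;` carries no comment saying why a zero offset means the `do { ... } while (1)` loop cannot make progress. Please add a line stating the condition it covers, and consider whether the test should be "the offset did not advance since the previous iteration" rather than "the offset is zero", since only the zero case is handled by the visible lines.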

Fix without understanding the sig

Updated by Philippe Antoine about 1 year ago #4

Here is the pcap to reproduce

I think the root cause is negated pcre not increasing pcre_match_start_offset

Updated by Philippe Antoine about 1 year ago #5

  • Status changed from New to In Review
  • Assignee changed from OISF Dev to Philippe Antoine

Gitlab

Updated by Philippe Antoine about 1 year ago #6

jq '.. | objects | select(.pcre and .pcre.relative_next and .pcre.negated)' rules.json on engine-analysis output tells if a rule is vulnerable
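
The jq filter from comment #6, written out as an added example (not part of the ticket or of Suricata) that also reports which rule each hit belongs to. The object layout around `pcre` and the use of a top-level `id` field as the sid are assumptions; only the `pcre.relative_next` and `pcre.negated` keys come from the filter above, and the sample input is constructed.

```python
import json

# Constructed sample: the object layout around "pcre" is an assumption; only the
# pcre.relative_next and pcre.negated keys are taken from the jq filter on the page.
SAMPLE = """
{"id": 1, "lists": {"packet": {"matches": [{"name": "pcre", "pcre": {"relative_next": true, "negated": true}}]}}}
{"id": 2, "lists": {"packet": {"matches": [{"name": "pcre", "pcre": {"relative_next": false, "negated": true}}]}}}
{"id": 3, "lists": {"packet": {"matches": [{"name": "pcre", "pcre": {"relative_next": true, "negated": false}}]}}}
{"id": 4, "lists": {"packet": {"matches": [{"name": "content"}]}}}
"""

def iter_json_stream(text):
    """Yield each top-level JSON value from concatenated or newline-separated input, as jq does."""
    decoder, pos = json.JSONDecoder(), 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return
        value, pos = decoder.raw_decode(text, pos)
        yield value

def iter_objects(node):
    """Recursive descent over every JSON object, like jq's `.. | objects`."""
    if isinstance(node, dict):
        yield node
        for child in node.values():
            yield from iter_objects(child)
    elif isinstance(node, list):
        for child in node:
            yield from iter_objects(child)

def truthy(value):
    """jq truthiness: everything except null and false counts as true."""
    return value is not None and value is not False

def is_flagged(obj):
    """Same predicate as the jq select(): a pcre that is both relative_next and negated."""
    pcre = obj.get("pcre")
    return isinstance(pcre, dict) and truthy(pcre.get("relative_next")) and truthy(pcre.get("negated"))

def flagged_rules(text):
    """Return the "id" (assumed here to hold the sid) of every rule with a flagged pcre."""
    hits = []
    for top in iter_json_stream(text):
        for rule in top if isinstance(top, list) else [top]:
            if any(is_flagged(o) for o in iter_objects(rule)):
                hits.append(rule.get("id") if isinstance(rule, dict) else None)
    return hits
```

Calling `flagged_rules()` on the text of the engine-analysis `rules.json` returns the list of rule ids to review; on the constructed sample it returns `[1]`.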

Updated by Philippe Antoine about 1 year ago #7

  • Subject changed from detect: infinite loop in DetectEngineContentInspectionInternal to detect: infinite loop in DetectEngineContentInspectionInternal with negated pcre

Updated by Jason Ish about 1 year ago #8

  • Severity changed from MODERATE to HIGH

Updated by Jason Ish about 1 year ago #10

  • Status changed from In Review to Resolved

Has been merged to master.

Updated by Jason Ish about 1 year ago #11

  • Status changed from Resolved to Closed

Updated by Juliana Fajardini Reichow 9 months ago #12

  • Private changed from Yes to No