Security #7838
detect/entropy: segfault when not anchored to a sticky buffer
Status: Closed
Git IDs:
Severity: HIGH
Disclosure Date:
Description
When the entropy keyword is not anchored to a sticky buffer, Suricata segfaults.
Rule:
alert tcp-pkt any any -> any any (msg:"Entropy segfault"; entropy: value >= 6; sid:1; )
Stack:
#0 0x000055555584bd47 in DetectEntropyDoMatch (det_ctx=0x7fffe037f1a0, s=0x55555750b950, ctx=0x55555750bf10, buffer=0x7ffff028a4b2 "220 Welcome to file2pcap ftp server\r\n", buffer_len=37) at detect-entropy.c:79
#1 0x0000555555ae7e25 in DetectEngineContentInspectionInternal (det_ctx=0x7fffe037f1a0, ctx=0x7fffe75fdd30, s=0x55555750b950, smd=0x55555750c840, p=0x7ffff028a2b0, f=0x55555739eb00, buffer=0x7ffff028a4b2 "220 Welcome to file2pcap ftp server\r\n", buffer_len=37, stream_start_offset=0, flags=3 '\003', inspection_mode=DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD) at detect-engine-content-inspection.c:500
#2 0x0000555555ae70ec in DetectEngineContentInspection (de_ctx=0x555557437e50, det_ctx=0x7fffe037f1a0, s=0x55555750b950, smd=0x55555750c840, p=0x7ffff028a2b0, f=0x55555739eb00, buffer=0x7ffff028a4b2 "220 Welcome to file2pcap ftp server\r\n", buffer_len=37, stream_start_offset=0, flags=3 '\003', inspection_mode=DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD) at detect-engine-content-inspection.c:758
#3 0x0000555555816b08 in DetectEngineInspectPacketPayload (de_ctx=0x555557437e50, det_ctx=0x7fffe037f1a0, s=0x55555750b950, f=0x55555739eb00, p=0x7ffff028a2b0) at detect-engine-payload.c:164
#4 0x0000555555842953 in DetectEngineInspectRulePayloadMatches (det_ctx=0x7fffe037f1a0, engine=0x555557439180, s=0x55555750b950, p=0x7ffff028a2b0, alert_flags=0x7fffe75fdf32 "") at detect-engine.c:1805
#5 0x00005555558425a8 in DetectEnginePktInspectionRun (tv=0x55555743bda0, det_ctx=0x7fffe037f1a0, s=0x55555750b950, f=0x55555739eb00, p=0x7ffff028a2b0, alert_flags=0x7fffe75fdf32 "") at detect-engine.c:1820
#6 0x000055555596c6af in DetectRulePacketRules (tv=0x55555743bda0, de_ctx=0x555557437e50, det_ctx=0x7fffe037f1a0, p=0x7ffff028a2b0, pflow=0x55555739eb00, scratch=0x7fffe75fdfb8) at detect.c:757
#7 0x000055555596d9ba in DetectRun (th_v=0x55555743bda0, de_ctx=0x555557437e50, det_ctx=0x7fffe037f1a0, p=0x7ffff028a2b0) at detect.c:143
#8 0x000055555595d092 in DetectFlow (tv=0x55555743bda0, de_ctx=0x555557437e50, det_ctx=0x7fffe037f1a0, p=0x7ffff028a2b0) at detect.c:2295
#9 0x000055555595cea1 in Detect (tv=0x55555743bda0, p=0x7ffff028a2b0, data=0x7fffe037f1a0) at detect.c:2387
#10 0x000055555597e774 in FlowWorker (tv=0x55555743bda0, p=0x7ffff028a2b0, data=0x7fffe028cb70) at flow-worker.c:667
#11 0x00005555556c5824 in TmThreadsSlotVarRun (tv=0x55555743bda0, p=0x7ffff028a2b0, slot=0x55555743bed0) at tm-threads.c:137
#12 0x00005555556ca5a0 in TmThreadsSlotVar (td=0x55555743bda0) at tm-threads.c:506
#13 0x00007ffff7a9caa4 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:447
#14 0x00007ffff7b29c3c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
The fault occurs because the packet pointer is NULL:
(gdb) p det_ctx->p
$1 = (Packet *) 0x0
Updated by Victor Julien about 2 months ago
- Status changed from New to Assigned
- Target version changed from TBD to 8.0.1
Updated by Victor Julien about 2 months ago
- Tracker changed from Bug to Security
- Severity set to MODERATE
Updated by Philippe Antoine 29 days ago · Edited
Argh, the oss-fuzz corpus only uses SV tests directly under tests/, not subdirectories like tests/entropy/entropy-01/
https://github.com/google/oss-fuzz/pull/13923 for oss-fuzz to find it...