Security #7881
Closed
detect/tls: keyword tls.subjectaltname leads to NULL Deref if tls.subjectaltname contains zero
Git IDs:
Severity: HIGH
Disclosure Date:
Description
Found by manual fuzzing with augmented corpus from https://github.com/google/oss-fuzz/pull/13923
No need to backport as tls.subjectaltname is only in 8
Stack trace
==14==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f15bf5a0915 bp 0x7ffeaa4cac10 sp 0x7ffeaa4ca3c8 T0)
==14==The signal is caused by a READ memory access.
==14==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
#0 0x7f15bf5a0915 (/lib/x86_64-linux-gnu/libc.so.6+0x188915) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
#1 0x5604f2223123 in strlen /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc
#2 0x5604f23b5d9c in TlsSubjectAltNameGetData /src/suricata/src/detect-tls-subjectaltname.c:71:26
#3 0x5604f23126a9 in DetectGetMultiData /src/suricata/src/detect-engine.c:2149:10
#4 0x5604f25fd382 in PrefilterMultiMpm /src/suricata/src/detect-engine-prefilter.c:1643:36
#5 0x5604f25f3f4a in DetectRunPrefilterTx /src/suricata/src/detect-engine-prefilter.c:149:13
#6 0x5604f23c890d in DetectRunTx /src/suricata/src/detect.c:1759:13
#7 0x5604f23c890d in DetectRun /src/suricata/src/detect.c:190:9
#8 0x5604f23c30e9 in Detect /src/suricata/src/detect.c
#9 0x5604f23d36a6 in FlowWorker /src/suricata/src/flow-worker.c:667:9
#10 0x5604f22e506b in LLVMFuzzerTestOneInput /src/suricata/src/tests/fuzz/fuzz_sigpcap_aware.c:179:13
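The crash class shown in the trace (strlen() reached with a NULL pointer from a per-SAN buffer getter), as an added example that is not Suricata code and not the project's fix. The san_list type, the function names and the assumption that a SAN with an embedded zero byte ends up as a NULL slot are hypothetical; the sample names are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical model, not Suricata code. Assumption: a SAN whose raw bytes
 * contain 0x00 cannot be stored as a C string, so its slot stays NULL. */
typedef struct { char *names[4]; uint16_t count; } san_list;

static char *san_to_cstr(const uint8_t *raw, size_t len)
{
    if (memchr(raw, 0, len) != NULL)
        return NULL;                    /* embedded zero: no C string form */
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, raw, len);
    s[len] = '\0';
    return s;
}

/* Guarded getter: returns 1 with buf/len set, or 0 for a missing entry.
 * Without the NULL test, strlen(NULL) reads address 0 as in the trace. */
static int san_get_data(const san_list *l, uint16_t idx, const uint8_t **buf, uint32_t *len)
{
    if (l == NULL || idx >= l->count || l->names[idx] == NULL)
        return 0;
    *buf = (const uint8_t *)l->names[idx];
    *len = (uint32_t)strlen(l->names[idx]);
    return 1;
}

/* Constructed sample: three SANs, the middle one carries a zero byte.
 * Returns the total length of the buffers that can be inspected. */
static uint32_t demo_inspectable_bytes(void)
{
    static const uint8_t a[] = "example.test", b[] = "bad\0.test", c[] = "www.example.test";
    san_list l = { { san_to_cstr(a, sizeof(a) - 1), san_to_cstr(b, sizeof(b) - 1),
                     san_to_cstr(c, sizeof(c) - 1), NULL }, 3 };
    uint32_t total = 0, len = 0;
    const uint8_t *buf = NULL;
    for (uint16_t i = 0; i < l.count; i++) {    /* skip NULL slots, keep going */
        if (san_get_data(&l, i, &buf, &len))
            total += len;
        free(l.names[i]);
    }
    return total;
}

int main(void) { printf("%u inspectable bytes\n", (unsigned)demo_inspectable_bytes()); return 0; }
```

The loop skips the NULL slot instead of stopping at it, so the entry after the malformed one is still counted.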
Updated by Victor Julien about 2 months ago
- Status changed from In Review to Closed