Security #8021

eve/alert: heap buffer overflow on verdict

Added by Jules Lumbergh about 2 months ago. Updated 8 days ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Label:
Git IDs:
Severity: MODERATE
Disclosure Date: 10/27/2025

Description

While running suricata 8.0.1 we have been getting crashes related to memory issues. The system is operating fine for multiple days before crashing with a segfault.

Since we weren't able to reproduce the issue with a test system, we enabled sanitizer support on the target server.

This is the asan log from the most recent crash:

==3404==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7cd235b9a1dc at pc 0x564b10d7a6f9 bp 0x7b71feb87a50 sp 0x7b71feb87a48
READ of size 1 at 0x7cd235b9a1dc thread T8 (W#03-eth1)
    #0 0x564b10d7a6f8 in EveAddVerdict /src/suricata-8.0.1/src/output-json-alert.c:581:48
    #1 0x564b10d7f0a0 in AlertJson /src/suricata-8.0.1/src/output-json-alert.c:795:13
    #2 0x564b10d7a958 in JsonAlertLogger /src/suricata-8.0.1/src/output-json-alert.c:874:16
    #3 0x564b10db881f in OutputPacketLog /src/suricata-8.0.1/src/output-packet.c:106:13
    #4 0x564b1093aa72 in OutputLoggerLog /src/suricata-8.0.1/src/output.c:809:9
    #5 0x564b108c8c12 in FlowWorker /src/suricata-8.0.1/src/flow-worker.c:673:5
    #6 0x564b1037e977 in TmThreadsSlotVarRun /src/suricata-8.0.1/src/tm-threads.c:137:21
    #7 0x564b10972a6a in TmThreadsSlotProcessPkt /src/suricata-8.0.1/src/./tm-threads.h:202:17
    #8 0x564b1096d287 in AFPReadFromRing /src/suricata-8.0.1/src/source-af-packet.c:935:13
    #9 0x564b10964b09 in ReceiveAFPLoop /src/suricata-8.0.1/src/source-af-packet.c:1421:17
    #10 0x564b103a32b4 in TmThreadsSlotPktAcqLoop /src/suricata-8.0.1/src/tm-threads.c:334:13
    #11 0x564b10327b0b in asan_thread_start(void*) /src/compiler-rt-21.1.4.src/lib/asan/asan_interceptors.cpp:239:28
    #12 0x7f722ad9972b in start_thread pthread_create.c
    #13 0x7f722ae02627 in __GI___clone3 (/lib64/libc.so.6+0xef627)

0x7cd235b9a1dc is located 4 bytes after 600-byte region [0x7cd235b99f80,0x7cd235b9a1d8)
allocated by thread T8 (W#03-eth1) here:
    #0 0x564b1032ca09 in calloc /src/compiler-rt-21.1.4.src/lib/asan/asan_malloc_linux.cpp:74:3
    #1 0x564b103fbc1d in SCCallocFunc /src/suricata-8.0.1/src/util-mem.c:60:20
    #2 0x564b109435f8 in PacketInit /src/suricata-8.0.1/src/packet.c:66:24
    #3 0x564b10558173 in PacketGetFromAlloc /src/suricata-8.0.1/src/decode.c:264:5
    #4 0x564b103af584 in PacketPoolInit /src/suricata-8.0.1/src/tmqh-packetpool.c:254:21
    #5 0x564b103a4807 in TmThreadsSlotPktAcqLoopInit /src/suricata-8.0.1/src/tm-threads.c:217:5
    #6 0x564b103a31db in TmThreadsSlotPktAcqLoop /src/suricata-8.0.1/src/tm-threads.c:327:10
    #7 0x564b10327b0b in asan_thread_start(void*) /src/compiler-rt-21.1.4.src/lib/asan/asan_interceptors.cpp:239:28

Thread T8 (W#03-eth1) created by T0 (Suricata-Main) here:
    #0 0x564b1030efc1 in pthread_create /src/compiler-rt-21.1.4.src/lib/asan/asan_interceptors.cpp:250:3
    #1 0x564b10394ca1 in TmThreadSpawn /src/suricata-8.0.1/src/tm-threads.c:1745:14
    #2 0x564b10e1ba0d in RunModeSetLiveCaptureWorkersForDevice /src/suricata-8.0.1/src/util-runmodes.c:322:13
    #3 0x564b10e1b4e6 in RunModeSetLiveCaptureWorkers /src/suricata-8.0.1/src/util-runmodes.c:347:9
    #4 0x564b10dbf313 in RunModeIdsAFPWorkers /src/suricata-8.0.1/src/runmode-af-packet.c:877:11
    #5 0x564b10956dc2 in RunModeDispatch /src/suricata-8.0.1/src/runmodes.c:442:5
    #6 0x564b1037a10f in SuricataInit /src/suricata-8.0.1/src/suricata.c:3091:5
    #7 0x564b1036e83d in main /src/suricata-8.0.1/src/main.c:57:5
    #8 0x7f722ad3b63e in __libc_start_call_main libc-start.c
    #9 0x7f722ad3b6eb in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x286eb)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/suricata-8.0.1/src/output-json-alert.c:581:48 in EveAddVerdict
Shadow bytes around the buggy address:
  0x7cd235b99f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7cd235b99f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7cd235b9a000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7cd235b9a080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7cd235b9a100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7cd235b9a180: 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x7cd235b9a200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7cd235b9a280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7cd235b9a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7cd235b9a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7cd235b9a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3404==ABORTING


Subtasks 2 (0 open, 2 closed)

Security #8022: eve/alert: heap buffer overflow on verdict (8.0.x backport). Closed, assigned to Juliana Fajardini Reichow.
Security #8029: eve/alert: heap buffer overflow on verdict (7.0.x backport). Closed, assigned to Juliana Fajardini Reichow.

Related issues 2 (1 open, 1 closed)

Related to Suricata - Optimization #5180: detect/alert: make sure that signatures with `drop` action are respected, even if the alert is discarded. In Progress, assigned to Juliana Fajardini Reichow.
Related to Suricata - Bug #7630: eve/alert: incorrect verdict with pass + alert rule. Closed, assigned to Juliana Fajardini Reichow.

#1

Updated by Victor Julien about 2 months ago

  • Assignee set to OISF Dev
  • Priority changed from Normal to High
  • Target version changed from TBD to 9.0.0-beta1
  • Label Needs backport to 8.0 added

Thanks for your report. Is the crash always in the same function? If other crashes look different, please add them to the ticket as well.

#2

Updated by OISF Ticketbot about 2 months ago

  • Subtask #8022 added
#3

Updated by OISF Ticketbot about 2 months ago

  • Label deleted (Needs backport to 8.0)
#4

Updated by Juliana Fajardini Reichow about 2 months ago

  • Affected Versions git main added
#5

Updated by Juliana Fajardini Reichow about 2 months ago

  • Related to Optimization #5180: detect/alert: make sure that signatures with `drop` action are respected, even if the alert is discarded added
#6

Updated by Juliana Fajardini Reichow about 2 months ago

  • Assignee changed from OISF Dev to Juliana Fajardini Reichow

Assigning it to me as I investigate it further.

#7

Updated by Philippe Antoine about 2 months ago

  • Private changed from No to Yes
#8

Updated by Philippe Antoine about 2 months ago

  • Tracker changed from Bug to Security
  • Status changed from New to In Review
  • Severity set to MODERATE

Gitlab MR

#9

Updated by Philippe Antoine about 2 months ago

  • Label Needs backport to 7.0 added
#10

Updated by OISF Ticketbot about 2 months ago

  • Subtask #8029 added
#11

Updated by OISF Ticketbot about 2 months ago

  • Label deleted (Needs backport to 7.0)
#12

Updated by Juliana Fajardini Reichow about 2 months ago

  • Assignee changed from Juliana Fajardini Reichow to Philippe Antoine
#13

Updated by Philippe Antoine about 2 months ago

  • Assignee changed from Philippe Antoine to Juliana Fajardini Reichow

Juliana, I proposed a test and a POC fix, but it looks like you know this code better and will propose better tests and a fix, right?

#14

Updated by Jules Lumbergh about 2 months ago

Victor Julien wrote in #note-1:

Thanks for your report. Is the crash always in the same function? If other crashes look different, please add them to the ticket as well.

Hello Victor, thank you for your fast response. This is the first crash we got an asan report from. If we get another, different-looking asan report, I'll add it to the ticket.

#15

Updated by Juliana Fajardini Reichow about 2 months ago

Philippe Antoine wrote in #note-13:

Juliana, I proposed a test and a POC fix, but it looks like you know this code better and will propose better tests and a fix, right?

I can! I had assigned the ticket to you because I saw that you had shared proposed solutions, but I can take it over.

#16

Updated by Philippe Antoine about 2 months ago

  • Subject changed from Suricata crash - asan heap-buffer-overflow to output/verdict : asan heap-buffer-overflow
#17

Updated by Shivani Bhardwaj about 2 months ago

  • Subject changed from output/verdict : asan heap-buffer-overflow to output/alert: heap buffer overflow on verdict
#18

Updated by Philippe Antoine about 2 months ago

  • Disclosure Date set to 10/27/2025
#19

Updated by Victor Julien about 2 months ago

  • Subject changed from output/alert: heap buffer overflow on verdict to eve/alert: heap buffer overflow on verdict
#20

Updated by Juliana Fajardini Reichow about 2 months ago

  • Related to Bug #7630: eve/alert: incorrect verdict with pass + alert rule added
#21

Updated by Juliana Fajardini Reichow about 2 months ago

  • Assignee changed from Juliana Fajardini Reichow to Philippe Antoine

Once again assigning to Philippe, as I think his patch fixes it best.

#22

Updated by Philippe Antoine about 2 months ago

  • Assignee changed from Philippe Antoine to Victor Julien

I am not the one working on the good fix for this ;-p

#23

Updated by Jason Ish about 2 months ago

Severity of MODERATE was chosen as this does not occur with a default configuration. "verdict" in the EVE alert output must be enabled.
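A check that follows from the note above, added here as an example and not part of the ticket or of Suricata itself: the EveAddVerdict path in the ASan trace is only reached when verdict logging is turned on for EVE alerts, which is the `verdict: yes` option under the `alert:` entry of an `eve-log` output's `types:` list in suricata.yaml (commented out in the shipped configuration). The script reads the flat `key = value` listing that `suricata --dump-config` prints and exits 0 only when an enabled eve-log output has that option on. The listings embedded below are constructed for this example, and the dotted key layout (`outputs.N.eve-log.types.M.alert.verdict`) is assumed from the way dump-config numbers list entries.

```shell
#!/bin/sh
# Added example, not code from the ticket or from Suricata: decide from the
# output of `suricata --dump-config` whether EVE alert verdict logging is on,
# i.e. whether this sensor can reach the EveAddVerdict path in the ASan trace.
#
# Assumption: dump-config prints one "dotted.key = value" line per setting and
# numbers list entries, so the keys that matter look like
#   outputs.1.eve-log.enabled = yes
#   outputs.1.eve-log.types.0.alert.verdict = yes

# eve_verdict_enabled: read dump-config lines on stdin; return 0 if any
# enabled eve-log output has alert verdict logging on, 1 otherwise.
eve_verdict_enabled() {
    awk '
        { key = $1; val = tolower($3) }
        key ~ /^outputs\.[0-9]+\.eve-log\.enabled$/ {
            split(key, k, ".")
            if (val == "yes" || val == "true") on[k[2]] = 1
        }
        key ~ /^outputs\.[0-9]+\.eve-log\.types\.[0-9]+\.alert\.verdict$/ {
            split(key, k, ".")
            if (val == "yes" || val == "true") verdict[k[2]] = 1
        }
        END {
            # only count verdict logging on an output that is itself enabled
            for (i in verdict) if (i in on) exit 0
            exit 1
        }
    '
}

# check_listing: same test over a listing passed as a string, so the logic
# can be exercised without a suricata binary.
check_listing() {
    printf '%s\n' "$1" | eve_verdict_enabled
}

# Constructed sample listings for this example.
SAMPLE_VERDICT_ON='outputs.0.fast.enabled = no
outputs.1.eve-log.enabled = yes
outputs.1.eve-log.filename = eve.json
outputs.1.eve-log.types.0.alert.payload = yes
outputs.1.eve-log.types.0.alert.verdict = yes'

SAMPLE_DEFAULT='outputs.0.fast.enabled = no
outputs.1.eve-log.enabled = yes
outputs.1.eve-log.filename = eve.json
outputs.1.eve-log.types.0.alert.payload = yes'

# verdict set only on a disabled eve-log output: that logger never runs
SAMPLE_DISABLED_OUTPUT='outputs.1.eve-log.enabled = no
outputs.1.eve-log.types.0.alert.verdict = yes'

if check_listing "$SAMPLE_VERDICT_ON"; then
    echo "sample 1: alert verdict logging enabled, EveAddVerdict reachable"
fi
if ! check_listing "$SAMPLE_DEFAULT"; then
    echo "sample 2: default configuration, verdict logging off"
fi
# Live host:
#   suricata -c /etc/suricata/suricata.yaml --dump-config | eve_verdict_enabled
```

A hit on a live sensor means it exercises the code path in the trace, so it should pick up the fix from the 7.0.x or 8.0.x backport subtasks, or have verdict logging turned off until it does.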

#25

Updated by Victor Julien about 1 month ago

  • Status changed from In Review to Closed
#26

Updated by Juliana Fajardini Reichow 8 days ago

  • Private changed from Yes to No