Security #8021


eve/alert: heap buffer overflow on verdict

Added by Jules Lumbergh about 2 months ago. Updated 8 days ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Label:
Git IDs:
Severity: MODERATE
Disclosure Date: 10/27/2025

Description

While running Suricata 8.0.1 we have been getting crashes related to memory issues. The system is operating fine for multiple days before crashing with a segfault.

Since we weren't able to reproduce the issue with a test system, we enabled sanitizer support on the target server.

This is the ASan log from the most recent crash:

==3404==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7cd235b9a1dc at pc 0x564b10d7a6f9 bp 0x7b71feb87a50 sp 0x7b71feb87a48
READ of size 1 at 0x7cd235b9a1dc thread T8 (W#03-eth1)
    #0 0x564b10d7a6f8 in EveAddVerdict /src/suricata-8.0.1/src/output-json-alert.c:581:48
    #1 0x564b10d7f0a0 in AlertJson /src/suricata-8.0.1/src/output-json-alert.c:795:13
    #2 0x564b10d7a958 in JsonAlertLogger /src/suricata-8.0.1/src/output-json-alert.c:874:16
    #3 0x564b10db881f in OutputPacketLog /src/suricata-8.0.1/src/output-packet.c:106:13
    #4 0x564b1093aa72 in OutputLoggerLog /src/suricata-8.0.1/src/output.c:809:9
    #5 0x564b108c8c12 in FlowWorker /src/suricata-8.0.1/src/flow-worker.c:673:5
    #6 0x564b1037e977 in TmThreadsSlotVarRun /src/suricata-8.0.1/src/tm-threads.c:137:21
    #7 0x564b10972a6a in TmThreadsSlotProcessPkt /src/suricata-8.0.1/src/./tm-threads.h:202:17
    #8 0x564b1096d287 in AFPReadFromRing /src/suricata-8.0.1/src/source-af-packet.c:935:13
    #9 0x564b10964b09 in ReceiveAFPLoop /src/suricata-8.0.1/src/source-af-packet.c:1421:17
    #10 0x564b103a32b4 in TmThreadsSlotPktAcqLoop /src/suricata-8.0.1/src/tm-threads.c:334:13
    #11 0x564b10327b0b in asan_thread_start(void*) /src/compiler-rt-21.1.4.src/lib/asan/asan_interceptors.cpp:239:28
    #12 0x7f722ad9972b in start_thread pthread_create.c
    #13 0x7f722ae02627 in __GI___clone3 (/lib64/libc.so.6+0xef627)

0x7cd235b9a1dc is located 4 bytes after 600-byte region [0x7cd235b99f80,0x7cd235b9a1d8)
allocated by thread T8 (W#03-eth1) here:
    #0 0x564b1032ca09 in calloc /src/compiler-rt-21.1.4.src/lib/asan/asan_malloc_linux.cpp:74:3
    #1 0x564b103fbc1d in SCCallocFunc /src/suricata-8.0.1/src/util-mem.c:60:20
    #2 0x564b109435f8 in PacketInit /src/suricata-8.0.1/src/packet.c:66:24
    #3 0x564b10558173 in PacketGetFromAlloc /src/suricata-8.0.1/src/decode.c:264:5
    #4 0x564b103af584 in PacketPoolInit /src/suricata-8.0.1/src/tmqh-packetpool.c:254:21
    #5 0x564b103a4807 in TmThreadsSlotPktAcqLoopInit /src/suricata-8.0.1/src/tm-threads.c:217:5
    #6 0x564b103a31db in TmThreadsSlotPktAcqLoop /src/suricata-8.0.1/src/tm-threads.c:327:10
    #7 0x564b10327b0b in asan_thread_start(void*) /src/compiler-rt-21.1.4.src/lib/asan/asan_interceptors.cpp:239:28

Thread T8 (W#03-eth1) created by T0 (Suricata-Main) here:
    #0 0x564b1030efc1 in pthread_create /src/compiler-rt-21.1.4.src/lib/asan/asan_interceptors.cpp:250:3
    #1 0x564b10394ca1 in TmThreadSpawn /src/suricata-8.0.1/src/tm-threads.c:1745:14
    #2 0x564b10e1ba0d in RunModeSetLiveCaptureWorkersForDevice /src/suricata-8.0.1/src/util-runmodes.c:322:13
    #3 0x564b10e1b4e6 in RunModeSetLiveCaptureWorkers /src/suricata-8.0.1/src/util-runmodes.c:347:9
    #4 0x564b10dbf313 in RunModeIdsAFPWorkers /src/suricata-8.0.1/src/runmode-af-packet.c:877:11
    #5 0x564b10956dc2 in RunModeDispatch /src/suricata-8.0.1/src/runmodes.c:442:5
    #6 0x564b1037a10f in SuricataInit /src/suricata-8.0.1/src/suricata.c:3091:5
    #7 0x564b1036e83d in main /src/suricata-8.0.1/src/main.c:57:5
    #8 0x7f722ad3b63e in __libc_start_call_main libc-start.c
    #9 0x7f722ad3b6eb in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x286eb)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/suricata-8.0.1/src/output-json-alert.c:581:48 in EveAddVerdict
Shadow bytes around the buggy address:
  0x7cd235b99f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7cd235b99f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7cd235b9a000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7cd235b9a080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7cd235b9a100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7cd235b9a180: 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x7cd235b9a200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7cd235b9a280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7cd235b9a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7cd235b9a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7cd235b9a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3404==ABORTING
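As an added triage example (not part of this report and not Suricata code), the script below parses the ASan output quoted above, recomputes the out-of-bounds distance from the raw addresses instead of trusting the "N bytes after" sentence, and picks the first frame of each stack that lies in the project tree so the faulting line and the allocation site can be read off without wading through sanitizer and libc frames. The sample input is the report above trimmed to the lines the parser needs; the `/src/suricata-` path prefix and the `util-mem.c` allocator-wrapper filter are assumptions about the build tree visible in this log, and the regexes match the wording of this ASan version.

```python
import re

# Constructed sample input: the ASan report quoted in this issue, trimmed to the
# header, the faulting stack, the region line, the allocation stack and the
# thread-creation section (kept so the parser has to stop at the right place).
SAMPLE_REPORT = """\
==3404==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7cd235b9a1dc at pc 0x564b10d7a6f9 bp 0x7b71feb87a50 sp 0x7b71feb87a48
READ of size 1 at 0x7cd235b9a1dc thread T8 (W#03-eth1)
    #0 0x564b10d7a6f8 in EveAddVerdict /src/suricata-8.0.1/src/output-json-alert.c:581:48
    #1 0x564b10d7f0a0 in AlertJson /src/suricata-8.0.1/src/output-json-alert.c:795:13
    #2 0x564b10d7a958 in JsonAlertLogger /src/suricata-8.0.1/src/output-json-alert.c:874:16

0x7cd235b9a1dc is located 4 bytes after 600-byte region [0x7cd235b99f80,0x7cd235b9a1d8)
allocated by thread T8 (W#03-eth1) here:
    #0 0x564b1032ca09 in calloc /src/compiler-rt-21.1.4.src/lib/asan/asan_malloc_linux.cpp:74:3
    #1 0x564b103fbc1d in SCCallocFunc /src/suricata-8.0.1/src/util-mem.c:60:20
    #2 0x564b109435f8 in PacketInit /src/suricata-8.0.1/src/packet.c:66:24

Thread T8 (W#03-eth1) created by T0 (Suricata-Main) here:
    #0 0x564b1030efc1 in pthread_create /src/compiler-rt-21.1.4.src/lib/asan/asan_interceptors.cpp:250:3
    #1 0x564b10394ca1 in TmThreadSpawn /src/suricata-8.0.1/src/tm-threads.c:1745:14

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/suricata-8.0.1/src/output-json-alert.c:581:48 in EveAddVerdict
"""

HEADER_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x(?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread (?P<thread>T\d+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>.*)$")
REGION_RE = re.compile(
    r"^0x[0-9a-f]+ is located (?P<dist>\d+) bytes (?P<rel>after|before|inside)(?: of)? "
    r"(?P<size>\d+)-byte region \[0x(?P<start>[0-9a-f]+),0x(?P<end>[0-9a-f]+)\)"
)
LOC_RE = re.compile(r"^(?P<path>[^\s:]+):(?P<line>\d+)(?::\d+)?$")  # path:line[:col]


def parse_asan_report(text):
    """Extract the fault header, the access, the region line and both heap stacks."""
    rep = {"fault_stack": [], "alloc_stack": []}
    current = None  # which stack the frame lines currently being read belong to
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            rep["kind"], rep["fault_addr"] = m["kind"], int(m["addr"], 16)
        elif m := ACCESS_RE.match(line):
            rep["op"], rep["size"], rep["thread"] = m["op"], int(m["size"]), m["thread"]
            current = "fault_stack"
        elif m := REGION_RE.match(line):
            rep["region"] = {"claimed_dist": int(m["dist"]), "relation": m["rel"],
                             "size": int(m["size"]), "start": int(m["start"], 16),
                             "end": int(m["end"], 16)}
        elif line.startswith("allocated by"):
            current = "alloc_stack"
        elif line.startswith(("Thread ", "SUMMARY:")):
            current = None  # thread-creation and summary sections are not heap stacks
        elif (m := FRAME_RE.match(line)) and current:
            loc = LOC_RE.match(m["loc"])  # frames without file:line keep the raw text
            path, lineno = (loc["path"], int(loc["line"])) if loc else (m["loc"], None)
            rep[current].append((m["func"], path, lineno))
    return rep


def recompute_distance(rep):
    """Bytes past the region end (>0), before its start (<0) or 0 if inside,
    derived from the raw addresses rather than from the sentence ASan printed."""
    addr, r = rep["fault_addr"], rep["region"]
    if addr >= r["end"]:
        return addr - r["end"]
    return addr - r["start"] if addr < r["start"] else 0


def first_project_frame(frames, tree, skip=()):
    """First frame under the project source tree, ignoring sanitizer/libc frames
    and any file names in `skip` (used to step over an allocator wrapper)."""
    for func, path, lineno in frames:
        if path.startswith(tree) and not any(s in path for s in skip):
            return func, path, lineno
    return None


def triage(text, tree="/src/suricata-", alloc_wrappers=("util-mem.c",)):
    """Summarise a report into the fields worth pasting into a ticket.
    `tree` and `alloc_wrappers` are assumptions about this build: sources under
    /src/suricata-*, allocations routed through the util-mem.c wrappers."""
    rep = parse_asan_report(text)
    dist = recompute_distance(rep)
    expected_rel = "after" if dist > 0 else "before" if dist < 0 else "inside"
    return {
        "kind": rep["kind"],
        "access": f"{rep['op']} of {rep['size']} byte(s) in thread {rep['thread']}",
        "object_size": rep["region"]["size"],
        "offset_from_object_start": rep["fault_addr"] - rep["region"]["start"],
        "bytes_past_end": dist,
        # sanity check: the sentence ASan printed agrees with its own addresses
        "report_consistent": dist == rep["region"]["claimed_dist"]
        and rep["region"]["relation"] == expected_rel,
        "fault_site": first_project_frame(rep["fault_stack"], tree),
        "alloc_site": first_project_frame(rep["alloc_stack"], tree, alloc_wrappers),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On this report the script confirms what the log already says: a one-byte read at offset 604 of a 600-byte object, i.e. 4 bytes past the end of the Packet that PacketInit calloc'd, performed from EveAddVerdict at output-json-alert.c:581. Recomputing the distance is worthwhile when reports are copied between tickets or edited by hand, since the sentence and the addresses can drift apart.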


Subtasks (2: 0 open, 2 closed)

Security #8022: eve/alert: heap buffer overflow on verdict (8.0.x backport) | Closed | Juliana Fajardini Reichow
Security #8029: eve/alert: heap buffer overflow on verdict (7.0.x backport) | Closed | Juliana Fajardini Reichow

Related issues (2: 1 open, 1 closed)

Related to Suricata - Optimization #5180: detect/alert: make sure that signatures with `drop` action are respected, even if the alert is discarded | In Progress | Juliana Fajardini Reichow
Related to Suricata - Bug #7630: eve/alert: incorrect verdict with pass + alert rule | Closed | Juliana Fajardini Reichow