
Security #5700

Updated by Jeff Lucovsky about 2 years ago

SCRealloc with a request size of 2940207104 crashes the memory allocator within Suricata (jemalloc). 

 The stack shows that Suricata was processing SMB traffic at the time of the crash. 

 The stack within Suricata (the memory allocator's own frames are omitted): 
 <pre> 
 #17 0x000055b30661018c in SCReallocFunc (ptr=ptr@entry=0x7f3b58400e00, size=size@entry=2940207104) at util-mem.c:44 
         ptrmem = <optimized out> 
         __FUNCTION__ = <removed> 
 #18 0x000055b30662d638 in Grow (sb=0x7f3e435ff8c0) at util-streaming-buffer.c:496 
         grow = 2940207104 
         ptr = <optimized out> 
         diff = <optimized out> 
         new_mem = <optimized out> 
         grow = <optimized out> 
         ptr = <optimized out> 
         diff = <optimized out> 
         new_mem = <optimized out> 
 #19 StreamingBufferAppendNoTrack (sb=0x7f3e435ff8c0, data=0x7f3b55c005b4 <removed>..., data_len=20648) at util-streaming-buffer.c:649 
         rel_offset = <optimized out> 
 #20 0x000055b306608253 in AppendData (data_len=<optimized out>, data=<optimized out>, file=0x7f3e41d10900) at util-file.c:610 
 No locals. 
 #21 FileAppendDataDo (data_len=<optimized out>, data=<optimized out>, ff=0x7f3e41d10900) at util-file.c:701 
         r = <optimized out> 
         r = <optimized out> 
 #22 FileAppendDataDo (data_len=<optimized out>, data=<optimized out>, ff=0x7f3e41d10900) at util-file.c:650 
         r = <optimized out> 
         r = <optimized out> 
 #23 FileAppendDataById (ffc=<optimized out>, track_id=<optimized out>, data=<optimized out>, data_len=<optimized out>) at util-file.c:757 
         r = <optimized out> 
         ff = 0x7f3e41d10900 
 #24 0x000055b3066e0561 in suricata::filecontainer::FileContainer::file_append (self=0x7f3e41ce20f0, track_id=0x7f3e41da8cc8, data=..., is_gap=<optimized out>) at src/filecontainer.rs:77 
         c = 0x0 
 #25 suricata::filetracker::FileTransferTracker::update (self=0x7f3e41da8c70, files=0x7f3e41ce20f0, flags=<optimized out>, data=..., gap_size=0) at src/filetracker.rs:307 
         is_gap = <optimized out> 
         consumed = 0 
 #26 0x000055b30669efcc in suricata::smb::files::filetracker_newchunk (ft=0x7f3e41da8c70, files=0x7f3e41ce20f0, flags=<optimized out>, name=<optimized out>, data=..., chunk_offset=<optimized out>, chunk_size=<optimized out>, is_last=false, xid=<optimized out>) at src/smb/files.rs:90 
         sfcm = 0x6a7f3e9cc0a700 
 #27 suricata::smb::smb2::smb2_write_request_record (state=0x7f3e41ce2000, r=<optimized out>) at src/smb/smb2.rs:314 
         file_id = <optimized out> 
         tdf = <optimized out> 
         tx = <optimized out> 
         files = 0x7f3e41ce20f0 
         flags = <optimized out> 
         set_event_fileoverlap = false 
         file_name = alloc::vec::Vec<u8, alloc::alloc::Global> {buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {ptr: core::ptr::unique::Unique<u8> {pointer: 0x1e40034000011, _marker: core::marker::PhantomData<u8>}, cap: 139904264699933, alloc: alloc::alloc::Global}, len: 16} 
         file_guid = alloc::vec::Vec<u8, alloc::alloc::Global> {buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {ptr: core::ptr::unique::Unique<u8> {pointer: 0x0, _marker: core::marker::PhantomData<u8>}, cap: 139905408674552, alloc: alloc::alloc::Global}, len: 94227395112323} 
         guid_key = suricata::smb::smb::SMBCommonHdr {ssn_id: <optimized out>, tree_id: <optimized out>, rec_type: 1, msg_id: <optimized out>} 
         wr = suricata::smb::smb2_records::Smb2WriteRequestRecord {wr_len: <synthetic pointer>, wr_offset: <optimized out>, guid: &[u8] {data_ptr: <optimized out>, length: <optimized out>}, data: &[u8] {data_ptr: <optimized out>, length: 20648}} 
         max_queue_cnt = <optimized out> 
         max_queue_size = <optimized out> 
 #28 0x000055b30671fea4 in suricata::smb::smb::SMBState::parse_tcp_data_ts_partial (self=0x7f3e41ce2000, input=...) at src/smb/smb.rs:1353 
         smb_record = 0x6a7f3e9cc0a700 
         smb = <optimized out> 
         nbss_part_hdr = <optimized out> 
         output = <optimized out> 
 #29 0x000055b306720587 in suricata::smb::smb::SMBState::parse_tcp_data_ts (self=0x7f3e41ce2000, i=...) at src/smb/smb.rs:1511 
         n = <optimized out> 
         needed = <error reading variable needed (Cannot access memory at address 0x0)> 
         consumed = <optimized out> 
         consumed = <optimized out> 
         cur_i = &[u8] {data_ptr: 0x7f3b55c00540, length: 20764} 
 #30 0x000055b306721782 in suricata::smb::smb::rs_smb_parse_request_tcp (flow=flow@entry=0x7f3e2352a580, state=state@entry=0x7f3e41ce2000, _pstate=_pstate@entry=0x7f3e41d1cd00, input=input@entry=0x7f3b55c00540, input_len=input_len@entry=20764, _data=_data@entry=0x0, flags=4) at src/smb/smb.rs:1901 
         buf = &[u8] {data_ptr: 0x7f3b55c00540, length: 20764} 
 #31 0x000055b3064fe6bc in SMBTCPParseRequest (flags=4 '\004', local_data=0x0, input_len=20764, input=0x7f3b55c00540 "", pstate=0x7f3e41d1cd00, state=0x7f3e41ce2000, f=0x7f3e2352a580) at app-layer-smb.c:46 
         res = {status = 0, consumed = 0, needed = 1} 
         file_flags = <optimized out> 
         res = <optimized out> 
 #32 SMBTCPParseRequest (f=0x7f3e2352a580, state=0x7f3e41ce2000, pstate=0x7f3e41d1cd00, input=0x7f3b55c00540 "", input_len=20764, local_data=0x0, flags=4 '\004') at app-layer-smb.c:33 
         file_flags = <optimized out> 
         res = <optimized out> 
 #33 0x000055b3064fd496 in AppLayerParserParse (tv=tv@entry=0x7f3e9e329580, alp_tctx=0x7f3e41939800, f=f@entry=0x7f3e2352a580, alproto=8, flags=4 '\004', input=input@entry=0x7f3b55c00540 "", input_len=20764) at app-layer-parser.c:1310 
         res = <optimized out> 
         pstate = 0x7f3e41d1cd00 
         p = <optimized out> 
         alstate = 0x7f3e41ce2000 
         p_tx_cnt = 40 
         consumed = 20764 
         direction = 0 
         cur_tx_cnt = <optimized out> 
 #34 0x000055b3064d6d4e in AppLayerHandleTCPData (tv=tv@entry=0x7f3e9e329580, ra_ctx=ra_ctx@entry=0x7f3e437ff040, p=p@entry=0x7f3e4191a600, f=0x7f3e2352a580, ssn=ssn@entry=0x7f3e41cbe240, stream=stream@entry=0x7f3e442faff8, data=0x7f3b55c00540 "", data_len=20764, flags=4 '\004') at app-layer.c:724 
         app_tctx = <optimized out> 
         alproto = <optimized out> 
         r = 0 
         end = <optimized out> 
         direction = 0 
         failure = <optimized out> 
 #35 0x000055b3065e5cd9 in ReassembleUpdateAppLayer (dir=UPDATE_DIR_OPPOSING, p=0x7f3e4191a600, stream=0x7f3e442faff8, ssn=0x7f3e41cbe240, ra_ctx=0x7f3e437ff040, tv=0x7f3e9e329580) at stream-tcp-reassemble.c:1202 
         flags = <optimized out> 
         check_for_gap_ahead = <optimized out> 
         new_app_progress = <optimized out> 
         mydata = 0x7f3b55c00540 "" 
         mydata_len = 20764 
         app_progress = 2883182952 
         gap_ahead = <optimized out> 
         last_was_gap = false 
         app_progress = <optimized out> 
         mydata = <optimized out> 
         mydata_len = <optimized out> 
         gap_ahead = <optimized out> 
         last_was_gap = <optimized out> 
         flags = <optimized out> 
         check_for_gap_ahead = <optimized out> 
         new_app_progress = <optimized out> 
         r = <optimized out> 
         no_progress_update = <optimized out> 
 #36 StreamTcpReassembleAppLayer (tv=tv@entry=0x7f3e9e329580, ra_ctx=ra_ctx@entry=0x7f3e437ff040, ssn=ssn@entry=0x7f3e41cbe240, stream=<optimized out>, stream@entry=0x7f3e41cbe2d8, p=p@entry=0x7f3e4191a600, dir=dir@entry=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1265 
 No locals. 
 #37 0x000055b3065e6ba9 in StreamTcpReassembleHandleSegmentUpdateACK (p=<optimized out>, stream=<optimized out>, ssn=<optimized out>, ra_ctx=<optimized out>, tv=<optimized out>) at stream-tcp-reassemble.c:1834 
 No locals. 
 #38 StreamTcpReassembleHandleSegment (tv=tv@entry=0x7f3e9e329580, ra_ctx=0x7f3e437ff040, ssn=ssn@entry=0x7f3e41cbe240, stream=0x7f3e41cbe250, p=p@entry=0x7f3e4191a600, pq=pq@entry=0x7f3e435ff048) at stream-tcp-reassemble.c:1883 
         opposing_stream = 0x7f3e41cbe2d8 
         reversed_before_ack_handling = <optimized out> 
         reversed_after_ack_handling = <optimized out> 
         dir = UPDATE_DIR_OPPOSING 
 #39 0x000055b3065da252 in HandleEstablishedPacketToClient (pq=<optimized out>, stt=<optimized out>, p=<optimized out>, ssn=<optimized out>, tv=<optimized out>) at stream-tcp.c:2502 
         zerowindowprobe = <optimized out> 
         zerowindowprobe = <optimized out> 
         ack_diff = <optimized out> 
         ack_diff = <optimized out> 
         ack_diff = <optimized out> 
         ack_diff = <optimized out> 
         sacked_size__ = <optimized out> 
 #40 StreamTcpPacketStateEstablished (tv=tv@entry=0x7f3e9e329580, p=p@entry=0x7f3e4191a600, stt=stt@entry=0x7f3e435ff040, ssn=ssn@entry=0x7f3e41cbe240, pq=0x7f3e435ff048) at stream-tcp.c:2735 
 No locals. 
 #41 0x000055b3065dfe31 in StreamTcpStateDispatch (state=<optimized out>, pq=0x7f3e435ff048, ssn=0x7f3e41cbe240, stt=0x7f3e435ff040, p=0x7f3e4191a600, tv=0x7f3e9e329580) at stream-tcp.c:4744 
 No locals. 
 #42 StreamTcpPacket (tv=0x7f3e9e329580, p=p@entry=0x7f3e4191a600, stt=stt@entry=0x7f3e435ff040, pq=0x7f3e4193d030) at stream-tcp.c:4929 
         ssn = 0x7f3e41cbe240 
         error = <optimized out> 
 #43 0x000055b3065e03df in StreamTcp (tv=tv@entry=0x7f3e9e329580, p=p@entry=0x7f3e4191a600, data=0x7f3e435ff040, pq=pq@entry=0x7f3e4193d030) at stream-tcp.c:5270 
         stt = 0x7f3e435ff040 
 #44 0x000055b3065955a0 in FlowWorkerStreamTCPUpdate (timeout=false, detect_thread=0x7f3e41cd0000, p=0x7f3e4191a600, fw=0x7f3e4193d000, tv=0x7f3e9e329580) at flow-worker.c:370 
         x = <optimized out> 
         x = <optimized out> 
 #45 FlowWorker (tv=0x7f3e9e329580, p=0x7f3e4191a600, data=0x7f3e4193d000) at flow-worker.c:535 
         fw = 0x7f3e4193d000 
         detect_thread = 0x7f3e41cd0000 
 #46 0x000055b3065ee9cf in TmThreadsSlotVarRun (tv=tv@entry=0x7f3e9e329580, p=p@entry=0x7f3e4191a600, slot=<optimized out>) at tm-threads.c:127 
         r = <optimized out> 
         s = 0x7f3e9f4a52c0 
 #47 0x000055b3065cccf1 in TmThreadsSlotProcessPkt (p=0x7f3e4191a600, s=<optimized out>, tv=0x7f3e9e329580) at tm-threads.h:195 
         r = <optimized out> 
         r = <optimized out> 
 #48 NapatechPacketLoop (tv=0x7f3e9e329580, data=0x7f3e4191b000, slot=<optimized out>) at source-napatech.c:1070 
         p = 0x7f3e4191a600 
         status = <optimized out> 
         error_buffer = <removed>, '\000' <repeats 11 times>, <removed> 
         pkt_ts = <optimized out> 
         packet_buffer = 0x7f3e78811a00 
         ntv = 0x7f3e4191b000 
         hba_pkt_drops = 0 
         hba_byte_drops = 0 
         numa_node = <optimized out> 
         set_cpu_affinity = 0 
         closer = 0 
         is_autoconfig = 0 
         __FUNCTION__ = <removed> 
         s = <optimized out> 
 #49 0x000055b3065f05f7 in TmThreadsSlotPktAcqLoop (td=0x7f3e9e329580) at tm-threads.c:322 
         tv = 0x7f3e9e329580 
         s = 0x7f3e9f4a5240 
         run = 1 '\001' 
         r = <optimized out> 
         slot = 0x0 
         __FUNCTION__ = <removed> 
 #50 0x00007f3ea1ebb37e in start_thread (arg=0x7f3e442ff640) at pthread_create.c:463 
         ret = <optimized out> 
         pd = 0x7f3e442ff640 
         unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139905408693824, -7709624411948685753, 140730008245022, 0, 140730008245023, 139905408693824, 7745453786463626823, 7745253092130973255}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} 
         not_first_call = 0 
 #51 0x00007f3ea25fcb8f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 
 No locals. 
 </pre>
