Project

General

Profile

Bug #6903

Updated by Victor Julien 8 months ago

<pre><code class="c"> 
 #define DATA_FITS(sb, len) ((sb)->region.buf_offset + (len) <= (sb)->region.buf_size) 

 int StreamingBufferAppend(StreamingBuffer *sb, const StreamingBufferConfig *cfg, 
         StreamingBufferSegment *seg, const uint8_t *data, uint32_t data_len) 
 { 
     DEBUG_VALIDATE_BUG_ON(seg == NULL); 
 
     if (sb->region.buf == NULL) { 
         if (InitBuffer(sb, cfg) == -1) 
             return -1; 
     } 

 [1]    if (!DATA_FITS(sb, data_len)) { 
         if (sb->region.buf_size == 0) { 
             if (GrowToSize(sb, cfg, data_len) != SC_OK) 
                 return -1; 
         } else { 
             if (GrowToSize(sb, cfg, sb->region.buf_offset + data_len) != SC_OK) 
                 return -1; 
         } 
     } 

     DEBUG_VALIDATE_BUG_ON(!DATA_FITS(sb, data_len)); 

 [2]    memcpy(sb->region.buf + sb->region.buf_offset, data, data_len); 
 </code></pre> 
 1 - DATA_FITS() macro is vulnerable to integer overflow 
 2 - it will lead to heap overflow on this line 

 How to verify: 

 1) get source code 
 2) apply this patch: 

 <pre><code class="diff"> <pre> 
 --- current/src/util-streaming-buffer.c 2020-01-15 20:13:36.257117891 +0300 
 +++ suricata/src/util-streaming-buffer.c          2020-01-15 20:40:20.353179670 +0300 
 @@ -1836,7 +1836,14 @@ 
      StreamingBufferSegment seg1; 
      FAIL_IF(StreamingBufferAppend(sb, &cfg, &seg1, (const uint8_t *)"ABCDEFGH", 8) != 0); 
 +        
      StreamingBufferSegment seg2; 
 +      unsigned int data_len = 0xffffffff; 
 +      unsigned char *ptr = malloc(data_len); 
 +      FAIL_IF(StreamingBufferAppend(sb, &cfg, &seg2, ptr, data_len) != 0); 
 + 
 +      return 0; 
 +    
      FAIL_IF(StreamingBufferAppend(sb, &cfg, &seg2, (const uint8_t *)"01234567", 8) != 0); 
      FAIL_IF(sb->region.stream_offset != 0); 
      FAIL_IF(sb->region.buf_offset != 16); 
 </code></pre> 

 </pre> 

 

 3) build as in previous issue 

 4) run unittest: 

 $ ./src/suricata -U StreamingBufferTest02 -u 

 ASAN LOG: 
 <pre> 
 ==77575==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000261b8 at pc 0x7f491f83a2c3 bp 0x7ffee377c170 sp 0x7ffee377b918 
 WRITE of size 4294967295 at 0x6030000261b8 thread T0 (Suricata-Main) 
     #0 0x7f491f83a2c2 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 
     #1 0x5568fa174e86 in StreamingBufferAppend suricata/src/util-streaming-buffer.c:1090 
     #2 0x5568fa17943a in StreamingBufferTest02 suricata/src/util-streaming-buffer.c:1843 
     #3 0x5568f97e922c in UtRunTests suricata/src/util-unittest.c:212 
     #4 0x5568f9faeffb in RunUnittests suricata/src/runmode-unittests.c:286 
     #5 0x5568f9745460 in StartInternalRunMode suricata/src/suricata.c:2335 
     #6 0x5568f9747fc6 in SuricataMain suricata/src/suricata.c:2901 
     #7 0x5568f97388eb in main suricata/src/main.c:22 
     #8 0x7f491f229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 
     #9 0x7f491f229e3f in __libc_start_main_impl ../csu/libc-start.c:392 
 </pre>

Back