Project

General

Profile

Actions

Bug #1467

closed

Specifying an IPv6 entry before an IPv4 entry in host-os-policy causes ASAN heap-buffer-overflow.

Added by Jason Ish over 9 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

By putting an IPv6 entry in before IPv4 entries in the host-os-policy, ASAN will detect a heap-buffer-overflow.

Example: Moves the solaris entry up above linux:

host-os-policy:
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  old-solaris: []
  solaris: ["::1"]
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

Results in:

==14550==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000027dd4 at pc 0x106286b bp 0x7ffdea1ca050 sp 0x7ffdea1ca040
READ of size 1 at 0x602000027dd4 thread T0 (Suricata-Main)
    #0 0x106286a in SCRadixAddKey /home/jason/projects/oisf/suricata/src/util-radix-tree.c:578
    #1 0x1065b92 in SCRadixAddKeyIPV4Netblock /home/jason/projects/oisf/suricata/src/util-radix-tree.c:897
    #2 0xf9a06a in SCHInfoAddHostOSInfo /home/jason/projects/oisf/suricata/src/util-host-os-info.c:198
    #3 0xf9b05e in SCHInfoLoadFromConfig /home/jason/projects/oisf/suricata/src/util-host-os-info.c:347
    #4 0xef477f in PostConfLoadedSetup /home/jason/projects/oisf/suricata/src/suricata.c:2068
    #5 0xef58ad in main /home/jason/projects/oisf/suricata/src/suricata.c:2227
    #6 0x7fa990589fdf in __libc_start_main (/lib64/libc.so.6+0x1ffdf)
    #7 0x407b48 (/home/jason/projects/oisf/bin/suricata+0x407b48)

0x602000027dd4 is located 0 bytes to the right of 4-byte region [0x602000027dd0,0x602000027dd4)
allocated by thread T0 (Suricata-Main) here:
    #0 0x7fa9935277c7 in malloc (/lib64/libasan.so.1+0x577c7)
    #1 0x105eb0c in SCRadixCreatePrefix /home/jason/projects/oisf/suricata/src/util-radix-tree.c:149
    #2 0x1061b8e in SCRadixAddKey /home/jason/projects/oisf/suricata/src/util-radix-tree.c:522
    #3 0x1065b92 in SCRadixAddKeyIPV4Netblock /home/jason/projects/oisf/suricata/src/util-radix-tree.c:897
    #4 0xf9a06a in SCHInfoAddHostOSInfo /home/jason/projects/oisf/suricata/src/util-host-os-info.c:198
    #5 0xf9b05e in SCHInfoLoadFromConfig /home/jason/projects/oisf/suricata/src/util-host-os-info.c:347
    #6 0xef477f in PostConfLoadedSetup /home/jason/projects/oisf/suricata/src/suricata.c:2068
    #7 0xef58ad in main /home/jason/projects/oisf/suricata/src/suricata.c:2227
    #8 0x7fa990589fdf in __libc_start_main (/lib64/libc.so.6+0x1ffdf)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jason/projects/oisf/suricata/src/util-radix-tree.c:578 SCRadixAddKey
Shadow bytes around the buggy address:
  0x0c047fffcf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffcf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffcf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffcf90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffcfa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fffcfb0: fa fa fa fa fa fa fa fa fa fa[04]fa fa fa 04 fa
  0x0c047fffcfc0: fa fa 00 03 fa fa 04 fa fa fa 01 fa fa fa 00 00
  0x0c047fffcfd0: fa fa fd fd fa fa fd fa fa fa 04 fa fa fa fd fa
  0x0c047fffcfe0: fa fa 04 fa fa fa fd fa fa fa fd fd fa fa 04 fa
  0x0c047fffcff0: fa fa fd fd fa fa 04 fa fa fa 02 fa fa fa fd fa
  0x0c047fffd000: fa fa 02 fa fa fa fd fa fa fa fd fa fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==14550==ABORTING

I have a fix in progress but it will require review.

Actions #1

Updated by Jason Ish over 9 years ago

  • Assignee set to Jason Ish
Actions #2

Updated by Jason Ish over 9 years ago

  • Status changed from New to Assigned
Actions #3

Updated by Victor Julien over 9 years ago

  • Target version set to 3.0RC1

This one is fixed, right?

Actions #5

Updated by Victor Julien over 9 years ago

  • Status changed from Assigned to Closed
Actions

Also available in: Atom PDF