Bug #2154 (Closed)
Dynamic stack overflow in payload printable output
Description
When running Suricata with an ASAN build against a pcap, with payload-printable activated in the alert output, I got the following crash:
ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-3.8/bin/llvm-symbolizer ~/builds/suricata/bin/suricata -r qa/docker/pcaps/sandnet.pcap -l /tmp/ -c ~/builds/suricata/etc/suricata/suricata.yaml
[1174] 22/6/2017 -- 12:14:08 - (suricata.c:1109) <Notice> (LogVersion) -- This is Suricata version 4.0.0-dev (rev 3.2.1-SN)
[1174] 22/6/2017 -- 12:14:15 - (util-file.c:165) <Warning> (FileForceHashParseCfg) -- [ERRCODE: SC_ERR_DEPRECATED_CONF(274)] - deprecated 'force-md5' option found. Please use 'force-hash: [md5]' instead
[1174] 22/6/2017 -- 12:14:15 - (tm-threads.c:2178) <Notice> (TmThreadWaitOnThreadInit) -- all 13 packet processing threads, 4 management threads initialized, engine started.
=================================================================
==1174==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7f46518ab341 at pc 0x00000043e083 bp 0x7f46518ab300 sp 0x7f46518aaab0
READ of size 7 at 0x7f46518ab341 thread T11 (W#10)
    #0 0x43e082 in __interceptor_strlen.part.45 (/home/eric/builds/suricata/bin/suricata+0x43e082)
    #1 0x7f4670a4d14d in json_string (/usr/lib/x86_64-linux-gnu/libjansson.so.4+0x814d)
    #2 0xa0bdf1 in AlertJson /home/eric/git/oisf/src/output-json-alert.c:460:41
    #3 0xa0750f in JsonAlertLogger /home/eric/git/oisf/src/output-json-alert.c:617:16
    #4 0xa768ed in OutputPacketLog /home/eric/git/oisf/src/output-packet.c:115:13
    #5 0x9f9bcd in OutputLoggerLog /home/eric/git/oisf/src/output.c:914:13
    #6 0x96f212 in FlowWorker /home/eric/git/oisf/src/flow-worker.c:262:5
    #7 0xbaf6a2 in TmThreadsSlotVarRun /home/eric/git/oisf/src/tm-threads.c:128:17
    #8 0xbbf0f8 in TmThreadsSlotVar /home/eric/git/oisf/src/tm-threads.c:585:17
    #9 0x7f467082f493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #10 0x7f466ee88a8e in clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8a8e)

Address 0x7f46518ab341 is located in stack of thread T11 (W#10)
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow (/home/eric/builds/suricata/bin/suricata+0x43e082) in __interceptor_strlen.part.45
Shadow bytes around the buggy address:
  0x0fe94a30d610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe94a30d620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe94a30d630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe94a30d640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe94a30d650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe94a30d660: 00 00 00 00 ca ca ca ca[01]cb cb cb cb cb cb cb
  0x0fe94a30d670: f1 f1 f1 f1 00 f2 f2 f2 04 f2 00 f2 f2 f2 04 f2
  0x0fe94a30d680: 00 00 00 00 00 06 f3 f3 f3 f3 f3 f3 00 00 00 00
  0x0fe94a30d690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe94a30d6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe94a30d6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Thread T11 (W#10) created by T0 (Suricata-Main) here:
    #0 0x432de9 in __interceptor_pthread_create (/home/eric/builds/suricata/bin/suricata+0x432de9)
    #1 0xbbb4e5 in TmThreadSpawn /home/eric/git/oisf/src/tm-threads.c:1903:14
    #2 0xab3e98 in RunModeFilePcapAutoFp /home/eric/git/oisf/src/runmode-pcap-file.c:253:13
    #3 0xac3b5c in RunModeDispatch /home/eric/git/oisf/src/runmodes.c:384:5
    #4 0xb87e51 in main /home/eric/git/oisf/src/suricata.c:2882:5
    #5 0x7f466edc02b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
==1174==ABORTING
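Reading the trace: the faulting read is strlen() called from json_string(), i.e. jansson walking a C string that AlertJson handed it, and the shadow map puts the address in a partially addressable granule (01) directly before a right alloca redzone (cb). That is the signature of a variable-length stack buffer that was filled with the printable form of the payload but not NUL-terminated within its own bounds, so the consumer's strlen() runs into the redzone. The C below is an added illustration of that bug class and of the shape of a fix; it is not Suricata's code and not the actual patch for this ticket, and every function name and the sample payload are hypothetical, constructed for the example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the bug class in this report (illustration only,
 * not Suricata's code): a packet payload is rendered into a printable string
 * held in a variable-length stack array and then passed to a consumer that
 * expects a NUL-terminated C string, the way json_string() calls strlen(). */

/* Vulnerable shape: out has exactly len bytes and is never terminated, so
 * the consumer's strlen() walks off the end of the alloca'd array. Under
 * ASAN that is a "dynamic-stack-buffer-overflow ... READ"; without ASAN it
 * is silent undefined behaviour. Kept for comparison, never called here. */
static void payload_printable_unterminated(const uint8_t *payload, size_t len,
                                           char out[/* len */])
{
    for (size_t i = 0; i < len; i++)
        out[i] = isprint(payload[i]) ? (char)payload[i] : '.';
    /* no room for, and no write of, the terminating '\0' */
}

/* Hardened shape: the caller passes out_size, the function refuses to write
 * when the terminator would not fit, and the result is always a valid C
 * string. Returns the number of characters written (excluding the
 * terminator), or -1 when out_size < len + 1. */
static int payload_printable(const uint8_t *payload, size_t len,
                             char *out, size_t out_size)
{
    if (out_size == 0 || len > out_size - 1)
        return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = isprint(payload[i]) ? (char)payload[i] : '.';
    out[len] = '\0';
    return (int)len;
}

/* Mimics the logger's call pattern: build the printable form in a VLA sized
 * len + 1 (not len), then hand it to a strlen()-based consumer. The string
 * is copied into dst so the caller can inspect it after the VLA is gone.
 * Returns the length the consumer observed via strlen(), or -1 on error. */
static int log_payload_printable(const uint8_t *payload, size_t len,
                                 char *dst, size_t dst_size)
{
    char printable[len + 1];                 /* room for the terminator */
    if (payload_printable(payload, len, printable, sizeof(printable)) < 0)
        return -1;
    size_t seen = strlen(printable);         /* what json_string() does */
    if (seen + 1 > dst_size)
        return -1;
    memcpy(dst, printable, seen + 1);
    return (int)seen;
}

int main(void)
{
    /* Constructed sample payload: text with embedded non-printable bytes. */
    const uint8_t payload[] = { 'G', 'E', 'T', ' ', '/', 0x00, 0x01, 0xff, 'H', 'i' };
    char dst[64];
    int n = log_payload_printable(payload, sizeof(payload), dst, sizeof(dst));
    printf("printable (%d chars): %s\n", n, dst);
    (void)payload_printable_unterminated;    /* shown for comparison only */
    return n == (int)sizeof(payload) ? 0 : 1;
}
```

The two things the hardened version enforces are exactly what the shadow map says were missing: the array is one byte longer than the payload, and the terminator is written inside it. An alternative that removes the strlen() entirely is to pass an explicit length to the JSON layer; jansson 2.7 and later provide json_stringn(value, len) for that, which also keeps payloads containing a literal 0x00 from being truncated.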
Updated by Victor Julien over 7 years ago
- Status changed from New to Closed
- Assignee set to Eric Leblond
- Target version set to 4.0rc1