Bug #3226 (closed)
ftp: ASAN error
Description
AddressSanitizer:DEADLYSIGNAL
=================================================================
==13109==ERROR: AddressSanitizer: SEGV on unknown address 0x60210149c62f (pc 0x000000631fc6 bp 0x7fe6582825f0 sp 0x7fe6582820e0 T56)
==13109==The signal is caused by a WRITE memory access.
    #0 0x631fc5 in FTPParseRequest /home/victor/dev/suricata/src/app-layer-ftp.c
    #1 0x676f2b in AppLayerParserParse /home/victor/dev/suricata/src/app-layer-parser.c:1225:13
    #2 0x531993 in AppLayerHandleTCPData /home/victor/dev/suricata/src/app-layer.c:660:17
    #3 0xd18545 in ReassembleUpdateAppLayer /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1066:11
    #4 0xd17140 in StreamTcpReassembleAppLayer /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1123:12
    #5 0xd1df1a in StreamTcpReassembleHandleSegmentUpdateACK /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1689:9
    #6 0xd1dbd7 in StreamTcpReassembleHandleSegment /home/victor/dev/suricata/src/stream-tcp-reassemble.c:1732:9
    #7 0xcf3970 in HandleEstablishedPacketToClient /home/victor/dev/suricata/src/stream-tcp.c:2408:9
    #8 0xcb5bb2 in StreamTcpPacketStateEstablished /home/victor/dev/suricata/src/stream-tcp.c:2645:13
    #9 0xc9396c in StreamTcpStateDispatch /home/victor/dev/suricata/src/stream-tcp.c:4650:17
    #10 0xc8a300 in StreamTcpPacket /home/victor/dev/suricata/src/stream-tcp.c:4838:13
    #11 0xc94a09 in StreamTcp /home/victor/dev/suricata/src/stream-tcp.c:5174:11
    #12 0xa7e0de in FlowWorker /home/victor/dev/suricata/src/flow-worker.c:233:9
    #13 0xd5ef38 in TmThreadsSlotVarRun /home/victor/dev/suricata/src/tm-threads.c:128:17
    #14 0xd70548 in TmThreadsSlotVar /home/victor/dev/suricata/src/tm-threads.c:585:17
    #15 0x7fe68ad446da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
AddressSanitizer:DEADLYSIGNAL
    #16 0x7fe68886988e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/victor/dev/suricata/src/app-layer-ftp.c in FTPParseRequest
Thread T56 (W#55) created by T0 (Suricata-Main) here:
    #0 0x4b3f9d in pthread_create (/home/victor/dev/suricata/src/suricata+0x4b3f9d)
    #1 0xd6c1b2 in TmThreadSpawn /home/victor/dev/suricata/src/tm-threads.c:1868:14
    #2 0xc0d989 in RunModeFilePcapAutoFp /home/victor/dev/suricata/src/runmode-pcap-file.c:252:13
    #3 0xc243eb in RunModeDispatch /home/victor/dev/suricata/src/runmodes.c:377:5
    #4 0xd2e861 in main /home/victor/dev/suricata/src/suricata.c:3034:5
    #5 0x7fe688769b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

==13109==ABORTING
This is with a very large pcap, so I will see if I can somehow isolate it. Please see if you can find an issue based on the above bt.
Updated by Victor Julien about 5 years ago
Possibly related: disk was full when this happened.
Updated by Victor Julien about 5 years ago
Thread 14 "W#12" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffdb757700 (LWP 31841)]
0x0000000000631fc6 in FTPParseRequest (f=0x6130042cc940, ftp_state=0x60c00278ddc0, pstate=0x604001d9be90, input=0x61d00300b728 "RETR\r\n", input_len=6, local_data=0x6020007a7b10, flags=4 '\004') at app-layer-ftp.c:641
641	    data->file_name[state->current_line_len - 5] = 0;
(gdb) bt
#0  0x0000000000631fc6 in FTPParseRequest (f=0x6130042cc940, ftp_state=0x60c00278ddc0, pstate=0x604001d9be90, input=0x61d00300b728 "RETR\r\n", input_len=6, local_data=0x6020007a7b10, flags=4 '\004') at app-layer-ftp.c:641
#1  0x0000000000676f2c in AppLayerParserParse (tv=0x612000da4040, alp_tctx=0x61a000fb6a80, f=0x6130042cc940, alproto=2, flags=4 '\004', input=0x61d00300b728 "RETR\r\n", input_len=6) at app-layer-parser.c:1225
#2  0x0000000000531994 in AppLayerHandleTCPData (tv=0x612000da4040, ra_ctx=0x6030026d5350, p=0x61e01a08ec80, f=0x6130042cc940, ssn=0x612001360840, stream=0x7fffdb753e60, data=0x61d00300b728 "RETR\r\n", data_len=6, flags=4 '\004') at app-layer.c:660
#3  0x0000000000d18546 in ReassembleUpdateAppLayer (tv=0x612000da4040, ra_ctx=0x6030026d5350, ssn=0x612001360840, stream=0x7fffdb753e60, p=0x61e01a08ec80, dir=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1066
#4  0x0000000000d17141 in StreamTcpReassembleAppLayer (tv=0x612000da4040, ra_ctx=0x6030026d5350, ssn=0x612001360840, stream=0x6120013608d0, p=0x61e01a08ec80, dir=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1123
#5  0x0000000000d1df1b in StreamTcpReassembleHandleSegmentUpdateACK (tv=0x612000da4040, ra_ctx=0x6030026d5350, ssn=0x612001360840, stream=0x6120013608d0, p=0x61e01a08ec80) at stream-tcp-reassemble.c:1689
#6  0x0000000000d1dbd8 in StreamTcpReassembleHandleSegment (tv=0x612000da4040, ra_ctx=0x6030026d5350, ssn=0x612001360840, stream=0x612001360850, p=0x61e01a08ec80, pq=0x60e0017d2fc8) at stream-tcp-reassemble.c:1732
#7  0x0000000000cf3971 in HandleEstablishedPacketToClient (tv=0x612000da4040, ssn=0x612001360840, p=0x61e01a08ec80, stt=0x60e0017d2fc0, pq=0x60e0017d2fc8) at stream-tcp.c:2408
#8  0x0000000000cb5bb3 in StreamTcpPacketStateEstablished (tv=0x612000da4040, p=0x61e01a08ec80, stt=0x60e0017d2fc0, ssn=0x612001360840, pq=0x60e0017d2fc8) at stream-tcp.c:2645
#9  0x0000000000c9396d in StreamTcpStateDispatch (tv=0x612000da4040, p=0x61e01a08ec80, stt=0x60e0017d2fc0, ssn=0x612001360840, pq=0x60e0017d2fc8, state=4 '\004') at stream-tcp.c:4650
#10 0x0000000000c8a301 in StreamTcpPacket (tv=0x612000da4040, p=0x61e01a08ec80, stt=0x60e0017d2fc0, pq=0x60e0016fc668) at stream-tcp.c:4838
#11 0x0000000000c94a0a in StreamTcp (tv=0x612000da4040, p=0x61e01a08ec80, data=0x60e0017d2fc0, pq=0x60e0016fc668, postpq=0x0) at stream-tcp.c:5174
#12 0x0000000000a7e0df in FlowWorker (tv=0x612000da4040, p=0x61e01a08ec80, data=0x60e0016fc640, preq=0x612001017980, unused=0x6120010179f0) at flow-worker.c:233
#13 0x0000000000d5ef39 in TmThreadsSlotVarRun (tv=0x612000da4040, p=0x61e01a08ec80, slot=0x612001017940) at tm-threads.c:128
#14 0x0000000000d70549 in TmThreadsSlotVar (td=0x612000da4040) at tm-threads.c:585
#15 0x00007ffff69836db in start_thread (arg=0x7fffdb757700) at pthread_create.c:463
#16 0x00007ffff44a888f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb) print data->file_name
$1 = (uint8_t *) 0x602001205170 "\247\002"
(gdb) print state->current_line_len
$2 = 4
(gdb)
Updated by Jeff Lucovsky about 5 years ago
This also occurred while fuzzing:
==11==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000150 (pc 0x00000056158f bp 0x7fff505a1260 sp 0x7fff505a1210 T11)
==11==The signal is caused by a READ memory access.
==11==Hint: address points to the zero page.
    #0 0x56158e in FTPDataParse /src/suricata/src/app-layer-ftp.c
    #1 0x59426b in AppLayerParserParse /src/suricata/src/app-layer-parser.c:1225:13
    #2 0x4c7632 in LLVMFuzzerTestOneInput /src/suricata/src/tests/fuzz/fuzz_applayerparserparse.c:122:16
    #3 0x456561 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #4 0x455c85 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #5 0x458027 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #6 0x458db5 in fuzzer::Fuzzer::Loop(std::Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:830:5
    #7 0x446f38 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:824:6
    #8 0x470fb2 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #9 0x7f625460582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x41a538 in _start (/out/fuzz_applayerparserparse+0x41a538)
Updated by Jeff Lucovsky about 5 years ago
This occurs because the code presumes there are at least 6 characters in state->current_line (exclusive of the trailing \r\n):
https://github.com/OISF/suricata/blob/master/src/app-layer-ftp.c#L641:L642
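The length arithmetic behind the crash, and a bounds-checked way to extract the RETR argument, as an added illustration that is not Suricata's code (names such as line_body_len and retr_file_name are hypothetical; the command match is simplified to exact case):

```c
/* Added example, not from the Suricata tree: reproduces the index
 * computation from the report next to a checked extraction of the
 * RETR file name. All function names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Length of the command line without its trailing CRLF, i.e. what the
 * report calls current_line_len (4 for the constructed input "RETR\r\n"). */
static size_t line_body_len(const uint8_t *line, size_t len)
{
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;
    return len;
}

/* The report's arithmetic, current_line_len - 5, done in size_t: for a
 * bare "RETR" line this is 4 - 5, which wraps to SIZE_MAX, so the
 * terminator store lands far outside file_name. */
size_t unchecked_terminator_index(size_t current_line_len)
{
    return current_line_len - 5;
}

/* Hardened version: returns a NUL-terminated copy of the RETR argument,
 * or NULL unless the line is "RETR " followed by at least one byte.
 * The caller frees the result. */
char *retr_file_name(const uint8_t *line, size_t len)
{
    size_t body = line_body_len(line, len);
    /* "RETR" (4) + space (1) + at least one name byte = 6 minimum. */
    if (body < 6 || memcmp(line, "RETR ", 5) != 0)
        return NULL;
    size_t name_len = body - 5;
    char *name = malloc(name_len + 1);
    if (name == NULL)
        return NULL;
    memcpy(name, line + 5, name_len);
    name[name_len] = '\0';   /* terminator is inside the allocation */
    return name;
}

/* Helper for checks: 1 if the extracted name equals expected, else 0. */
int retr_name_equals(const uint8_t *line, size_t len, const char *expected)
{
    char *name = retr_file_name(line, len);
    int ok = (name != NULL) && strcmp(name, expected) == 0;
    free(name);
    return ok;
}
```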
Updated by Victor Julien about 5 years ago
- Status changed from Assigned to Closed
- Priority changed from High to Normal
Updated by Victor Julien about 5 years ago
- Copied to Bug #3272: ftp: ASAN error (4.1.x) added