Bug #5016

closed

pgsql: fix possible unsigned integer overflow

Added by Juliana Fajardini Reichow almost 3 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

In parser::pgsql_parse_response, the call to take(pseudo_header.1 + 1) may cause an integer overflow: pseudo_header.1 is a u32 read straight from the message (be_u32), so a length field of u32::MAX makes the addition overflow.

let (i, pseudo_header) = peek(tuple((be_u8, be_u32)))(i)?;
  let (i, message) = map_parser(
    take(pseudo_header.1 + 1),

(Fixing this isn't trivial, due to how the underlying nom parsers currently work.)

Actions #1

Updated by Philippe Antoine almost 3 years ago

Some more info from fuzzing

thread '<unnamed>' panicked at 'attempt to add with overflow', src/pgsql/parser.rs:1115:33
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
fatal runtime error: failed to initiate panic, error 5
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1894==ERROR: AddressSanitizer: ABRT on unknown address 0x000000000766 (pc 0x7fc0ca90018b bp 0x000000000001 sp 0x7ffe6904d180 T0)
SCARINESS: 10 (signal)
    #0 0x7fc0ca90018b in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4618b)
    #1 0x7fc0ca8df858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x25858)
    #2 0x2bc2066 in std::sys::unix::abort_internal::h7127d741bc006c5f /rustc/bd3cb52565faab2755ff1bdb54d88bc91f47b4b9/library/std/src/sys/unix/mod.rs:259:14
    #3 0x2bb67cf in rust_panic /rustc/bd3cb52565faab2755ff1bdb54d88bc91f47b4b9/library/std/src/panicking.rs:735:5
    #4 0x2bb6559 in std::panicking::rust_panic_with_hook::hd156dff710da39af /rustc/bd3cb52565faab2755ff1bdb54d88bc91f47b4b9/library/std/src/panicking.rs:703:5
    #5 0x2bb60b1 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hf8e6e87872422eb2 /rustc/bd3cb52565faab2755ff1bdb54d88bc91f47b4b9/library/std/src/panicking.rs:579:13
    #6 0x2bb1943 in std::sys_common::backtrace::__rust_end_short_backtrace::h1dca537b9cc9d050 /rustc/bd3cb52565faab2755ff1bdb54d88bc91f47b4b9/library/std/src/sys_common/backtrace.rs:139:18
    #7 0x2bb5e18 in rust_begin_unwind /rustc/bd3cb52565faab2755ff1bdb54d88bc91f47b4b9/library/std/src/panicking.rs:577:5
    #8 0x53c0c0 in core::panicking::panic_fmt::h1734b56c73d3bf02 /rustc/bd3cb52565faab2755ff1bdb54d88bc91f47b4b9/library/core/src/panicking.rs:110:14
    #9 0x53c00c in core::panicking::panic::h382af5c6fcd0fc86 /rustc/bd3cb52565faab2755ff1bdb54d88bc91f47b4b9/library/core/src/panicking.rs:48:5
    #10 0x1674b87 in suricata::pgsql::parser::pgsql_parse_response::_$u7b$$u7b$closure$u7d$$u7d$::h61b20f2f9e374274 /src/suricata/rust/src/pgsql/parser.rs:1115:33
    #11 0x1674b87 in nom::combinator::map_parser::_$u7b$$u7b$closure$u7d$$u7d$::hc2050c65c4f54d16 /rust/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/src/combinator/mod.rs:209:23
    #12 0x1674b87 in nom::combinator::map_parserc::hcd11a49db00487c5 /rust/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/src/combinator/mod.rs:222:3
    #13 0x1674b87 in suricata::pgsql::parser::pgsql_parse_response::h1992d53df13ed68b /rust/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/src/combinator/macros.rs:124:13
    #14 0x1349d16 in suricata::pgsql::pgsql::PgsqlState::state_based_resp_parsing::h7e0f8fbaac2ab827 /src/suricata/rust/src/pgsql/pgsql.rs:406:13
    #15 0x1349d16 in suricata::pgsql::pgsql::PgsqlState::parse_response::h81d275217d46cb30 /src/suricata/rust/src/pgsql/pgsql.rs:429:19
    #16 0x134d060 in rs_pgsql_parse_response /src/suricata/rust/src/pgsql/pgsql.rs:627:16
    #17 0x682a32 in AppLayerParserParse /src/suricata/src/app-layer-parser.c:1304:30
    #18 0x67cf17 in LLVMFuzzerTestOneInput /src/suricata/src/tests/fuzz/fuzz_applayerparserparse.c:221:16
    #19 0x573233 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
    #20 0x572a1a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) cxa_noexception.cpp
    #21 0x573fc9 in fuzzer::Fuzzer::MutateAndTestOne() cxa_noexception.cpp
    #22 0x574c95 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) cxa_noexception.cpp
    #23 0x5645af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp
    #24 0x58d492 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #25 0x7fc0ca8e10b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #26 0x53d5fd in _start (/builds/122582/build-out/fuzz_applayerparserparse_pgsql+0x53d5fd)

DEDUP_TOKEN: raise--abort--std::sys::unix::abort_internal::h7127d741bc006c5f
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x4618b) in raise
==1894==ABORTING
MS: 3 ChangeBinInt-InsertByte-CMP- DE: "\001\325\312z"-; base unit: 88029764fbb891b6eb60aa311678b61302a44c65
0x1,0x6,0x3,0x0,0xff,0x0,0x0,0xff,0xff,0xff,0x1,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x1,0xd5,0xca,0x7a,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xee,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xdf,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
\001\006\003\000\377\000\000\377\377\377\001\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\001\325\312z\377\377\377\377\377\377\377\377\377\377\377\377\356\377\377\377\377\377\377\377\377\377\377\377\377\337\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377
artifact_prefix='/tmp/tmph8yap2ox/'; Test unit written to /tmp/tmph8yap2ox/crash-2bc10bc18cce64112f4899f7177ab17c92088c0f
Base64: AQYDAP8AAP///wH/////////////////////AdXKev///////////////+7////////////////f//////////////////////////8=
Actions #2

Updated by Juliana Fajardini Reichow over 2 years ago

  • Status changed from New to In Review
Actions #4

Updated by Victor Julien about 2 years ago

  • Target version set to 7.0.0-beta1
  • Affected Versions git master added
  • Affected Versions deleted (7.0.0-beta1)