Bug #5211

closed

detect/frames: crash with detect.profiling.grouping.dump-to-disk

Added by Victor Julien over 2 years ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal

Description

Enabling detect.profiling.grouping.dump-to-disk (may or may not require --enable-profiling) leads to an ASAN error in sip-body-frames:

[987240] 29/3/2022 -- 15:29:43 - (suricata.c:1142) <Notice> (LogVersion) -- This is Suricata version 7.0.0-dev (9537d119b 2022-03-29) running in USER mode
=================================================================
==987240==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7fffa918e900 at pc 0x000000ee4a42 bp 0x7fffa91692b0 sp 0x7fffa91692a8
READ of size 4 at 0x7fffa918e900 thread T0 (Suricata-Main)
    #0 0xee4a41 in RulesGroupPrintSghStats /home/victor/devel/eidps/src/detect-engine-build.c:731:38
    #1 0xee1520 in RulesDumpGrouping /home/victor/devel/eidps/src/detect-engine-build.c:914:25
    #2 0xee0e02 in SigAddressPrepareStage4 /home/victor/devel/eidps/src/detect-engine-build.c:1856:9
    #3 0xee205b in SigGroupBuild /home/victor/devel/eidps/src/detect-engine-build.c:1977:9
    #4 0xf6378d in SigLoadSignatures /home/victor/devel/eidps/src/detect-engine-loader.c:373:9
    #5 0x9ec5dd in LoadSignatures /home/victor/devel/eidps/src/suricata.c:2329:9
    #6 0x9ec169 in PostConfLoadedDetectSetup /home/victor/devel/eidps/src/suricata.c:2481:17
    #7 0x9efbe7 in SuricataMain /home/victor/devel/eidps/src/suricata.c:2916:5
    #8 0x9eb1ae in main /home/victor/devel/eidps/src/main.c:22:12
    #9 0x7fc6a43840b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x93eedd in _start (/home/victor/sync/devel/eidps/src/suricata+0x93eedd)

Address 0x7fffa918e900 is located in stack of thread T0 (Suricata-Main)
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /home/victor/devel/eidps/src/detect-engine-build.c:731:38 in RulesGroupPrintSghStats
Shadow bytes around the buggy address:
  0x100075229cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100075229ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100075229cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100075229d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100075229d10: 00 00 00 00 00 00 00 00 00 00 00 00 cb cb cb cb
=>0x100075229d20:[ca]ca ca ca 00 00 00 00 00 00 00 00 00 00 00 00
  0x100075229d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100075229d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100075229d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100075229d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100075229d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==987240==ABORTING
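The report above is a dynamic-stack-buffer-overflow: a 4-byte (one int) READ whose shadow byte is "ca", the left alloca redzone, i.e. a read just before the start of a VLA or alloca'd buffer. The following is an added illustration of that error class and of the bounds check that removes it; it is not Suricata's RulesGroupPrintSghStats code, and the page does not state the actual root cause of #5211. The histogram functions, their names and the constructed inputs are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-category histogram: each id selects a slot in a VLA
 * whose size is only known at runtime (ncats). This reproduces the error
 * class ASAN reported above (dynamic-stack-buffer-overflow, READ of size
 * 4), not Suricata's own code. */

/* Unchecked variant: trusts that every id lies in [0, ncats). An id of -1
 * touches the int just before the VLA, which ASAN reports as the left
 * alloca redzone ("ca" shadow byte); an id >= ncats hits the right one. */
int max_slot_unchecked(const int *ids, size_t n, int ncats)
{
    int counts[ncats];                 /* dynamic stack buffer (VLA) */
    memset(counts, 0, sizeof(counts));
    for (size_t i = 0; i < n; i++)
        counts[ids[i]]++;              /* no range check on ids[i] */
    int best = 0;
    for (int c = 1; c < ncats; c++)
        if (counts[c] > counts[best])
            best = c;
    return best;
}

/* Checked variant: reject a non-positive VLA size (itself undefined
 * behaviour), validate every index before indexing the VLA, and report
 * how many entries were dropped so the caller can log the anomaly. */
int max_slot_checked(const int *ids, size_t n, int ncats, size_t *dropped)
{
    if (ncats <= 0) {
        if (dropped)
            *dropped = n;
        return -1;
    }
    int counts[ncats];
    memset(counts, 0, sizeof(counts));
    size_t skipped = 0;
    for (size_t i = 0; i < n; i++) {
        if (ids[i] < 0 || ids[i] >= ncats) {
            skipped++;                 /* out-of-range id: skip, don't index */
            continue;
        }
        counts[ids[i]]++;
    }
    if (dropped)
        *dropped = skipped;
    int best = 0;
    for (int c = 1; c < ncats; c++)
        if (counts[c] > counts[best])
            best = c;
    return best;
}

int main(void)
{
    /* constructed input: one id below range, one above range */
    const int ids[] = { 2, -1, 5, 2, 1 };
    size_t dropped = 0;
    int best = max_slot_checked(ids, 5, 3, &dropped);
    printf("most frequent slot: %d, dropped %zu out-of-range ids\n", best, dropped);
    return 0;
}
```

Build the unchecked variant with -fsanitize=address and feed it the same constructed input to see a report of the same shape as the one above (READ of size 4, shadow byte ca); the checked variant runs clean because the out-of-range ids never reach the VLA.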