Project

General

Profile

Actions

Security #5703

closed

smb: crash inside of streaming buffer Grow()

Added by Jeff Lucovsky about 2 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Label:
CVE:
Git IDs:
Severity:
MODERATE
Disclosure Date:

Description

Suricata crashed following a successful Grow operation; perhaps it's because the grow value is so large?

Thread 1 (Thread 0x7f9d474ff640 (LWP 44220)):
#0  __memset_avx2_erms () at ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:141
No locals.
#1  0x000055fd60aaa602 in memset (__len=<optimized out>, __ch=0, __dest=<optimized out>) at /usr/include/bits/string_fortified.h:71
No locals.
#2  Grow (sb=0x7f9c1cd34300) at util-streaming-buffer.c:504
        grow = 947912704
        ptr = 0x7f9b42000780
        diff = <optimized out>
        new_mem = <optimized out>
        grow = <optimized out>
        ptr = <optimized out>
        diff = <optimized out>
        new_mem = <optimized out>
#3  StreamingBufferAppendNoTrack (sb=0x7f9c1cd34300, data=0x7f9c15d51a88 <removed>..., data_len=590) at util-streaming-buffer.c:649
        rel_offset = <optimized out>
#4  0x000055fd60a85253 in AppendData (data_len=<optimized out>, data=<optimized out>, file=0x7f9c1cceff00) at util-file.c:610
No locals.
#5  FileAppendDataDo (data_len=<optimized out>, data=<optimized out>, ff=0x7f9c1cceff00) at util-file.c:701
        r = <optimized out>
        r = <optimized out>
#6  FileAppendDataDo (data_len=<optimized out>, data=<optimized out>, ff=0x7f9c1cceff00) at util-file.c:650
        r = <optimized out>
        r = <optimized out>
#7  FileAppendDataById (ffc=<optimized out>, track_id=<optimized out>, data=<optimized out>, data_len=<optimized out>) at util-file.c:757
        r = <optimized out>
        ff = 0x7f9c1cceff00
#8  0x000055fd60b5d561 in suricata::filecontainer::FileContainer::file_append (self=0x7f9d467ffcf0, track_id=0x7f9c1cfdc3b8, data=..., is_gap=<optimized out>) at src/filecontainer.rs:77
        c = 0x7f9b42000780
#9  suricata::filetracker::FileTransferTracker::update (self=0x7f9c1cfdc360, files=0x7f9d467ffcf0, flags=<optimized out>, data=..., gap_size=0) at src/filetracker.rs:307
        is_gap = <optimized out>
        consumed = 0
#10 0x000055fd60b1bfcc in suricata::smb::files::filetracker_newchunk (ft=0x7f9c1cfdc360, files=0x7f9d467ffcf0, flags=<optimized out>, name=<optimized out>, data=..., chunk_offset=<optimized out>, chunk_size=<optimized out>, is_last=false, xid=<optimized out>) at src/smb/files.rs:90
        sfcm = 0x0
#11 suricata::smb::smb2::smb2_write_request_record (state=0x7f9d467ffc00, r=<optimized out>) at src/smb/smb2.rs:314
        file_id = <optimized out>
        tdf = <optimized out>
        tx = <optimized out>
        files = 0x7f9d467ffcf0
        flags = <optimized out>
        set_event_fileoverlap = false
        file_name = alloc::vec::Vec<u8, alloc::alloc::Global> {buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {ptr: core::ptr::unique::Unique<u8> {pointer: 0x1f6a31d3, _marker: core::marker::PhantomData<u8>}, cap: 140312286593057, alloc: alloc::alloc::Global}, len: 16}
        file_guid = alloc::vec::Vec<u8, alloc::alloc::Global> {buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {ptr: core::ptr::unique::Unique<u8> {pointer: 0x0, _marker: core::marker::PhantomData<u8>}, cap: 140313482996472, alloc: alloc::alloc::Global}, len: 94546737347971}
        guid_key = suricata::smb::smb::SMBCommonHdr {ssn_id: <optimized out>, tree_id: <optimized out>, rec_type: 1, msg_id: <optimized out>}
        wr = suricata::smb::smb2_records::Smb2WriteRequestRecord {wr_len: <synthetic pointer>, wr_offset: <optimized out>, guid: &[u8] {data_ptr: <optimized out>, length: <optimized out>}, data: &[u8] {data_ptr: <optimized out>, length: 590}}
        max_queue_cnt = <optimized out>
        max_queue_size = <optimized out>
#12 0x000055fd60b9cea4 in suricata::smb::smb::SMBState::parse_tcp_data_ts_partial (self=0x7f9d467ffc00, input=...) at src/smb/smb.rs:1353
        smb_record = 0x0
        smb = <optimized out>
        nbss_part_hdr = <optimized out>
        output = <optimized out>
#13 0x000055fd60b9d587 in suricata::smb::smb::SMBState::parse_tcp_data_ts (self=0x7f9d467ffc00, i=...) at src/smb/smb.rs:1511
        n = <optimized out>
        needed = <error reading variable needed (Cannot access memory at address 0x0)>
        consumed = <optimized out>
        consumed = <optimized out>
        cur_i = &[u8] {data_ptr: 0x7f9c15d51a14, length: 706}
#14 0x000055fd60b9e782 in suricata::smb::smb::rs_smb_parse_request_tcp (flow=flow@entry=0x7f9c1814ac40, state=state@entry=0x7f9d467ffc00, _pstate=_pstate@entry=0x7f9c1cedc690, input=input@entry=0x7f9c15d51780, input_len=input_len@entry=1366, _data=_data@entry=0x0, flags=4) at src/smb/smb.rs:1901
        buf = &[u8] {data_ptr: 0x7f9c15d51780, length: 1366}
#15 0x000055fd6097b6bc in SMBTCPParseRequest (flags=4 '\004', local_data=0x0, input_len=1366, input=0x7f9c15d51780 <removed>, <incomplete sequence \353>..., pstate=0x7f9c1cedc690, state=0x7f9d467ffc00, f=0x7f9c1814ac40) at app-layer-smb.c:46
        res = {status = 0, consumed = 0, needed = 0}
        file_flags = <optimized out>
        res = <optimized out>
#16 SMBTCPParseRequest (f=0x7f9c1814ac40, state=0x7f9d467ffc00, pstate=0x7f9c1cedc690, input=0x7f9c15d51780 <removed>, <incomplete sequence \353>..., input_len=1366, local_data=0x0, flags=4 '\004') at app-layer-smb.c:33
        file_flags = <optimized out>
        res = <optimized out>
#17 0x000055fd6097a496 in AppLayerParserParse (tv=tv@entry=0x7f9dbbbe3200, alp_tctx=0x7f9d4627f800, f=f@entry=0x7f9c1814ac40, alproto=8, flags=4 '\004', input=input@entry=0x7f9c15d51780 <removed>, <incomplete sequence \353>..., input_len=1366) at app-layer-parser.c:1310
        res = <optimized out>
        pstate = 0x7f9c1cedc690
        p = <optimized out>
        alstate = 0x7f9d467ffc00
        p_tx_cnt = 33
        consumed = 1366
        direction = 0
        cur_tx_cnt = <optimized out>
#18 0x000055fd60953d4e in AppLayerHandleTCPData (tv=tv@entry=0x7f9dbbbe3200, ra_ctx=ra_ctx@entry=0x7f9d44b48000, p=p@entry=0x7f9d44b1a600, f=0x7f9c1814ac40, ssn=ssn@entry=0x7f9d44ec03c0, stream=stream@entry=0x7f9d474faff8, data=0x7f9c15d51780 <removed>, <incomplete sequence \353>..., data_len=1366, flags=4 '\004') at app-layer.c:724
        app_tctx = <optimized out>
        alproto = <optimized out>
        r = 0
        end = <optimized out>
        direction = 0
        failure = <optimized out>
#19 0x000055fd60a62cd9 in ReassembleUpdateAppLayer (dir=UPDATE_DIR_OPPOSING, p=0x7f9d44b1a600, stream=0x7f9d474faff8, ssn=0x7f9d44ec03c0, ra_ctx=0x7f9d44b48000, tv=0x7f9dbbbe3200) at stream-tcp-reassemble.c:1202
        flags = <optimized out>
        check_for_gap_ahead = <optimized out>
        new_app_progress = <optimized out>
        mydata = 0x7f9c15d51780 <removed>, <incomplete sequence \353>...
        mydata_len = 1366
        app_progress = 2621735586
        gap_ahead = <optimized out>
        last_was_gap = false
        app_progress = <optimized out>
        mydata = <optimized out>
        mydata_len = <optimized out>
        gap_ahead = <optimized out>
        last_was_gap = <optimized out>
        flags = <optimized out>
        check_for_gap_ahead = <optimized out>
        new_app_progress = <optimized out>
        r = <optimized out>
        no_progress_update = <optimized out>
#20 StreamTcpReassembleAppLayer (tv=tv@entry=0x7f9dbbbe3200, ra_ctx=ra_ctx@entry=0x7f9d44b48000, ssn=ssn@entry=0x7f9d44ec03c0, stream=<optimized out>, stream@entry=0x7f9d44ec0458, p=p@entry=0x7f9d44b1a600, dir=dir@entry=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1265
No locals.
#21 0x000055fd60a63ba9 in StreamTcpReassembleHandleSegmentUpdateACK (p=<optimized out>, stream=<optimized out>, ssn=<optimized out>, ra_ctx=<optimized out>, tv=<optimized out>) at stream-tcp-reassemble.c:1834
No locals.
#22 StreamTcpReassembleHandleSegment (tv=tv@entry=0x7f9dbbbe3200, ra_ctx=0x7f9d44b48000, ssn=ssn@entry=0x7f9d44ec03c0, stream=0x7f9d44ec03d0, p=p@entry=0x7f9d44b1a600, pq=pq@entry=0x7f9d44b47008) at stream-tcp-reassemble.c:1883
        opposing_stream = 0x7f9d44ec0458
        reversed_before_ack_handling = <optimized out>
        reversed_after_ack_handling = <optimized out>
        dir = UPDATE_DIR_OPPOSING
#23 0x000055fd60a57252 in HandleEstablishedPacketToClient (pq=<optimized out>, stt=<optimized out>, p=<optimized out>, ssn=<optimized out>, tv=<optimized out>) at stream-tcp.c:2502
        zerowindowprobe = <optimized out>
        zerowindowprobe = <optimized out>
        ack_diff = <optimized out>
        ack_diff = <optimized out>
        ack_diff = <optimized out>
        ack_diff = <optimized out>
        sacked_size__ = <optimized out>
#24 StreamTcpPacketStateEstablished (tv=tv@entry=0x7f9dbbbe3200, p=p@entry=0x7f9d44b1a600, stt=stt@entry=0x7f9d44b47000, ssn=ssn@entry=0x7f9d44ec03c0, pq=0x7f9d44b47008) at stream-tcp.c:2735
No locals.
#25 0x000055fd60a5ce31 in StreamTcpStateDispatch (state=<optimized out>, pq=0x7f9d44b47008, ssn=0x7f9d44ec03c0, stt=0x7f9d44b47000, p=0x7f9d44b1a600, tv=0x7f9dbbbe3200) at stream-tcp.c:4744
No locals.


Subtasks 1 (0 open1 closed)

Security #5710: smb: crash inside of streaming buffer Grow() (6.0.x backport)ClosedVictor JulienActions

Related issues 5 (0 open5 closed)

Related to Suricata - Security #5700: SCRealloc of large chunk crashes SuricataClosedVictor JulienActions
Related to Suricata - Bug #4863: suricata segfault on smb packetRejectedActions
Related to Suricata - Security #5712: tcp: crafted packets lead to resource starvationClosedVictor JulienActions
Related to Suricata - Optimization #5782: smb: set defaults for file chunk limitsClosedVictor JulienActions
Related to Suricata - Bug #5781: smb: unbounded file chunk queuing after gapClosedVictor JulienActions
Actions

Also available in: Atom PDF