Security #5703: smb: crash inside of streaming buffer Grow() - Suricata - Open Information Security Foundation

Actions

#1

Updated by Jeff Lucovsky almost 2 years ago

And another

#1  0x00005608f78b8602 in memset (__len=<optimized out>, __ch=0, __dest=<optimized out>) at /usr/include/bits/string_fortified.h:71
No locals.
#2  Grow (sb=0x7f72f00f2880) at util-streaming-buffer.c:504
        grow = 1441267712
        ptr = 0x7f7040800380
        diff = <optimized out>
        new_mem = <optimized out>
        grow = <optimized out>
        ptr = <optimized out>
        diff = <optimized out>
        new_mem = <optimized out>
#3  StreamingBufferAppendNoTrack (sb=0x7f72f00f2880, data=0x7f711d789000 "", data_len=18736) at util-streaming-buffer.c:649
        rel_offset = <optimized out>
#4  0x00005608f7893253 in AppendData (data_len=<optimized out>, data=<optimized out>, file=0x7f72f00e6b00) at util-file.c:610
No locals.
#5  FileAppendDataDo (data_len=<optimized out>, data=<optimized out>, ff=0x7f72f00e6b00) at util-file.c:701
        r = <optimized out>
        r = <optimized out>
#6  FileAppendDataDo (data_len=<optimized out>, data=<optimized out>, ff=0x7f72f00e6b00) at util-file.c:650
        r = <optimized out>
        r = <optimized out>
#7  FileAppendDataById (ffc=<optimized out>, track_id=<optimized out>, data=<optimized out>, data_len=<optimized out>) at util-file.c:757
        r = <optimized out>
        ff = 0x7f72f00e6b00
#8  0x00005608f796b561 in suricata::filecontainer::FileContainer::file_append (self=0x7f72dcd446f0, track_id=0x7f72f01d90c8, data=..., is_gap=<optimized out>) at src/filecontainer.rs:77
        c = 0x7f7040800380
#9  suricata::filetracker::FileTransferTracker::update (self=0x7f72f01d9070, files=0x7f72dcd446f0, flags=<optimized out>, data=..., gap_size=0) at src/filetracker.rs:307
        is_gap = <optimized out>
        consumed = 0
#10 0x00005608f79ae8ef in suricata::smb::smb::SMBState::filetracker_update (self=<optimized out>, direction=<optimized out>, data=..., gap_size=4067404584) at src/smb/files.rs:214
        file_data = &[u8] {data_ptr: 0x7f711d789000, length: 18736}
        tdf = <optimized out>
        tx = <optimized out>
        files = 0x7f72dcd446f0
        flags = 8790
        ssn_gap = <optimized out>
        data_to_handle_len = 18736
        file_handle = alloc::vec::Vec<u8, alloc::alloc::Global> {buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {ptr: core::ptr::unique::Unique<u8> {pointer: 0x7f72f0129ae0, _marker: core::marker::PhantomData<u8>}, cap: 16, alloc: alloc::alloc::Global}, len: 16}
        chunk_left = <optimized out>
#11 0x00005608f79aaf7c in suricata::smb::smb::SMBState::parse_tcp_data_ts (self=0x7f72dcd44600, i=...) at src/smb/smb.rs:1388
        consumed = <optimized out>
        cur_i = &[u8] {data_ptr: 0x7f711d789000, length: 18736}
#12 0x00005608f79ac782 in suricata::smb::smb::rs_smb_parse_request_tcp (flow=flow@entry=0x7f72b0c78e80, state=state@entry=0x7f72dcd44600, _pstate=_pstate@entry=0x7f72f011a8a0, input=input@entry=0x7f711d789000, input_len=input_len@entry=18736, _data=_data@entry=0x0, flags=4) at src/smb/smb.rs:1901
        buf = &[u8] {data_ptr: 0x7f711d789000, length: 18736}
#13 0x00005608f77896bc in SMBTCPParseRequest (flags=4 '\004', local_data=0x0, input_len=18736, input=0x7f711d789000 "", pstate=0x7f72f011a8a0, state=0x7f72dcd44600, f=0x7f72b0c78e80) at app-layer-smb.c:46
        res = {status = 0, consumed = 0, needed = 1}
        file_flags = <optimized out>
        res = <optimized out>
#14 SMBTCPParseRequest (f=0x7f72b0c78e80, state=0x7f72dcd44600, pstate=0x7f72f011a8a0, input=0x7f711d789000 "", input_len=18736, local_data=0x0, flags=4 '\004') at app-layer-smb.c:33
        file_flags = <optimized out>
        res = <optimized out>
#15 0x00005608f7788496 in AppLayerParserParse (tv=tv@entry=0x7f732a1e6680, alp_tctx=0x7f72efd39800, f=f@entry=0x7f72b0c78e80, alproto=8, flags=4 '\004', input=input@entry=0x7f711d789000 "", input_len=18736) at app-layer-parser.c:1310
        res = <optimized out>
        pstate = 0x7f72f011a8a0
        p = <optimized out>
        alstate = 0x7f72dcd44600
        p_tx_cnt = 2427
        consumed = 18736
        direction = 0
        cur_tx_cnt = <optimized out>
#16 0x00005608f7761d4e in AppLayerHandleTCPData (tv=tv@entry=0x7f732a1e6680, ra_ctx=ra_ctx@entry=0x7f72f1bff040, p=p@entry=0x7f72efd1a600, f=0x7f72b0c78e80, ssn=ssn@entry=0x7f72f00b8340, stream=stream@entry=0x7f72f26faff8, data=0x7f711d789000 "", data_len=18736, flags=4 '\004') at app-layer.c:724
        app_tctx = <optimized out>
        alproto = <optimized out>
        r = 0
        end = <optimized out>
        direction = 0
        failure = <optimized out>
#17 0x00005608f7870cd9 in ReassembleUpdateAppLayer (dir=UPDATE_DIR_OPPOSING, p=0x7f72efd1a600, stream=0x7f72f26faff8, ssn=0x7f72f00b8340, ra_ctx=0x7f72f1bff040, tv=0x7f732a1e6680) at stream-tcp-reassemble.c:1202
        flags = <optimized out>
        check_for_gap_ahead = <optimized out>
        new_app_progress = <optimized out>
        mydata = 0x7f711d789000 "" 
        mydata_len = 18736
        app_progress = 3877259096
        gap_ahead = <optimized out>
        last_was_gap = false
        app_progress = <optimized out>
        mydata = <optimized out>
        mydata_len = <optimized out>
        gap_ahead = <optimized out>
        last_was_gap = <optimized out>
        flags = <optimized out>
        check_for_gap_ahead = <optimized out>
        new_app_progress = <optimized out>
        r = <optimized out>
        no_progress_update = <optimized out>
#18 StreamTcpReassembleAppLayer (tv=tv@entry=0x7f732a1e6680, ra_ctx=ra_ctx@entry=0x7f72f1bff040, ssn=ssn@entry=0x7f72f00b8340, stream=<optimized out>, stream@entry=0x7f72f00b83d8, p=p@entry=0x7f72efd1a600, dir=dir@entry=UPDATE_DIR_OPPOSING) at stream-tcp-reassemble.c:1265
No locals.
#19 0x00005608f7871ba9 in StreamTcpReassembleHandleSegmentUpdateACK (p=<optimized out>, stream=<optimized out>, ssn=<optimized out>, ra_ctx=<optimized out>, tv=<optimized out>) at stream-tcp-reassemble.c:1834
No locals.
#20 StreamTcpReassembleHandleSegment (tv=tv@entry=0x7f732a1e6680, ra_ctx=0x7f72f1bff040, ssn=ssn@entry=0x7f72f00b8340, stream=0x7f72f00b8350, p=p@entry=0x7f72efd1a600, pq=pq@entry=0x7f72f19ff048) at stream-tcp-reassemble.c:1883
        opposing_stream = 0x7f72f00b83d8
        reversed_before_ack_handling = <optimized out>
        reversed_after_ack_handling = <optimized out>
        dir = UPDATE_DIR_OPPOSING
#21 0x00005608f7865252 in HandleEstablishedPacketToClient (pq=<optimized out>, stt=<optimized out>, p=<optimized out>, ssn=<optimized out>, tv=<optimized out>) at stream-tcp.c:2502
        zerowindowprobe = <optimized out>
        zerowindowprobe = <optimized out>
        ack_diff = <optimized out>
        ack_diff = <optimized out>
        ack_diff = <optimized out>
        ack_diff = <optimized out>
        sacked_size__ = <optimized out>
#22 StreamTcpPacketStateEstablished (tv=tv@entry=0x7f732a1e6680, p=p@entry=0x7f72efd1a600, stt=stt@entry=0x7f72f19ff040, ssn=ssn@entry=0x7f72f00b8340, pq=0x7f72f19ff048) at stream-tcp.c:2735
No locals.
#23 0x00005608f786ae31 in StreamTcpStateDispatch (state=<optimized out>, pq=0x7f72f19ff048, ssn=0x7f72f00b8340, stt=0x7f72f19ff040, p=0x7f72efd1a600, tv=0x7f732a1e6680) at stream-tcp.c:4744
No locals.
#24 StreamTcpPacket (tv=0x7f732a1e6680, p=p@entry=0x7f72efd1a600, stt=stt@entry=0x7f72f19ff040, pq=0x7f72efd3d030) at stream-tcp.c:4929
        ssn = 0x7f72f00b8340
        error = <optimized out>
#25 0x00005608f786b3df in StreamTcp (tv=tv@entry=0x7f732a1e6680, p=p@entry=0x7f72efd1a600, data=0x7f72f19ff040, pq=pq@entry=0x7f72efd3d030) at stream-tcp.c:5270
        stt = 0x7f72f19ff040
#26 0x00005608f78205a0 in FlowWorkerStreamTCPUpdate (timeout=false, detect_thread=0x7f72f00d0000, p=0x7f72efd1a600, fw=0x7f72efd3d000, tv=0x7f732a1e6680) at flow-worker.c:370
        x = <optimized out>
        x = <optimized out>
#27 FlowWorker (tv=0x7f732a1e6680, p=0x7f72efd1a600, data=0x7f72efd3d000) at flow-worker.c:535
        fw = 0x7f72efd3d000
        detect_thread = 0x7f72f00d0000

Actions

Copy link

#2

Updated by Victor Julien almost 2 years ago

Related to Security #5700: SCRealloc of large chunk crashes Suricata added

Actions

Copy link

#3

Updated by Victor Julien almost 2 years ago

Related to Bug #4863: suricata segfault on smb packet added

Actions

Copy link

#4

Updated by Victor Julien almost 2 years ago

Status changed from New to Assigned
Assignee changed from OISF Dev to Victor Julien
Priority changed from Normal to High
Target version changed from TBD to 7.0.0-rc1

I can reproduce this with a (large) single flow smb pcap:

23/11/2022 -- 07:18:10 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used
=================================================================
==1417393==ERROR: AddressSanitizer: unknown-crash on address 0x800032fde800 at pc 0x5555558dd7dc bp 0x7fffeb482f50 sp 0x7fffeb482720
WRITE of size 2948595712 at 0x800032fde800 thread T1 (W#01)
[Detaching after fork from child process 1417434]
    #0 0x5555558dd7db in __asan_memset (/home/victor/sync/devel/eidps/src/suricata+0x3897db) (BuildId: c3afc72044cbe2e282beb441b8bc569ff7102676)
    #1 0x555555ead853 in Grow /home/victor/devel/eidps/src/util-streaming-buffer.c:488:5
    #2 0x555555eae2c7 in StreamingBufferAppendNoTrack /home/victor/devel/eidps/src/util-streaming-buffer.c:623:21
    #3 0x555555e0debd in AppendData /home/victor/devel/eidps/src/util-file.c:660:9
    #4 0x555555e0c4b6 in FileAppendDataDo /home/victor/devel/eidps/src/util-file.c:753:13
    #5 0x555555e0c6a3 in FileAppendDataById /home/victor/devel/eidps/src/util-file.c:809:21
    #6 0x55555608801a in suricata::filecontainer::FileContainer::file_append::hafa9a2b52833c43d /home/victor/devel/eidps/rust/src/filecontainer.rs
    #7 0x55555608801a in suricata::filetracker::FileTransferTracker::update::h0b97404b5eb1ca72 /home/victor/devel/eidps/rust/src/filetracker.rs:296:31
    #8 0x55555614f1b7 in suricata::smb::files::_$LT$impl$u20$suricata..smb..smb..SMBState$GT$::filetracker_update::hbd6873bfb88eba3e /home/victor/devel/eidps/rust/src/smb/files.rs:173:30
    #9 0x555556130c5c in suricata::smb::smb::SMBState::parse_tcp_data_tc::h590b53b1b881a755 /home/victor/devel/eidps/rust/src/smb/smb.rs:1683:24
    #10 0x555556131db3 in rs_smb_parse_response_tcp /home/victor/devel/eidps/rust/src/smb/smb.rs:2002:5
    #11 0x5555559ef81c in AppLayerParserParse /home/victor/devel/eidps/src/app-layer-parser.c:1374:30
    #12 0x55555599b894 in AppLayerHandleTCPData /home/victor/devel/eidps/src/app-layer.c:770:17
    #13 0x555555dd83f9 in ReassembleUpdateAppLayer /home/victor/devel/eidps/src/stream-tcp-reassemble.c:1279:15
    #14 0x555555dd657c in StreamTcpReassembleAppLayer /home/victor/devel/eidps/src/stream-tcp-reassemble.c:1343:12
    #15 0x555555dddd97 in StreamTcpReassembleHandleSegmentUpdateACK /home/victor/devel/eidps/src/stream-tcp-reassemble.c:1920:9
    #16 0x555555ddd8cd in StreamTcpReassembleHandleSegment /home/victor/devel/eidps/src/stream-tcp-reassemble.c:1969:13
    #17 0x555555daf61a in HandleEstablishedPacketToServer /home/victor/devel/eidps/src/stream-tcp.c:2383:9
    #18 0x555555d77f03 in StreamTcpPacketStateEstablished /home/victor/devel/eidps/src/stream-tcp.c:2840:13
    #19 0x555555d5ab2a in StreamTcpStateDispatch /home/victor/devel/eidps/src/stream-tcp.c:4874:17
    #20 0x555555d517b3 in StreamTcpPacket /home/victor/devel/eidps/src/stream-tcp.c:5066:13
    #21 0x555555d5bb83 in StreamTcp /home/victor/devel/eidps/src/stream-tcp.c:5399:11
    #22 0x555555c6c4e1 in FlowWorkerStreamTCPUpdate /home/victor/devel/eidps/src/flow-worker.c:379:5
    #23 0x555555c6b26d in FlowWorker /home/victor/devel/eidps/src/flow-worker.c:548:9
    #24 0x55555592d68c in TmThreadsSlotVarRun /home/victor/devel/eidps/src/tm-threads.c:118:21
    #25 0x555555d4c8ff in TmThreadsSlotProcessPkt /home/victor/devel/eidps/src/./tm-threads.h:191:17
    #26 0x555555d4b8e8 in PcapFileCallbackLoop /home/victor/devel/eidps/src/source-pcap-file-helper.c:110:9
    #27 0x7ffff75ebc53  (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x2bc53) (BuildId: 2703e8aa153a5848770e5e1a18b14a1493204c07)
    #28 0x555555d4a923 in PcapFileDispatch /home/victor/devel/eidps/src/source-pcap-file-helper.c:155:17
    #29 0x555555d455b5 in ReceivePcapFileLoop /home/victor/devel/eidps/src/source-pcap-file.c:180:18
    #30 0x5555559399a7 in TmThreadsSlotPktAcqLoop /home/victor/devel/eidps/src/tm-threads.c:310:13
    #31 0x7ffff73aeb42 in start_thread nptl/./nptl/pthread_create.c:442:8
    #32 0x7ffff74409ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Actions

Copy link

#5

Updated by Victor Julien almost 2 years ago

Subject changed from Suricata crashes inside of Grow to smb: crash inside of streaming bufffer Grow()

Actions

Copy link

#6

Updated by Jeff Lucovsky almost 2 years ago

Subject changed from smb: crash inside of streaming bufffer Grow() to smb: crash inside of streaming buffer Grow()

Actions

Copy link

#7

Updated by Victor Julien almost 2 years ago

Status changed from Assigned to In Review
Label Needs backport to 6.0 added

Actions

Copy link

#8

Updated by Victor Julien almost 2 years ago

Subtask #5710 added

Actions

Copy link

#9

Updated by Victor Julien almost 2 years ago

Rules	Affected
ET open	no
ET pro	no
-S /dev/null	yes
--disable-detection	no
at least one rule with file.data as fast_pattern	no
ruleset w/o file.data	yes
ruleset with file.data, but none are fast_pattern	yes

For file.data rules it is irrelevant if they specify alert smb, alert tcp, alert http, etc. As long as the there are rules that have file.data as fast pattern there is no issue.

Actions

Copy link

#10

Updated by Victor Julien almost 2 years ago

Related to Security #5712: tcp: crafted packets lead to resource starvation added

Actions

Copy link

#11

Updated by Victor Julien almost 2 years ago

Status changed from In Review to Resolved

https://github.com/OISF/suricata/pull/8209

Actions

Copy link

#12

Updated by Victor Julien almost 2 years ago

Status changed from Resolved to Closed

Actions

Copy link

#13

Updated by Victor Julien almost 2 years ago

Label deleted (~~Needs backport to 6.0~~)

Actions

Copy link

#14

Updated by Victor Julien almost 2 years ago

Private changed from Yes to No

Actions

Copy link

#15

Updated by Victor Julien almost 2 years ago

Related to Optimization #5782: smb: set defaults for file chunk limits added

Actions

Copy link

#16

Updated by Victor Julien almost 2 years ago

Related to Bug #5781: smb: unbounded file chunk queuing after gap added

Project

General

Profile

Suricata

Custom queries

Security #5703

smb: crash inside of streaming buffer Grow()

Updated by Jeff Lucovsky almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Jeff Lucovsky almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Updated by Victor Julien almost 2 years ago

Related to Suricata - Security #5700: SCRealloc of large chunk crashes Suricata	Closed	Victor Julien	Actions
Related to Suricata - Bug #4863: suricata segfault on smb packet	Rejected		Actions
Related to Suricata - Security #5712: tcp: crafted packets lead to resource starvation	Closed	Victor Julien	Actions
Related to Suricata - Optimization #5782: smb: set defaults for file chunk limits	Closed	Victor Julien	Actions
Related to Suricata - Bug #5781: smb: unbounded file chunk queuing after gap	Closed	Victor Julien	Actions