Project

General

Profile

Actions

Bug #6865

open

BUG_ON triggered from AdjustToAcked

Added by Ivan Kapranov 8 months ago. Updated 8 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hello there! I found failed assertions in AdjustToAcked function during fuzz testing with sydr-fuzz.

Example of trace:

NFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1892362162
./src/fuzz_predefpcap_aware: Running 1 inputs 1 time(s) each.
Running: /fuzz/fuzz_predefpcap_aware-afl++-out/crashes/crash-7eeb77a587ea16a678ecc9875676db1f8a77514a
fuzz_predefpcap_aware: stream-tcp-reassemble.c:1199: uint32_t AdjustToAcked(const Packet *, const TcpSession *, const TcpStream *, const uint64_t, const uint32_t): Assertion `!((app_progress > last_ack_abs))' failed.
==158020== ERROR: libFuzzer: deadly signal
    #0 0x54b3f4 in __sanitizer_print_stack_trace /llvm-project-llvmorg-14.0.6/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:31:3
    #1 0x5220a7 in fuzzer::PrintStackTrace() /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
    #2 0x508223 in fuzzer::Fuzzer::CrashCallback() /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:3
    #3 0x7ffff7c0941f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 0c044ba611aeeeaebb8374e660061f341ebc0bac)
    #4 0x7ffff79eb00a in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4300a) (BuildId: eebe5d5f4b608b8a53ec446b63981bba373ca0ca)
    #5 0x7ffff79ca858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x22858) (BuildId: eebe5d5f4b608b8a53ec446b63981bba373ca0ca)
    #6 0x7ffff79ca728  (/lib/x86_64-linux-gnu/libc.so.6+0x22728) (BuildId: eebe5d5f4b608b8a53ec446b63981bba373ca0ca)
    #7 0x7ffff79dbfd5 in __assert_fail (/lib/x86_64-linux-gnu/libc.so.6+0x33fd5) (BuildId: eebe5d5f4b608b8a53ec446b63981bba373ca0ca)
    #8 0x5acbaa in AdjustToAcked /root/suricata/src/stream-tcp-reassemble.c:1199:13
    #9 0x5acbaa in ReassembleUpdateAppLayer /root/suricata/src/stream-tcp-reassemble.c:1248:22
    #10 0x5acbaa in StreamTcpReassembleAppLayer /root/suricata/src/stream-tcp-reassemble.c:1389:12
    #11 0x5ad656 in StreamTcpReassembleHandleSegment /root/suricata/src/stream-tcp-reassemble.c:2053:13
    #12 0x5a2316 in StreamTcpStateDispatch /root/suricata/src/stream-tcp.c
    #13 0x5a0889 in StreamTcpPacket /root/suricata/src/stream-tcp.c:5433:13
    #14 0x5a60ec in StreamTcp /root/suricata/src/stream-tcp.c:5745:11
    #15 0x57e62c in FlowWorkerStreamTCPUpdate /root/suricata/src/flow-worker.c:371:5
    #16 0x57ddc2 in FlowWorker /root/suricata/src/flow-worker.c:587:13
    #17 0x54cf62 in LLVMFuzzerTestOneInput /root/suricata/src/tests/fuzz/fuzz_predefpcap_aware.c:140:13
    #18 0x509761 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #19 0x4f361c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #20 0x4f939b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #21 0x5229e2 in main /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #22 0x7ffff79cc082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: eebe5d5f4b608b8a53ec446b63981bba373ca0ca)
    #23 0x4edebd in _start (/root/suricata/src/fuzz_predefpcap_aware+0x4edebd)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal

Build info:

This is Suricata version 8.0.0-dev (ff8597d50 2024-03-16)
Features: DEBUG_VALIDATION PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST POPCNT64 
SIMD support: SSE_2 
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version Clang 14.0.6, C version 201112
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.46, linked against LibHTP v0.5.46

Suricata Configuration:
  AF_PACKET support:                       yes
  AF_XDP support:                          no
  DPDK support:                            no
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no 
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  PCRE jit:                                yes
  LUA support:                             no
  libluajit:                               no
  GeoIP2 support:                          no
  Non-bundled htp:                         no
  Hyperscan support:                       no
  Libnet support:                          yes
  liblz4 support:                          no
  Landlock support:                        no

  Rust support:                            yes
  Rust strict mode:                        no
  Rust compiler path:                      /root/.cargo/bin/rustc
  Rust compiler version:                   rustc 1.76.0 (07dca489a 2024-02-04)
  Cargo path:                              /root/.cargo/bin/cargo
  Cargo version:                           cargo 1.76.0 (c84b36747 2024-01-18)

  Python support:                          yes
  Python path:                             /usr/bin/python3
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 no, not bundled

  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Profiling rules enabled:                 no

  Plugin support (experimental):           yes
  DPDK Bond PMD:                           no

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                yes
  Fuzz targets enabled:                    yes

Generic build parameters:
  Installation prefix:                     /usr/local
  Configuration directory:                 /usr/local/etc/suricata/
  Log directory:                           /usr/local/var/log/suricata/

  --prefix                                 /usr/local
  --sysconfdir                             /usr/local/etc
  --localstatedir                          /usr/local/var
  --datarootdir                            /usr/local/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                clang (exec name) / clang++ (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                no
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -fPIC -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS                               
  SECCFLAGS                                


Files

Actions #1

Updated by Victor Julien 8 months ago

  • Target version changed from 7.0.3 to 8.0.0-beta1

This assertion is only present in debug validation mode, so considering a bug but not a sec issue.

Actions #2

Updated by Victor Julien 8 months ago

Is it possible to turn the crash input into a pcap?

Actions

Also available in: Atom PDF