Heap buffer overread while parsing ipv6 packet #25

Closed
bshastry opened this Issue May 3, 2017 · 2 comments

bshastry commented May 3, 2017

Hi,

There's a heap buffer overread in Codec::CheckIPV6HopOptions while parsing an IPV6 packet. Here's the stack trace:

Starting program: /home/fuzz/code/snort3/.orthrus/binaries/asan-dbg/bin/snort -r ipv6.pcap
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffef8aa700 (LWP 47544)]
=================================================================
==47384==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100003bffe at pc 0x00000093c7ad bp 0x7fffef7d55a0 sp 0x7fffef7d5590
READ of size 1 at 0x61100003bffe thread T1
    #0 0x93c7ac in Codec::CheckIPV6HopOptions(RawData const&, CodecData&) /home/fuzz/code/snort3/src/framework/codec.cc:131
    #1 0x5b6315 in decode /home/fuzz/code/snort3/src/codecs/ip/cd_hop_opts.cc:86
    #2 0x9de83f in PacketManager::decode(Packet*, _daq_pkthdr const*, unsigned char const*, bool) /home/fuzz/code/snort3/src/protocols/packet_manager.cc:153
    #3 0x59c0c7 in Snort::process_packet(Packet*, _daq_pkthdr const*, unsigned char const*, bool) /home/fuzz/code/snort3/src/main/snort.cc:772
    #4 0x59c855 in Snort::packet_callback(void*, _daq_pkthdr const*, unsigned char const*) /home/fuzz/code/snort3/src/main/snort.cc:883
    #5 0xa15edc in pcap_process_loop /home/fuzz/code/daq-2.2.1/os-daq-modules/daq_pcap.c:370
    #6 0x7ffff6c40ac3  (/usr/lib/x86_64-linux-gnu/libpcap.so.0.8+0x1eac3)
    #7 0xa1594c in pcap_daq_acquire /home/fuzz/code/daq-2.2.1/os-daq-modules/daq_pcap.c:388
    #8 0x9ad261 in SFDAQInstance::acquire(int, DAQ_Verdict (*)(void*, _daq_pkthdr const*, unsigned char const*)) /home/fuzz/code/snort3/src/packet_io/sfdaq.cc:487
    #9 0x58b56d in Analyzer::analyze() /home/fuzz/code/snort3/src/main/analyzer.cc:160
    #10 0x58b0a5 in Analyzer::operator()(Swapper*) /home/fuzz/code/snort3/src/main/analyzer.cc:98
    #11 0x54d311 in std::enable_if<((!std::is_member_pointer<Analyzer>::value)&&(!std::is_function<Analyzer>::value))&&(!std::is_function<std::remove_pointer<Analyzer>::type>::value), std::result_of<Analyzer& (Swapper*&&)>::type>::type std::__invoke<Analyzer, Swapper*>(Analyzer&, Swapper*&&) (/home/fuzz/code/snort3/.orthrus/binaries/asan-dbg/bin/snort+0x54d311)
    #12 0x54d286 in std::result_of<Analyzer& (Swapper*&&)>::type std::reference_wrapper<Analyzer>::operator()<Swapper*>(Swapper*&&) const (/home/fuzz/code/snort3/.orthrus/binaries/asan-dbg/bin/snort+0x54d286)
    #13 0x54d248 in void std::_Bind_simple<std::reference_wrapper<Analyzer> (Swapper*)>::_M_invoke<0ul>(std::_Index_tuple<0ul>) (/home/fuzz/code/snort3/.orthrus/binaries/asan-dbg/bin/snort+0x54d248)
    #14 0x54d10d in std::_Bind_simple<std::reference_wrapper<Analyzer> (Swapper*)>::operator()() (/home/fuzz/code/snort3/.orthrus/binaries/asan-dbg/bin/snort+0x54d10d)
    #15 0x54d09d in std::thread::_Impl<std::_Bind_simple<std::reference_wrapper<Analyzer> (Swapper*)> >::_M_run() (/home/fuzz/code/snort3/.orthrus/binaries/asan-dbg/bin/snort+0x54d09d)
    #16 0x7ffff62f6c7f  (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8c7f)
    #17 0x7ffff5d1f6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #18 0x7ffff583f82c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10682c)

0x61100003bffe is located 0 bytes to the right of 254-byte region [0x61100003bf00,0x61100003bffe)
allocated by thread T1 here:
    #0 0x513fa2 in __interceptor_malloc (/home/fuzz/code/snort3/.orthrus/binaries/asan-dbg/bin/snort+0x513fa2)
    #1 0x7ffff6c4152e  (/usr/lib/x86_64-linux-gnu/libpcap.so.0.8+0x1f52e)

Thread T1 created by T0 here:
    #0 0x4b1b33 in __interceptor_pthread_create (/home/fuzz/code/snort3/.orthrus/binaries/asan-dbg/bin/snort+0x4b1b33)
    #1 0x7ffff62f6dc2 in std::thread::_M_start_thread(std::shared_ptr<std::thread::_Impl_base>, void (*)()) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8dc2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/code/snort3/src/framework/codec.cc:131 Codec::CheckIPV6HopOptions(RawData const&, CodecData&)
Shadow bytes around the buggy address:
  0x0c227ffff7a0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c227ffff7b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227ffff7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227ffff7d0: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227ffff7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227ffff7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[06]
  0x0c227ffff800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227ffff810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227ffff820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227ffff830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227ffff840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==47384==ABORTING
--------------------------------------------------
o")~   Snort++ 3.0.0-a4-231
--------------------------------------------------
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] ipv6.pcap

Thread 2 "snort" received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffef8aa700 (LWP 47544)]
0x00007ffff576e428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  0x00007ffff576e428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff577002a in __GI_abort () at abort.c:89
#2  0x000000000052f2a9 in __sanitizer::Abort() ()
#3  0x000000000051c109 in __asan::AsanDie() ()
#4  0x0000000000523162 in __sanitizer::Die() ()
#5  0x000000000051b086 in __asan_report_error ()
#6  0x000000000051c4b3 in __asan_report_load1 ()
#7  0x000000000093c7ad in Codec::CheckIPV6HopOptions (this=0x602000005410, raw=..., codec=...) at codec.cc:131
#8  0x00000000005b6316 in (anonymous namespace)::Ipv6HopOptsCodec::decode (this=0x602000005410, raw=..., codec=...) at cd_hop_opts.cc:86
#9  0x00000000009de840 in PacketManager::decode (p=0x610000017f40, pkthdr=0x7fffef7d5a20, pkt=0x61100003bf00 "", cooked=false) at packet_manager.cc:153
#10 0x000000000059c0c8 in Snort::process_packet (p=0x610000017f40, pkthdr=0x7fffef7d5a20, pkt=0x61100003bf00 "", is_frag=false) at snort.cc:772
#11 0x000000000059c856 in Snort::packet_callback (pkthdr=0x7fffef7d5a20, pkt=0x61100003bf00 "") at snort.cc:883
#12 0x0000000000a15edd in pcap_process_loop (user=0x61500002fb00 "", pkth=<optimized out>, data=<optimized out>) at daq_pcap.c:370
#13 0x00007ffff6c40ac4 in ?? () from /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
#14 0x0000000000a1594d in pcap_daq_acquire (handle=0x61500002fb00, cnt=0, callback=<optimized out>, metaback=<optimized out>, user=<optimized out>) at daq_pcap.c:388
#15 0x00000000009ad262 in SFDAQInstance::acquire (this=0x60e000006f60, max=0, callback=0x59c632 <Snort::packet_callback(void*, _daq_pkthdr const*, unsigned char const*)>) at sfdaq.cc:487
#16 0x000000000058b56e in Analyzer::analyze (this=0x61200000b740) at analyzer.cc:160
#17 0x000000000058b0a6 in Analyzer::operator() (this=0x61200000b740, ps=0x603000013bd0) at analyzer.cc:98
#18 0x000000000054d312 in std::__invoke<Analyzer, Swapper*>(Analyzer&, Swapper*&&) (__f=...) at /usr/include/c++/5/functional:201
#19 0x000000000054d287 in std::reference_wrapper<Analyzer>::operator()<Swapper*>(Swapper*&&) const (this=0x606000010d30) at /usr/include/c++/5/functional:428
#20 0x000000000054d249 in std::_Bind_simple<std::reference_wrapper<Analyzer> (Swapper*)>::_M_invoke<0ul>(std::_Index_tuple<0ul>) (this=0x606000010d28) at /usr/include/c++/5/functional:1531
#21 0x000000000054d10e in std::_Bind_simple<std::reference_wrapper<Analyzer> (Swapper*)>::operator()() (this=0x606000010d28) at /usr/include/c++/5/functional:1520
#22 0x000000000054d09e in std::thread::_Impl<std::_Bind_simple<std::reference_wrapper<Analyzer> (Swapper*)> >::_M_run() (this=0x606000010d10) at /usr/include/c++/5/thread:115
#23 0x00007ffff62f6c80 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#24 0x00007ffff5d1f6ba in start_thread (arg=0x7fffef8aa700) at pthread_create.c:333
#25 0x00007ffff583f82d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
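Added example, not snort3's code and not the fix that landed for #22 (this page does not show that change): the ASan report above is a one-byte READ landing exactly at the end of a 254-byte heap region that libpcap allocated for the packet (frame #1 of the allocation trace), inside the routine that walks the Hop-by-Hop option list. That is the signature of an option walker that trusts the extension header's own length field, or an option's own length byte, instead of the number of bytes actually captured. The C++ below puts such a naive walker beside a bounds-checked one and runs both over four hand-built headers; the function names, result structure and sample packets are invented for this demonstration.

```cpp
// Added example, not snort3 code: a bounds-checked walker for the option TLV
// list of an IPv6 Hop-by-Hop (or Destination) Options extension header
// (RFC 8200, sections 4.2 and 4.3), next to a naive walker that trusts the
// header's own Hdr Ext Len field. Function names and sample packets are
// invented for this demonstration.
#include <cstddef>
#include <cstdint>
#include <cstdio>

enum class OptStatus { Ok, TruncatedHeader, OptionOverrunsHeader };

struct OptResult {
    OptStatus status;
    size_t options_seen;   // TLVs (Pad1 included) fully parsed
    size_t bytes_touched;  // one past the highest offset the walker read
};

// Header layout: [Next Header][Hdr Ext Len][options ...]. Hdr Ext Len counts
// 8-octet units beyond the first 8, so the whole header is (len + 1) * 8 bytes.
static size_t declared_header_len(const uint8_t* hdr) {
    return (static_cast<size_t>(hdr[1]) + 1) * 8;
}

// Naive walker: hdr_end is taken from the declared length and never compared
// with `len`, the number of bytes actually captured, so a short packet makes it
// read past the buffer. It is only called here on zero-padded arrays that are
// larger than `len`, which keeps this demonstration itself in bounds.
OptResult naive_walk(const uint8_t* pkt, size_t len) {
    OptResult r{OptStatus::Ok, 0, 0};
    if (len < 2) { r.status = OptStatus::TruncatedHeader; return r; }
    const size_t hdr_end = declared_header_len(pkt);
    size_t off = 2;
    while (off < hdr_end) {
        const uint8_t type = pkt[off];          // unchecked against len
        r.bytes_touched = off + 1;
        if (type == 0) { off += 1; r.options_seen++; continue; }   // Pad1 has no length byte
        const uint8_t olen = pkt[off + 1];      // unchecked against len and hdr_end
        r.bytes_touched = off + 2;
        if (off + 2 + olen > hdr_end) { r.status = OptStatus::OptionOverrunsHeader; return r; }
        off += 2 + olen;
        r.options_seen++;
    }
    return r;
}

// Hardened walker: the declared length is checked against the captured length
// before any option is read, and the type/length prefix is checked separately
// from the option data, so a header that ends right after a type byte is
// rejected rather than read one byte past.
OptResult safe_walk(const uint8_t* pkt, size_t len) {
    OptResult r{OptStatus::Ok, 0, 0};
    if (len < 2) { r.status = OptStatus::TruncatedHeader; return r; }
    const size_t hdr_end = declared_header_len(pkt);
    r.bytes_touched = 2;
    if (hdr_end > len) { r.status = OptStatus::TruncatedHeader; return r; }
    size_t off = 2;
    while (off < hdr_end) {
        const uint8_t type = pkt[off];
        r.bytes_touched = off + 1;
        if (type == 0) { off += 1; r.options_seen++; continue; }
        if (off + 1 >= hdr_end) { r.status = OptStatus::OptionOverrunsHeader; return r; } // no room for a length byte
        const uint8_t olen = pkt[off + 1];
        r.bytes_touched = off + 2;
        if (olen > hdr_end - (off + 2)) { r.status = OptStatus::OptionOverrunsHeader; return r; }
        off += 2 + olen;
        r.options_seen++;
    }
    return r;
}

// Constructed samples, each in a 32-byte zero-filled array; kCaptured is the
// number of bytes a capture would actually have delivered (8 in every case).
static const size_t kPad = 32;
static const uint8_t kGood[kPad]         = { 59, 0, 1, 4, 0, 0, 0, 0 };   // Next Header 59, 8-byte header, one PadN(4)
static const uint8_t kTruncated[kPad]    = { 59, 1, 1, 4, 0, 0, 0, 0 };   // claims 16 bytes, only 8 captured
static const uint8_t kDanglingType[kPad] = { 59, 0, 0, 0, 0, 0, 0, 1 };   // last header byte is a type with no length byte
static const uint8_t kOverrun[kPad]      = { 59, 0, 1, 10, 0, 0, 0, 0 };  // PadN claims 10 data bytes in an 8-byte header
static const size_t kCaptured = 8;

static const char* status_name(OptStatus s) {
    switch (s) {
        case OptStatus::Ok: return "ok";
        case OptStatus::TruncatedHeader: return "truncated-header";
        default: return "option-overruns-header";
    }
}

int main() {
    struct Case { const char* label; const uint8_t* pkt; } cases[] = {
        { "good", kGood }, { "truncated", kTruncated },
        { "dangling-type", kDanglingType }, { "overrun", kOverrun } };
    for (const Case& c : cases) {
        const OptResult n = naive_walk(c.pkt, kCaptured);
        const OptResult s = safe_walk(c.pkt, kCaptured);
        std::printf("%-14s naive: %-22s read %2zu of %zu bytes%s | safe: %-22s read %zu\n",
                    c.label, status_name(n.status), n.bytes_touched, kCaptured,
                    n.bytes_touched > kCaptured ? " (OVERREAD)" : "",
                    status_name(s.status), s.bytes_touched);
    }
    return 0;
}
```

The "dangling-type" sample is the shape that matches the report: the naive walker reaches a non-Pad1 type byte as the last byte of the header and fetches the length byte one past it, a READ of size 1 immediately past the end of the buffer. The "truncated" sample shows the other half of the same check: a Hdr Ext Len that promises more than the capture holds sends the naive walker eight bytes past the data, while the hardened walker refuses the header before touching any option. Note that the hardened version rejects a truncated header outright rather than parsing what was captured; a decoder that wants to keep going would have to clamp hdr_end to len and flag the event instead.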
Collaborator

snortadmin commented May 3, 2017

Thanks. This is the same as issue #22. I will close this when that is closed.

Collaborator

snortadmin commented May 4, 2017

Fixed, see #22.

@snortadmin snortadmin closed this May 4, 2017