
eve/stats: Fix ASAN-detected overflow

Open jlucovsky opened this issue 2 years ago • 5 comments

Continuation of #7222

Link to redmine ticket: 5198

The buffer overflow occurred due to the stats output not being set up with a valid context useful for threaded output. The stats output is created by the main thread - before the stats thread or any other Suricata thread is created.

The hash table was introduced to provide unique mappings for the thread to thread-slot relationship to guarantee that any thread using LogFileEnsureExists uses the proper slot.

Describe changes:

  • Hashtable for thread/file slot mappings
  • Ensure slot exists for stats thread

Updates

  • Rebase

suricata-verify-pr: 927
#suricata-verify-repo:
#suricata-verify-branch:
#suricata-update-pr:
#suricata-update-repo:
#suricata-update-branch:
#libhtp-pr:
#libhtp-repo:
#libhtp-branch:

jlucovsky avatar Jun 03 '22 13:06 jlucovsky
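
An added sketch, not code from this pull request or from Suricata: a thread-to-slot map of the kind the description above names, in which a thread that did not exist when the output was set up (such as the stats thread) gets a slot on its first lookup, and a full table yields -1 rather than an out-of-range index. `SlotMap`, `slot_for_thread`, `MAX_SLOTS` and the thread ids are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_SLOTS 4   /* hypothetical capacity of the per-thread file-slot array */

typedef struct {
    uint64_t thread_id[MAX_SLOTS]; /* key stored at each probe position */
    int slot[MAX_SLOTS];           /* assigned slot, valid when used[i] is set */
    int used[MAX_SLOTS];
    int slot_count;                /* slots handed out so far */
} SlotMap;

/* Map a thread id to its file slot, assigning the next free slot on first use.
 * Never returns an index >= MAX_SLOTS: -1 means no slot is available.
 * Assumption: the caller holds the lock that protects the map. */
int slot_for_thread(SlotMap *m, uint64_t thread_id)
{
    for (int probe = 0; probe < MAX_SLOTS; probe++) {
        int i = (int)((thread_id + (uint64_t)probe) % MAX_SLOTS);
        if (m->used[i] && m->thread_id[i] == thread_id)
            return m->slot[i];      /* known thread: same slot every time */
        if (!m->used[i]) {
            m->used[i] = 1;         /* first call from this thread */
            m->thread_id[i] = thread_id;
            m->slot[i] = m->slot_count++;
            return m->slot[i];
        }
    }
    return -1;                      /* every position belongs to another thread */
}

int main(void)
{
    SlotMap m = {0};
    /* Constructed ids: 9001 stands for a thread started after output setup. */
    uint64_t ids[] = { 9001, 17, 9001, 5, 8, 12 };
    for (size_t k = 0; k < sizeof(ids) / sizeof(ids[0]); k++)
        printf("thread %llu -> slot %d\n",
               (unsigned long long)ids[k], slot_for_thread(&m, ids[k]));
    return 0;
}
```

The caller still has to treat -1 as "no slot" and skip the write; indexing the slot array with it would reintroduce the out-of-bounds access.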

Codecov Report

Merging #7475 (e30ee69) into master (42a661f) will decrease coverage by 0.03%. The diff coverage is 8.86%.

@@            Coverage Diff             @@
##           master    #7475      +/-   ##
==========================================
- Coverage   75.75%   75.71%   -0.04%     
==========================================
  Files         655      655              
  Lines      188393   188431      +38     
==========================================
- Hits       142717   142673      -44     
- Misses      45676    45758      +82     
Flag              Coverage Δ
fuzzcorpus        60.06% <3.79%> (-0.03%)
suricata-verify   52.17% <10.29%> (-0.09%)
unittests         60.88% <0.00%> (-0.02%)


codecov[bot] avatar Jun 03 '22 14:06 codecov[bot]

ERROR:

ERROR: QA failed on tlpw1_files_sha256.

ERROR: QA failed on tlpr1_alerts_cmp.

ERROR: QA failed on ips_afp_drop_chk.

Pipeline 7682

suricata-qa avatar Jun 03 '22 17:06 suricata-qa

If I remember correctly, there was something specific about stats output (in comparison to other outputs), is it related to this?

catenacyber avatar Aug 24 '22 12:08 catenacyber

ERROR:

ERROR: QA failed on tlpw1_files_sha256.

ERROR: QA failed on tlpr1_alerts_cmp.

ERROR: QA failed on ips_afp_drop_chk.

Pipeline 7682

suricata-qa avatar Sep 01 '22 18:09 suricata-qa

> If I remember correctly, there was something specific about stats output (in comparison to other outputs), is it related to this?

The stats context isn't set up correctly without this change iff the process is unable to open the output file. E.g., if the output file is /path/to/restricted/directory/eve.json.

jlucovsky avatar Sep 02 '22 13:09 jlucovsky

ERROR:

ERROR: QA failed on tlpw1_files_sha256.

ERROR: QA failed on tlpr1_alerts_cmp.

ERROR: QA failed on ips_afp_drop_chk.

Pipeline 7682

suricata-qa avatar Dec 20 '22 21:12 suricata-qa

Continued in #8356

jlucovsky avatar Jan 09 '23 15:01 jlucovsky