Http1 removetx 5921 v9

[catenacyber]

https://redmine.openinfosecfoundation.org/issues/5921

Optimizations after 2fa8691

[victorjulien]

I see this consistently trigger a double free condition, but only in Suricata in unix mode. Trying to get more details.

[catenacyber]

Waiting for the details then :-)

[victorjulien]

=================================================================
==24931==ERROR: AddressSanitizer: heap-use-after-free on address 0x61400072f060 at pc 0x7f18ce4e3027 bp 0x7f18aa67bca0 sp 0x7f18aa67bc90
READ of size 8 at 0x61400072f060 thread T136611 (W#30)
    #0 0x7f18ce4e3026 in htp_tx_get_user_data /builds/inliniac/suricata-ci/suricata/libhtp/htp/htp_transaction.c:228
    #1 0x5568609d1840 in HTPStateFree (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x2c4840)
    #2 0x5568609f58d1 in AppLayerParserStateProtoCleanup (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x2e88d1)
    #3 0x5568609f599c in AppLayerParserStateCleanup (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x2e899c)
    #4 0x556860bb22a3 in FlowCleanupAppLayer (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x4a52a3)
    #5 0x556860bb97e6 in FlowClearMemory (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x4ac7e6)
    #6 0x556860bdcc0a in CheckWorkQueue (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x4cfc0a)
    #7 0x556860bdeee9 in FlowWorkerProcessLocalFlows (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x4d1ee9)
    #8 0x556860be097f in FlowWorker (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x4d397f)
    #9 0x556860960801 in TmThreadsSlotVarRun (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x253801)
    #10 0x556860962ae3 in TmThreadsSlotVar (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x255ae3)
    #11 0x7f18ce060ac2  (/lib/x86_64-linux-gnu/libc.so.6+0x94ac2)
    #12 0x7f18ce0f1a03 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x125a03)

0x61400072f060 is located 32 bytes inside of 400-byte region [0x61400072f040,0x61400072f1d0)
freed by thread T136611 (W#30) here:
    #0 0x7f18ce5c5537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x7f18ce4e7c27 in htp_tx_destroy /builds/inliniac/suricata-ci/suricata/libhtp/htp/htp_transaction.c:122
    #2 0x7f18ce4e7c27 in htp_tx_destroy /builds/inliniac/suricata-ci/suricata/libhtp/htp/htp_transaction.c:117
    #3 0x5568609d1a70 in HTPStateTransactionFree (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x2c4a70)
    #4 0x5568609f2195 in AppLayerParserTransactionsCleanup (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x2e5195)
    #5 0x556860bde7e2 in FlowWorkerFlowTimeout (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x4d17e2)
    #6 0x556860bdc48e in FlowFinish (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x4cf48e)
    #7 0x556860bdc8f1 in CheckWorkQueue (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x4cf8f1)
    #8 0x556860bdeee9 in FlowWorkerProcessLocalFlows (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x4d1ee9)
    #9 0x556860be097f in FlowWorker (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x4d397f)
    #10 0x556860960801 in TmThreadsSlotVarRun (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x253801)
    #11 0x556860962ae3 in TmThreadsSlotVar (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x255ae3)
    #12 0x7f18ce060ac2  (/lib/x86_64-linux-gnu/libc.so.6+0x94ac2)

previously allocated by thread T136611 (W#30) here:
    #0 0x7f18ce5c5a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x7f18ce4e2a9f in htp_tx_create /builds/inliniac/suricata-ci/suricata/libhtp/htp/htp_transaction.c:59
    #2 0x7f18ce4c6e3c in htp_connp_tx_create /builds/inliniac/suricata-ci/suricata/libhtp/htp/htp_connection_parser.c:210
    #3 0x7f18ce4d34e9 in htp_connp_REQ_IDLE /builds/inliniac/suricata-ci/suricata/libhtp/htp/htp_request.c:950
    #4 0x7f18ce4d34e9 in htp_connp_REQ_IDLE /builds/inliniac/suricata-ci/suricata/libhtp/htp/htp_request.c:942
    #5 0x7f18ce4d6b64 in htp_connp_req_data /builds/inliniac/suricata-ci/suricata/libhtp/htp/htp_request.c:1075
    #6 0x5568609d3244 in HTPHandleRequestData (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x2c6244)
    #7 0x5568609f44c6 in AppLayerParserParse (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x2e74c6)
    #8 0x5568609b3b7d in TCPProtoDetect (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x2a6b7d)
    #9 0x5568609b4c6a in AppLayerHandleTCPData (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x2a7c6a)
    #10 0x556860cf2388 in ReassembleUpdateAppLayer (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x5e5388)
    #11 0x556860cf29ec in StreamTcpReassembleAppLayer (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x5e59ec)
    #12 0x556860cf6096 in StreamTcpReassembleHandleSegmentUpdateACK (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x5e9096)
    #13 0x556860cf6464 in StreamTcpReassembleHandleSegment (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x5e9464)
    #14 0x556860caf835 in HandleEstablishedPacketToClient (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x5a2835)
    #15 0x556860cb399a in StreamTcpPacketStateEstablished (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x5a699a)
    #16 0x556860cd1ceb in StreamTcpStateDispatch (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x5c4ceb)
    #17 0x556860cd3438 in StreamTcpPacket (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x5c6438)
    #18 0x556860cd4c95 in StreamTcp (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x5c7c95)
    #19 0x556860bde109 in FlowWorkerStreamTCPUpdate (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x4d1109)
    #20 0x556860bdfbe4 in FlowWorker (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x4d2be4)
    #21 0x556860960801 in TmThreadsSlotVarRun (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x253801)
    #22 0x556860962ae3 in TmThreadsSlotVar (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x255ae3)
    #23 0x7f18ce060ac2  (/lib/x86_64-linux-gnu/libc.so.6+0x94ac2)

Thread T136611 (W#30) created by T1 (US) here:
    #0 0x7f18ce569685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x5568609687d5 in TmThreadSpawn (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x25b7d5)
    #2 0x556860e81741 in RunModeFilePcapAutoFp (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x774741)
    #3 0x556860c66877 in RunModeDispatch (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x559877)
    #4 0x556860c6cfd4 in UnixSocketPcapFilesCheck (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x55ffd4)
    #5 0x55686096f097 in UnixCommandBackgroundTasks (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x262097)
    #6 0x556860972c00 in UnixManager (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x265c00)
    #7 0x55686096350a in TmThreadsManagement (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x25650a)
    #8 0x7f18ce060ac2  (/lib/x86_64-linux-gnu/libc.so.6+0x94ac2)

Thread T1 (US) created by T0 (Suricata-Main) here:
    #0 0x7f18ce569685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x5568609687d5 in TmThreadSpawn (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x25b7d5)
    #2 0x556860972cf1 in UnixManagerThreadSpawn (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x265cf1)
    #3 0x556860c72db0 in RunModeUnixSocketMaster (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x565db0)
    #4 0x556860c66877 in RunModeDispatch (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x559877)
    #5 0x55686095b75b in SuricataMain (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x24e75b)
    #6 0x55686094c9ec in main (/builds/inliniac/suricata-ci/suricata/src/.libs/suricata+0x23f9ec)
    #7 0x7f18cdff5d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/inliniac/suricata-ci/suricata/libhtp/htp/htp_transaction.c:228 in htp_tx_get_user_data
Shadow bytes around the buggy address:
  0x0c28800dddb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c28800dddc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c28800dddd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c28800ddde0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c28800dddf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c28800dde00: fa fa fa fa fa fa fa fa fd fd fd fd[fd]fd fd fd
  0x0c28800dde10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c28800dde20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c28800dde30: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c28800dde40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c28800dde50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==24931==ABORTING

Still unclear why this happens only with unix socket.

[catenacyber]

Ok, this seems to prove that the hypothesis that HTPStateTransactionFree will only replace the tx by NULL when freeing it is not true.
That means the updated htp_conn_remove_tx fails to do so either by

• not nulling the right one
• not nulling anything

Could you run #417 and tell if one abort ? (before the uaf)

[catenacyber]

Replaced by #418