
[meta-security,scarthgap] suricata: Fix CVE-2024-55605

Message ID 20250401084743.77141-1-hprajapati@mvista.com

Commit Message

Hitendra Prajapati April 1, 2025, 8:47 a.m. UTC
Upstream-Status: Backport from https://github.com/OISF/suricata/commit/f80ebd5a30b02db5915f749f0c067c7adefbbe76 && https://github.com/OISF/suricata/commit/c3a6abf60134c2993ee3802ee52206e9fdbf55ba

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 .../suricata/files/CVE-2024-55605.patch       | 205 ++++++++++++++++++
 recipes-ids/suricata/suricata_7.0.0.bb        |   1 +
 2 files changed, 206 insertions(+)
 create mode 100644 recipes-ids/suricata/files/CVE-2024-55605.patch

Patch

diff --git a/recipes-ids/suricata/files/CVE-2024-55605.patch b/recipes-ids/suricata/files/CVE-2024-55605.patch
new file mode 100644
index 0000000..c8bfead
--- /dev/null
+++ b/recipes-ids/suricata/files/CVE-2024-55605.patch
@@ -0,0 +1,205 @@ 
+From f80ebd5a30b02db5915f749f0c067c7adefbbe76 Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <pantoine@oisf.net>
+Date: Thu, 7 Nov 2024 17:49:45 +0100
+Subject: [PATCH] detect/transforms: write directly in inspect buffer
+
+instead of writing to a temporary buffer and then copying,
+to save the cost of copying.
+
+Ticket: 7229
+
+Upstream-Status: Backport [https://github.com/OISF/suricata/commit/f80ebd5a30b02db5915f749f0c067c7adefbbe76 && https://github.com/OISF/suricata/commit/c3a6abf60134c2993ee3802ee52206e9fdbf55ba]
+CVE: CVE-2024-55605
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/detect-engine.c                        | 23 ++++++++++++++++++++--
+ src/detect-engine.h                        |  3 ++-
+ src/detect-transform-compress-whitespace.c |  8 ++++++--
+ src/detect-transform-dotprefix.c           | 10 +++++++---
+ src/detect-transform-strip-whitespace.c    |  8 ++++++--
+ src/detect-transform-urldecode.c           |  8 ++++++--
+ src/detect-transform-xor.c                 |  7 +++++--
+ 7 files changed, 53 insertions(+), 14 deletions(-)
+
+diff --git a/src/detect-engine.c b/src/detect-engine.c
+index 141b48a..cdb24d8 100644
+--- a/src/detect-engine.c
++++ b/src/detect-engine.c
+@@ -1647,11 +1647,13 @@ void InspectionBufferFree(InspectionBuffer *buffer)
+ /**
+  * \brief make sure that the buffer has at least 'min_size' bytes
+  * Expand the buffer if necessary
++ *
++ * \retval pointer to inner buffer to use, or NULL if realloc failed
+  */
+-void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size)
++uint8_t *InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size)
+ {
+     if (likely(buffer->size >= min_size))
+-        return;
++        return buffer->buf;
+ 
+     uint32_t new_size = (buffer->size == 0) ? 4096 : buffer->size;
+     while (new_size < min_size) {
+@@ -1662,7 +1664,24 @@ void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size)
+     if (ptr != NULL) {
+         buffer->buf = ptr;
+         buffer->size = new_size;
++    } else {
++        return NULL;
+     }
++    return buffer->buf;
++}
++
++/**
++ * \brief set inspect length of inspect buffer
++ * The inspect buffer may have been overallocated (by strip_whitespace for example)
++ * so, this sets the final length
++ */
++void InspectionBufferTruncate(InspectionBuffer *buffer, uint32_t buf_len)
++{
++    DEBUG_VALIDATE_BUG_ON(buffer->buf == NULL);
++    DEBUG_VALIDATE_BUG_ON(buf_len > buffer->size);
++    buffer->inspect = buffer->buf;
++    buffer->inspect_len = buf_len;
++    buffer->initialized = true;
+ }
+ 
+ void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len)
+diff --git a/src/detect-engine.h b/src/detect-engine.h
+index 7617e66..04713a7 100644
+--- a/src/detect-engine.h
++++ b/src/detect-engine.h
+@@ -31,7 +31,8 @@ void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size);
+ void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id,
+         InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len);
+ void InspectionBufferFree(InspectionBuffer *buffer);
+-void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size);
++uint8_t *InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size);
++void InspectionBufferTruncate(InspectionBuffer *buffer, uint32_t buf_len);
+ void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len);
+ void InspectionBufferApplyTransforms(InspectionBuffer *buffer,
+         const DetectEngineTransforms *transforms);
+diff --git a/src/detect-transform-compress-whitespace.c b/src/detect-transform-compress-whitespace.c
+index 5cbf0fd..cc78c7e 100644
+--- a/src/detect-transform-compress-whitespace.c
++++ b/src/detect-transform-compress-whitespace.c
+@@ -111,7 +111,11 @@ static void TransformCompressWhitespace(InspectionBuffer *buffer, void *options)
+         return;
+     }
+ 
+-    uint8_t output[input_len]; // we can only shrink
++    // we can only shrink
++    uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len);
++    if (output == NULL) {
++        return;
++    }
+     uint8_t *oi = output, *os = output;
+ 
+     //PrintRawDataFp(stdout, input, input_len);
+@@ -132,7 +136,7 @@ static void TransformCompressWhitespace(InspectionBuffer *buffer, void *options)
+     uint32_t output_size = oi - os;
+     //PrintRawDataFp(stdout, output, output_size);
+ 
+-    InspectionBufferCopy(buffer, os, output_size);
++    InspectionBufferTruncate(buffer, output_size);
+ }
+ 
+ #ifdef UNITTESTS
+diff --git a/src/detect-transform-dotprefix.c b/src/detect-transform-dotprefix.c
+index 52a2633..d58e1d4 100644
+--- a/src/detect-transform-dotprefix.c
++++ b/src/detect-transform-dotprefix.c
+@@ -110,11 +110,15 @@ static void TransformDotPrefix(InspectionBuffer *buffer, void *options)
+     const size_t input_len = buffer->inspect_len;
+ 
+     if (input_len) {
+-        uint8_t output[input_len + 1]; // For the leading '.'
++        // For the leading '.'
++        uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len + 1);
++        if (output == NULL) {
++            return;
++        }
+ 
++        memmove(&output[1], buffer->inspect, input_len);
+         output[0] = '.';
+-        memcpy(&output[1], buffer->inspect, input_len);
+-        InspectionBufferCopy(buffer, output, input_len + 1);
++        InspectionBufferTruncate(buffer, input_len + 1);
+     }
+ }
+ 
+diff --git a/src/detect-transform-strip-whitespace.c b/src/detect-transform-strip-whitespace.c
+index 32fb96f..6040592 100644
+--- a/src/detect-transform-strip-whitespace.c
++++ b/src/detect-transform-strip-whitespace.c
+@@ -106,7 +106,11 @@ static void TransformStripWhitespace(InspectionBuffer *buffer, void *options)
+     if (input_len == 0) {
+         return;
+     }
+-    uint8_t output[input_len]; // we can only shrink
++    // we can only shrink
++    uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len);
++    if (output == NULL) {
++        return;
++    }
+     uint8_t *oi = output, *os = output;
+ 
+     //PrintRawDataFp(stdout, input, input_len);
+@@ -119,7 +123,7 @@ static void TransformStripWhitespace(InspectionBuffer *buffer, void *options)
+     uint32_t output_size = oi - os;
+     //PrintRawDataFp(stdout, output, output_size);
+ 
+-    InspectionBufferCopy(buffer, os, output_size);
++    InspectionBufferTruncate(buffer, output_size);
+ }
+ 
+ #ifdef UNITTESTS
+diff --git a/src/detect-transform-urldecode.c b/src/detect-transform-urldecode.c
+index 13ef033..a4e9655 100644
+--- a/src/detect-transform-urldecode.c
++++ b/src/detect-transform-urldecode.c
+@@ -125,12 +125,16 @@ static void TransformUrlDecode(InspectionBuffer *buffer, void *options)
+     if (input_len == 0) {
+         return;
+     }
+-    uint8_t output[input_len]; // we can only shrink
++    // we can only shrink
++    uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len);
++    if (output == NULL) {
++        return;
++    }
+ 
+     changed = BufferUrlDecode(input, input_len, output, &output_size);
+ 
+     if (changed) {
+-        InspectionBufferCopy(buffer, output, output_size);
++        InspectionBufferTruncate(buffer, output_size);
+     }
+ }
+ 
+diff --git a/src/detect-transform-xor.c b/src/detect-transform-xor.c
+index e42700f..18f96df 100644
+--- a/src/detect-transform-xor.c
++++ b/src/detect-transform-xor.c
+@@ -133,12 +133,15 @@ static void DetectTransformXor(InspectionBuffer *buffer, void *options)
+     if (input_len == 0) {
+         return;
+     }
+-    uint8_t output[input_len];
++    uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len);
++    if (output == NULL) {
++        return;
++    }
+ 
+     for (uint32_t i = 0; i < input_len; i++) {
+         output[i] = input[i] ^ pxd->key[i % pxd->length];
+     }
+-    InspectionBufferCopy(buffer, output, input_len);
++    InspectionBufferTruncate(buffer, input_len);
+ }
+ 
+ #ifdef UNITTESTS
+-- 
+2.25.1
+
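Review bot: After a successful reallocation in `InspectionBufferCheckAndExpand`, `buffer->buf` and `buffer->size` are updated but `buffer->inspect` is not, so if `inspect` already aliases `buf` from an earlier transform — which the switch from `memcpy` to `memmove` in TransformDotPrefix suggests can happen — a growing request such as dotprefix's `input_len + 1` may move the block and leave `buffer->inspect` pointing at freed memory that `memmove(&output[1], buffer->inspect, input_len)` then reads. The shrinking transforms (compress/strip whitespace, urldecode, xor) are not affected because `input_len <= size` whenever `inspect` aliases `buf`, so only the growth path needs a guard; I would record the alias before the reallocation, `const bool aliased = (buffer->inspect == buffer->buf);`, and in the `ptr != NULL` branch add `if (aliased) buffer->inspect = ptr;` ahead of `buffer->buf = ptr;`. Whether the transform driver can actually reach that state needs confirming against the caller, which is outside the patch. Separately, every `if (output == NULL) return;` leaves the untransformed input as the inspect data, so a failed allocation silently inspects the original bytes; a comment such as `// allocation failure: inspect the untransformed input` at each of those returns would make that fail-open choice explicit. The realloc statement itself falls between the two detect-engine.c hunks and is not visible here.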
diff --git a/recipes-ids/suricata/suricata_7.0.0.bb b/recipes-ids/suricata/suricata_7.0.0.bb
index e5d6ed1..1cb02f4 100644
--- a/recipes-ids/suricata/suricata_7.0.0.bb
+++ b/recipes-ids/suricata/suricata_7.0.0.bb
@@ -18,6 +18,7 @@  SRC_URI += " \
     file://fixup.patch \
     file://CVE-2024-45795.patch \
     file://CVE-2024-45796.patch \
+    file://CVE-2024-55605.patch \
     "
 
 inherit autotools pkgconfig python3native systemd ptest cargo cargo-update-recipe-crates