https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16342
Bug ID: 16342
Summary: [oss-fuzz] Heap-use-after-free in ROS
Product: Wireshark
Version: Git
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: Major
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: bugzilla-ad...@wireshark.org
Reporter: ger...@wireshark.org
Target Milestone: ---
Created attachment 17582
--> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=17582&action=edit
Reproducer testcase
Build Information:
Paste the COMPLETE build information from "Help->About Wireshark", "wireshark -v", or "tshark -v".
--
OSS-Fuzz found an issue in the ROS dissector:
[Environment]
ASAN_OPTIONS="alloc_dealloc_mismatch=0:allocator_may_return_null=1:allocator_release_to_os_interval_ms=500:allow_user_segv_handler=0:check_malloc_usable_size=0:detect_leaks=1:detect_odr_violation=0:detect_stack_use_after_return=1:fast_unwind_on_fatal=0:handle_abort=1:handle_segv=1:handle_sigbus=1:handle_sigfpe=1:handle_sigill=1:max_uar_stack_size_log=16:print_scariness=1:print_summary=1:print_suppressions=0:quarantine_size_mb=64:redzone=32:strict_memcmp=1:strip_path_prefix=/workspace/:symbolize=0:use_sigaltstack=1"
+---------------------------------------- Release Build Stacktrace ----------------------------------------+
=================================================================
==1062==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000134ed0 at pc 0x000000431809 bp 0x7fffffffa7b0 sp 0x7fffffff9f70
READ of size 2 at 0x603000134ed0 thread T0
SCARINESS: 42 (2-byte-read-heap-use-after-free)
#0 0x431808 in strlen
/src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:370:5
#1 0x8e8234 in wmem_str_hash
/src/wireshark/epan/wmem/wmem_map.c:461:50
#2 0x8e723e in wmem_map_lookup
/src/wireshark/epan/wmem/wmem_map.c:264:23
#3 0x2610833 in ros_try_string
/work/build/asn1/ros/packet-ros-template.c:136:66
#4 0x2610833 in call_ros_oid_callback
/work/build/asn1/ros/packet-ros-template.c:199:13
#5 0xab74b8 in dissect_ber_sequence
/src/wireshark/epan/dissectors/packet-ber.c:2438:17
#6 0x21d2551 in dissect_idmp_Request
/work/build/asn1/idmp/packet-idmp-fn.c:186:12
#7 0xababae in dissect_ber_choice
/src/wireshark/epan/dissectors/packet-ber.c:2954:21
#8 0x21d2128 in dissect_idmp_IDM_PDU
/work/build/asn1/idmp/packet-idmp-fn.c:415:12
#9 0x21d2128 in dissect_idmp
/work/build/asn1/idmp/packet-idmp-template.c:213:9
#10 0x1b5471c in tcp_dissect_pdus
/src/wireshark/epan/dissectors/packet-tcp.c:3856:13
#11 0x21d1b9a in dissect_idmp_tcp
/work/build/asn1/idmp/packet-idmp-template.c:231:5
#12 0x6508a1 in call_dissector_through_handle
/src/wireshark/epan/packet.c:706:9
#13 0x6508a1 in call_dissector_work
/src/wireshark/epan/packet.c:799:9
#14 0x650309 in dissector_try_uint_new
/src/wireshark/epan/packet.c:1399:8
#15 0x1b55ee9 in decode_tcp_ports
/src/wireshark/epan/dissectors/packet-tcp.c:5868:9
#16 0x1b5b513 in process_tcp_payload
/src/wireshark/epan/dissectors/packet-tcp.c:5931:13
#17 0x1b5722a in dissect_tcp_payload
/src/wireshark/epan/dissectors/packet-tcp.c:6013:9
#18 0x1b6662d in dissect_tcp
/src/wireshark/epan/dissectors/packet-tcp.c:0
#19 0x6508a1 in call_dissector_through_handle
/src/wireshark/epan/packet.c:706:9
#20 0x6508a1 in call_dissector_work
/src/wireshark/epan/packet.c:799:9
#21 0x650309 in dissector_try_uint_new
/src/wireshark/epan/packet.c:1399:8
#22 0x125dafa in ip_try_dissect
/src/wireshark/epan/dissectors/packet-ip.c:1835:7
#23 0x125dafa in dissect_ip_v4
/src/wireshark/epan/dissectors/packet-ip.c:2295:10
#24 0x125a067 in dissect_ip
/src/wireshark/epan/dissectors/packet-ip.c:2319:5
#25 0x6508a1 in call_dissector_through_handle
/src/wireshark/epan/packet.c:706:9
#26 0x6508a1 in call_dissector_work
/src/wireshark/epan/packet.c:799:9
#27 0x659fa1 in call_dissector_only
/src/wireshark/epan/packet.c:3208:8
#28 0x659fa1 in call_all_postdissectors
/src/wireshark/epan/packet.c:3583:3
#29 0xfbc1e5 in dissect_frame
/src/wireshark/epan/dissectors/packet-frame.c:737:5
#30 0x6508a1 in call_dissector_through_handle
/src/wireshark/epan/packet.c:706:9
#31 0x6508a1 in call_dissector_work
/src/wireshark/epan/packet.c:799:9
#32 0x64cfcb in call_dissector_only
/src/wireshark/epan/packet.c:3208:8
#33 0x64cfcb in call_dissector_with_data
/src/wireshark/epan/packet.c:3221:8
#34 0x64c73a in dissect_record /src/wireshark/epan/packet.c:580:3
#35 0x63fac7 in epan_dissect_run /src/wireshark/epan/epan.c:584:2
#36 0x4cb1de in LLVMFuzzerTestOneInput
/src/wireshark/fuzz/fuzzshark.c:381:2
#37 0x292cfc9 in HonggfuzzPersistentLoop
#38 0x292cf64 in HonggfuzzMain
#39 0x7ffff6ee582f in __libc_start_main
/build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
#40 0x41e878 in _start
0x603000134ed1 is located 0 bytes to the right of 1-byte region [0x603000134ed0,0x603000134ed1)
freed by thread T0 here:
#0 0x4971dd in free
/src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
#1 0x8e3e43 in wmem_simple_free_all
/src/wireshark/epan/wmem/wmem_allocator_simple.c:95:9
#2 0x8e8dce in wmem_leave_packet_scope
/src/wireshark/epan/wmem/wmem_scopes.c:69:5
#3 0x4cb1de in LLVMFuzzerTestOneInput
/src/wireshark/fuzz/fuzzshark.c:381:2
#4 0x292cfc9 in HonggfuzzPersistentLoop
previously allocated by thread T0 here:
#0 0x49745d in __interceptor_malloc
/src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x2977a48 in g_malloc
#2 0x8eac54 in wmem_strdup
/src/wireshark/epan/wmem/wmem_strutl.c:41:28
#3 0x91aaab in oid_encoded2string /src/wireshark/epan/oids.c:1149:9
#4 0xabc7ed in dissect_ber_any_oid_str
/src/wireshark/epan/dissectors/packet-ber.c:3280:30
#5 0xabc7ed in dissect_ber_object_identifier_str
/src/wireshark/epan/dissectors/packet-ber.c:3314:12
#6 0x21d2892 in dissect_idmp_OBJECT_IDENTIFIER
/work/build/asn1/idmp/packet-idmp-fn.c:5:12
#7 0xababae in dissect_ber_choice
/src/wireshark/epan/dissectors/packet-ber.c:2954:21
#8 0x21d2d9c in dissect_idmp_Code
/work/build/asn1/idmp/packet-idmp-fn.c:157:12
#9 0xab74b8 in dissect_ber_sequence
/src/wireshark/epan/dissectors/packet-ber.c:2438:17
#10 0x21d2551 in dissect_idmp_Request
/work/build/asn1/idmp/packet-idmp-fn.c:186:12
#11 0xababae in dissect_ber_choice
/src/wireshark/epan/dissectors/packet-ber.c:2954:21
#12 0x21d2128 in dissect_idmp_IDM_PDU
/work/build/asn1/idmp/packet-idmp-fn.c:415:12
#13 0x21d2128 in dissect_idmp
/work/build/asn1/idmp/packet-idmp-template.c:213:9
#14 0x1b5471c in tcp_dissect_pdus
/src/wireshark/epan/dissectors/packet-tcp.c:3856:13
#15 0x21d1b9a in dissect_idmp_tcp
/work/build/asn1/idmp/packet-idmp-template.c:231:5
#16 0x6508a1 in call_dissector_through_handle
/src/wireshark/epan/packet.c:706:9
#17 0x6508a1 in call_dissector_work
/src/wireshark/epan/packet.c:799:9
#18 0x650309 in dissector_try_uint_new
/src/wireshark/epan/packet.c:1399:8
#19 0x1b55ee9 in decode_tcp_ports
/src/wireshark/epan/dissectors/packet-tcp.c:5868:9
#20 0x1b5b513 in process_tcp_payload
/src/wireshark/epan/dissectors/packet-tcp.c:5931:13
#21 0x1b5722a in dissect_tcp_payload
/src/wireshark/epan/dissectors/packet-tcp.c:6013:9
#22 0x1b6662d in dissect_tcp
/src/wireshark/epan/dissectors/packet-tcp.c:0
#23 0x6508a1 in call_dissector_through_handle
/src/wireshark/epan/packet.c:706:9
#24 0x6508a1 in call_dissector_work
/src/wireshark/epan/packet.c:799:9
#25 0x650309 in dissector_try_uint_new
/src/wireshark/epan/packet.c:1399:8
#26 0x125dafa in ip_try_dissect
/src/wireshark/epan/dissectors/packet-ip.c:1835:7
#27 0x125dafa in dissect_ip_v4
/src/wireshark/epan/dissectors/packet-ip.c:2295:10
#28 0x125a067 in dissect_ip
/src/wireshark/epan/dissectors/packet-ip.c:2319:5
#29 0x6508a1 in call_dissector_through_handle
/src/wireshark/epan/packet.c:706:9
#30 0x6508a1 in call_dissector_work
/src/wireshark/epan/packet.c:799:9
#31 0x659fa1 in call_dissector_only
/src/wireshark/epan/packet.c:3208:8
#32 0x659fa1 in call_all_postdissectors
/src/wireshark/epan/packet.c:3583:3
#33 0xfbc1e5 in dissect_frame
/src/wireshark/epan/dissectors/packet-frame.c:737:5
#34 0x6508a1 in call_dissector_through_handle
/src/wireshark/epan/packet.c:706:9
#35 0x6508a1 in call_dissector_work
/src/wireshark/epan/packet.c:799:9
#36 0x64cfcb in call_dissector_only
/src/wireshark/epan/packet.c:3208:8
#37 0x64cfcb in call_dissector_with_data
/src/wireshark/epan/packet.c:3221:8
#38 0x64c73a in dissect_record /src/wireshark/epan/packet.c:580:3
SUMMARY: AddressSanitizer: heap-use-after-free
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-honggfuzz_wireshark_9de6374568df96eba97b9288a3fce517c93d2636/revisions/fuzzshark_ip+0x431808)
Shadow bytes around the buggy address:
==1062==ABORTING
Sent via: Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-bugs