https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14675

            Bug ID: 14675
           Summary: [oss-fuzz] ASAN: heap-buffer-overflow
                    (run/tshark+0xffbb1) in __interceptor_memcpy.part.40
           Product: Wireshark
           Version: Git
          Hardware: x86-64
               URL: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7166
                OS: Linux
            Status: CONFIRMED
          Severity: Major
          Priority: High
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: pe...@lekensteyn.nl
  Target Milestone: ---

Build Information:
TShark (Wireshark) 2.9.0 (v2.9.0rc0-492-g16a52bff)

Copyright 1998-2018 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.56.0, with zlib 1.2.11, without SMI, with c-ares 1.13.0, with Lua
5.2.4, with GnuTLS 3.5.18, with Gcrypt 1.8.2, with MIT Kerberos, with MaxMind DB
resolver, with nghttp2 1.31.1, with LZ4, with Snappy, with libxml2 2.9.8.

Running on Linux 4.15.15-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31988 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.18, with Gcrypt 1.8.2, with zlib 1.2.11, binary
plugins supported (13 loaded).

Built using clang 4.2.1 Compatible Clang 6.0.0 (tags/RELEASE_600/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7166

Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark:
tshark -Vxr clusterfuzz-testcase-minimized-fuzzshark_ip_proto-udp-5182835867516928.pcap
--
=================================================================
==398==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000457855
at pc 0x56299a2c7bb2 bp 0x7ffc9db49710 sp 0x7ffc9db48ec0
READ of size 32768 at 0x602000457855 thread T0
    #0 0x56299a2c7bb1 in __interceptor_memcpy.part.40 (run/tshark+0xffbb1)
    #1 0x7f35d9b05b2a in inflate (/usr/lib/libz.so.1+0x8b2a)
    #2 0x7f35e6ecd50f in tvb_uncompress epan/tvbuff_zlib.c:103:9
    #3 0x7f35e44555a3 in mcpe_dissect_login epan/dissectors/packet-mcpe.c:230:21
    #4 0x7f35e6ca1c1b in call_dissector_through_handle epan/packet.c:692:9
    #5 0x7f35e6c8c1f7 in call_dissector_work epan/packet.c:777:9
    #6 0x7f35e6c9ac07 in call_dissector_only epan/packet.c:3090:8
    #7 0x7f35e4454dc2 in dissect_mcpe_heur epan/dissectors/packet-mcpe.c:456:16
    #8 0x7f35e44543e0 in dissect_mcpe epan/dissectors/packet-mcpe.c:493:13
    #9 0x7f35e6ca1c1b in call_dissector_through_handle epan/packet.c:692:9
    #10 0x7f35e6c8c1f7 in call_dissector_work epan/packet.c:777:9
    #11 0x7f35e6c9ac07 in call_dissector_only epan/packet.c:3090:8
    #12 0x7f35e4af8c04 in raknet_dissect_common_message epan/dissectors/packet-raknet.c:1180:13
    #13 0x7f35e4af6373 in raknet_dissect_connected_message epan/dissectors/packet-raknet.c:1365:25
    #14 0x7f35e4af4e51 in dissect_raknet epan/dissectors/packet-raknet.c:1414:9
    #15 0x7f35e6ca1c1b in call_dissector_through_handle epan/packet.c:692:9
    #16 0x7f35e6c8c1f7 in call_dissector_work epan/packet.c:777:9
    #17 0x7f35e6c8b255 in dissector_try_uint_new epan/packet.c:1359:8
    #18 0x7f35e6c8caa9 in dissector_try_uint epan/packet.c:1383:9
    #19 0x7f35e53cbb8f in decode_udp_ports epan/dissectors/packet-udp.c:671:7
    #20 0x7f35e53df268 in dissect epan/dissectors/packet-udp.c:1127:5
    #21 0x7f35e53d085f in dissect_udp epan/dissectors/packet-udp.c:1133:3
    #22 0x7f35e6ca1c1b in call_dissector_through_handle epan/packet.c:692:9
    #23 0x7f35e6c8c1f7 in call_dissector_work epan/packet.c:777:9
    #24 0x7f35e6c8b255 in dissector_try_uint_new epan/packet.c:1359:8
    #25 0x7f35e3a0279e in dissect_exported_pdu epan/dissectors/packet-exported_pdu.c:366:17
    #26 0x7f35e6ca1c1b in call_dissector_through_handle epan/packet.c:692:9
    #27 0x7f35e6c8c1f7 in call_dissector_work epan/packet.c:777:9
    #28 0x7f35e6c8b255 in dissector_try_uint_new epan/packet.c:1359:8
    #29 0x7f35e3b28c4d in dissect_frame epan/dissectors/packet-frame.c:579:11
    #30 0x7f35e6ca1c1b in call_dissector_through_handle epan/packet.c:692:9
    #31 0x7f35e6c8c1f7 in call_dissector_work epan/packet.c:777:9
    #32 0x7f35e6c9ac07 in call_dissector_only epan/packet.c:3090:8
    #33 0x7f35e6c83cc1 in call_dissector_with_data epan/packet.c:3103:8
    #34 0x7f35e6c82ff9 in dissect_record epan/packet.c:566:3
    #35 0x7f35e6c31ee8 in epan_dissect_run_with_taps epan/epan.c:542:2
    #36 0x56299a3d61b9 in process_packet_single_pass tshark.c:3541:5
    #37 0x56299a3cf50c in process_cap_file tshark.c:3367:11
    #38 0x56299a3c6e40 in main tshark.c:2051:17
    #39 0x7f35d7e9f06a in __libc_start_main (/usr/lib/libc.so.6+0x2306a)
    #40 0x56299a2a89e9 in _start (run/tshark+0xe09e9)

0x602000457855 is located 1 bytes to the right of 4-byte region [0x602000457850,0x602000457854)
allocated by thread T0 here:
    #0 0x56299a36c191 in malloc (run/tshark+0x1a4191)
    #1 0x7f35d88c7ac9 in g_malloc /build/src/glib/glib/gmem.c:99
    #2 0x7f35e6eaf10e in tvb_memdup epan/tvbuff.c:890:10
    #3 0x7f35e6ecce4c in tvb_uncompress epan/tvbuff_zlib.c:62:20
    #4 0x7f35e44555a3 in mcpe_dissect_login epan/dissectors/packet-mcpe.c:230:21
    #5 0x7f35e6ca1c1b in call_dissector_through_handle epan/packet.c:692:9
    #6 0x7f35e6c8c1f7 in call_dissector_work epan/packet.c:777:9
    #7 0x7f35e6c9ac07 in call_dissector_only epan/packet.c:3090:8
    #8 0x7f35e4454dc2 in dissect_mcpe_heur epan/dissectors/packet-mcpe.c:456:16
    #9 0x7f35e44543e0 in dissect_mcpe epan/dissectors/packet-mcpe.c:493:13
    #10 0x7f35e6ca1c1b in call_dissector_through_handle epan/packet.c:692:9
    #11 0x7f35e6c8c1f7 in call_dissector_work epan/packet.c:777:9
    #12 0x7f35e6c9ac07 in call_dissector_only epan/packet.c:3090:8
    #13 0x7f35e4af8c04 in raknet_dissect_common_message epan/dissectors/packet-raknet.c:1180:13
    #14 0x7f35e4af6373 in raknet_dissect_connected_message epan/dissectors/packet-raknet.c:1365:25
    #15 0x7f35e4af4e51 in dissect_raknet epan/dissectors/packet-raknet.c:1414:9
    #16 0x7f35e6ca1c1b in call_dissector_through_handle epan/packet.c:692:9
    #17 0x7f35e6c8c1f7 in call_dissector_work epan/packet.c:777:9
    #18 0x7f35e6c8b255 in dissector_try_uint_new epan/packet.c:1359:8
    #19 0x7f35e6c8caa9 in dissector_try_uint epan/packet.c:1383:9
    #20 0x7f35e53cbb8f in decode_udp_ports epan/dissectors/packet-udp.c:671:7
    #21 0x7f35e53df268 in dissect epan/dissectors/packet-udp.c:1127:5
    #22 0x7f35e53d085f in dissect_udp epan/dissectors/packet-udp.c:1133:3
    #23 0x7f35e6ca1c1b in call_dissector_through_handle epan/packet.c:692:9
    #24 0x7f35e6c8c1f7 in call_dissector_work epan/packet.c:777:9
    #25 0x7f35e6c8b255 in dissector_try_uint_new epan/packet.c:1359:8
    #26 0x7f35e3a0279e in dissect_exported_pdu epan/dissectors/packet-exported_pdu.c:366:17
    #27 0x7f35e6ca1c1b in call_dissector_through_handle epan/packet.c:692:9
    #28 0x7f35e6c8c1f7 in call_dissector_work epan/packet.c:777:9
    #29 0x7f35e6c8b255 in dissector_try_uint_new epan/packet.c:1359:8

SUMMARY: AddressSanitizer: heap-buffer-overflow (run/tshark+0xffbb1) in __interceptor_memcpy.part.40
Shadow bytes around the buggy address:
  0x0c0480082eb0: fa fa 04 fa fa fa 00 fa fa fa 00 02 fa fa 00 05
  0x0c0480082ec0: fa fa 00 05 fa fa 00 05 fa fa fd fa fa fa 00 00
  0x0c0480082ed0: fa fa 00 00 fa fa 06 fa fa fa 00 00 fa fa 00 05
  0x0c0480082ee0: fa fa 00 01 fa fa 00 01 fa fa 00 00 fa fa 00 00
  0x0c0480082ef0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c0480082f00: fa fa 00 00 fa fa 00 fa fa fa[04]fa fa fa fa fa
  0x0c0480082f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480082f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480082f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480082f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480082f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==398==ABORTING

-- 
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs