https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16375
Bug ID: 16375
Summary: [oss-fuzz] Direct-leak in g_malloc (dissect_dhcpopt_sip_servers)
Product: Wireshark
Version: Git
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: Major
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: bugzilla-ad...@wireshark.org
Reporter: ger...@wireshark.org
Target Milestone: ---
Created attachment 17616
--> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=17616&action=edit
Reproducer testcase
Build Information:
Paste the COMPLETE build information from "Help->About Wireshark", "wireshark -v", or "tshark -v".
--
OSS-Fuzz found an issue in the DHCP dissector:
[Environment]
ASAN_OPTIONS="alloc_dealloc_mismatch=0:allocator_may_return_null=1:allocator_release_to_os_interval_ms=500:allow_user_segv_handler=0:check_malloc_usable_size=0:detect_leaks=1:detect_odr_violation=0:detect_stack_use_after_return=1:fast_unwind_on_fatal=0:handle_abort=1:handle_segv=1:handle_sigbus=1:handle_sigfpe=1:handle_sigill=1:max_uar_stack_size_log=16:print_scariness=1:print_summary=1:print_suppressions=0:quarantine_size_mb=64:redzone=16:strict_memcmp=1:strip_path_prefix=/workspace/:symbolize=0:use_sigaltstack=1"
+----------------------------------------Release Build Stacktrace----------------------------------------+
oss-fuzzshark: disabling: ip
oss-fuzzshark: disabling: udp
oss-fuzzshark: disabling: udplite
oss-fuzzshark: disabling: ospf
oss-fuzzshark: disabling: bgp
oss-fuzzshark: disabling: json
oss-fuzzshark: disabling: snort
oss-fuzzshark: configured for dissector: dhcp in table: udp.port
INFO: Seed: 2269737193
INFO: Loaded 1 modules (352024 inline 8-bit counters): 352024 [0xde25fb0, 0xde7bec8),
INFO: Loaded 1 PC tables (352024 PCs): 352024 [0xde7bec8,0xe3db048),
INFO: -fork=1: fuzzing in separate process(s)
INFO: -fork=1: 3316 seed inputs, starting to fuzz in /tmp/libFuzzerTemp.1.dir
#13: cov: 1756 ft: 10898 corp: 3316 exec/s 0 oom/timeout/crash: 0/0/0 time: 7s job: 1 dft_time: 0
INFO: log from the inner process:
oss-fuzzshark: disabling: ip
oss-fuzzshark: disabling: udp
oss-fuzzshark: disabling: udplite
oss-fuzzshark: disabling: ospf
oss-fuzzshark: disabling: bgp
oss-fuzzshark: disabling: json
oss-fuzzshark: disabling: snort
oss-fuzzshark: configured for dissector: dhcp in table: udp.port
INFO: Seed: 2277012495
INFO: Loaded 1 modules (352024 inline 8-bit counters): 352024 [0xde25fb0, 0xde7bec8),
INFO: Loaded 1 PC tables (352024 PCs): 352024 [0xde7bec8,0xe3db048),
INFO: 0 files found in /tmp/libFuzzerTemp.1.dir/C1
INFO: seed corpus: files: 57 min: 243b max: 972b total: 22780b rss: 273Mb
=================================================================
==19==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 80 byte(s) in 1 object(s) allocated from:
#0 0x523ecd in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x2815b48 in g_malloc
#2 0x2737559 in tvb_new_composite /src/wireshark/epan/tvbuff_composite.c:198:18
#3 0xe38f2b in dissect_dhcpopt_sip_servers /src/wireshark/epan/dissectors/packet-dhcp.c:2849:38
#4 0x6d3a22 in call_dissector_through_handle /src/wireshark/epan/packet.c:706:9
#5 0x6d3a22 in call_dissector_work /src/wireshark/epan/packet.c:799:9
#6 0x6d34b9 in dissector_try_uint_new /src/wireshark/epan/packet.c:1399:8
#7 0xe424c2 in dhcp_option /src/wireshark/epan/dissectors/packet-dhcp.c:2060:7
#8 0xe34282 in dissect_dhcpopt_option_overload /src/wireshark/epan/dissectors/packet-dhcp.c:2173:18
#9 0x6d3a22 in call_dissector_through_handle /src/wireshark/epan/packet.c:706:9
#10 0x6d3a22 in call_dissector_work /src/wireshark/epan/packet.c:799:9
#11 0x6d34b9 in dissector_try_uint_new /src/wireshark/epan/packet.c:1399:8
#12 0xe424c2 in dhcp_option /src/wireshark/epan/dissectors/packet-dhcp.c:2060:7
#13 0xe32718 in dissect_dhcp /src/wireshark/epan/dissectors/packet-dhcp.c:7037:18
#14 0x6d3a22 in call_dissector_through_handle /src/wireshark/epan/packet.c:706:9
#15 0x6d3a22 in call_dissector_work /src/wireshark/epan/packet.c:799:9
#16 0x6dc961 in call_dissector_only /src/wireshark/epan/packet.c:3208:8
#17 0x6dc961 in call_all_postdissectors /src/wireshark/epan/packet.c:3583:3
#18 0xffcf9c in dissect_frame /src/wireshark/epan/dissectors/packet-frame.c:737:5
#19 0x6d3a22 in call_dissector_through_handle /src/wireshark/epan/packet.c:706:9
#20 0x6d3a22 in call_dissector_work /src/wireshark/epan/packet.c:799:9
#21 0x6d038b in call_dissector_only /src/wireshark/epan/packet.c:3208:8
#22 0x6d038b in call_dissector_with_data /src/wireshark/epan/packet.c:3221:8
#23 0x6cfb2f in dissect_record /src/wireshark/epan/packet.c:580:3
#24 0x6c33f3 in epan_dissect_run /src/wireshark/epan/epan.c:584:2
#25 0x557b4d in LLVMFuzzerTestOneInput /src/wireshark/fuzz/fuzzshark.c:381:2
#26 0x45c331 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#27 0x45ba55 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
#28 0x45e487 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:765:7
#29 0x45e7f9 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:792:3
#30 0x44cc08 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:824:6
#31 0x476a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#32 0x7fde94f5682f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
================================================================================
The following leaks are not necessarily related to the first leak.
Indirect leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x523ecd in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x2815b48 in g_malloc
SUMMARY: AddressSanitizer: 96 byte(s) leaked in 2 allocation(s).
INFO: a leak has been found in the initial corpus.
INFO: to ignore leaks on libFuzzer side use -detect_leaks=0.
MS: 0 ; base unit: 0000000000000000000000000000000000000000
artifact_prefix='/fuzzer-testcases/'; Test unit written to /fuzzer-testcases/leak-615c401ad2f1af241e557fbd4f01370ed9a19989
Base64:
stat::number_of_executed_units: 13
stat::average_exec_per_sec: 0
stat::new_units_added: 0
stat::slowest_unit_time_sec: 0
stat::peak_rss_mb: 304
INFO: exiting: 77 time: 7s
Sent via: Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-bugs