https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16487

            Bug ID: 16487
           Summary: tshark live capture finishes with an out-of-bounds
                    read
           Product: Wireshark
           Version: 3.2.3
          Hardware: All
                OS: All
            Status: CONFIRMED
          Severity: Major
          Priority: Medium
         Component: TShark
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: pe...@lekensteyn.nl
  Target Milestone: ---

Build Information:
TShark (Wireshark) 3.3.0 (v3.3.0rc0-972-g43c4e886256a)

Copyright 1998-2020 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.62.2, with zlib 1.2.11, without SMI, with c-ares 1.15.0, with Lua
5.2.4, with GnuTLS 3.6.12 and PKCS #11 support, with Gcrypt 1.8.5, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.39.2, with brotli, with LZ4,
with Zstandard, with Snappy, with libxml2 2.9.10.

Running on Linux 5.5.6-arch1-1, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 64143 MB of physical memory, with locale en_US.UTF-8, with
libpcap version 1.9.1 (with TPACKET_V3), with GnuTLS 3.6.12, with Gcrypt 1.8.5,
with brotli 1.0.7, with zlib 1.2.11, binary plugins supported (0 loaded).

Built using clang Clang 9.0.1 .
--
On exiting tshark after a live capture, it crashes due to an out-of-bounds
read.

Steps to reproduce:
1. cmake -GNinja -DENABLE_ASAN=1
2. ninja tshark dumpcap randpktdump
3. tshark -i randpkt -c1
(This is a minimum non-interactive reproducer that does not require capture
permissions. It can also be reproduced with a real interface.)

Expected result:
Capture stops with no issues.

Actual result:
valgrind reports two invalid reads, ASAN blows up (see trace at the end).

More information:
This issue was introduced in commit v3.2.3rc0-57-g84cf682883 (fixing Bug 16457)
which has unfortunately been backported and released today. Apart from git
master, it affects 3.0.10 and 3.2.3 only. I initially triggered it on macOS and
could reproduce this regression on Linux.

ASAN trace:
$ tshark -i randpkt -c1
Capturing on 'Random packet generator: randpkt'
    1   0.000000              → 0x7ad4       IEEE 802.15.4 3595 Reserved, Dst:
0x7ad4[Malformed Packet: length of contained item exceeds length of containing
item][Malformed Packet]
1 packet captured
=================================================================
==140142==ERROR: AddressSanitizer: heap-use-after-free on address
0x604000000550 at pc 0x7efc27003dc5 bp 0x7ffeed6852c0 sp 0x7ffeed6852b8
READ of size 8 at 0x604000000550 thread T0
    #0 0x7efc27003dc4 in wtap_block_free_option wiretap/wtap_opttypes.c:200:16
    #1 0x7efc26ffa024 in wtap_block_free_options wiretap/wtap_opttypes.c:224:9
    #2 0x7efc26ff9c60 in wtap_block_free wiretap/wtap_opttypes.c:236:9
    #3 0x7efc26ffa251 in wtap_block_array_free wiretap/wtap_opttypes.c:250:9
    #4 0x7efc26ff3c37 in wtap_close wiretap/wtap.c:1254:2
    #5 0x56238f9b7fc2 in cf_close tshark.c:4248:5
    #6 0x56238f9adb35 in main tshark.c:2284:3
    #7 0x7efc265f7022 in __libc_start_main (/usr/lib/libc.so.6+0x27022)
    #8 0x56238f88602d in _start (run/tshark+0x13d02d)

0x604000000550 is located 0 bytes inside of 40-byte region
[0x604000000550,0x604000000578)
freed by thread T0 here:
    #0 0x56238f927229 in free (run/tshark+0x1de229)
    #1 0x7efc268720cd in array_free
/usr/src/debug/build/../glib/glib/garray.c:386:7
    #2 0x7efc27008c7e in wtap_opttypes_cleanup wiretap/wtap_opttypes.c:1275:17
    #3 0x7efc26ff8b9d in wtap_cleanup wiretap/wtap.c:1624:2
    #4 0x56238f9adb24 in main tshark.c:2282:3
    #5 0x7efc265f7022 in __libc_start_main (/usr/lib/libc.so.6+0x27022)
    #6 0x56238f88602d in _start (run/tshark+0x13d02d)

previously allocated by thread T0 here:
    #0 0x56238f927559 in malloc (run/tshark+0x1de559)
    #1 0x7efc26843929 in g_malloc
/usr/src/debug/build/../glib/glib/gmem.c:99:13
    #2 0x7efc268248f3 in g_slice_alloc
/usr/src/debug/build/../glib/glib/gslice.c:1024:11
    #3 0x7efc268788d4 in g_array_sized_new
/usr/src/debug/build/../glib/glib/garray.c:194:11
    #4 0x7efc270080ee in wtap_opttype_block_register
wiretap/wtap_opttypes.c:100:26
    #5 0x7efc27004f2a in wtap_opttypes_initialize
wiretap/wtap_opttypes.c:1224:5
    #6 0x7efc26ff8994 in wtap_init wiretap/wtap.c:1607:2
    #7 0x56238f9a38da in main tshark.c:916:3
    #8 0x7efc265f7022 in __libc_start_main (/usr/lib/libc.so.6+0x27022)
    #9 0x56238f88602d in _start (run/tshark+0x13d02d)

SUMMARY: AddressSanitizer: heap-use-after-free wiretap/wtap_opttypes.c:200:16
in wtap_block_free_option
Shadow bytes around the buggy address:
  0x0c087fff8050: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8060: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
  0x0c087fff8070: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fff8080: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fa
  0x0c087fff8090: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
=>0x0c087fff80a0: fa fa fd fd fd fd fd fa fa fa[fd]fd fd fd fd fa
  0x0c087fff80b0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff80c0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff80d0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
  0x0c087fff80e0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff80f0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==140142==ABORTING

___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs