Wireshark-bugs: [Wireshark-bugs] [Bug 12754] New: AddressSanitizer: heap-buffer-overflow on address 0x61d0001a3e80
Date: Tue, 16 Aug 2016 21:27:57 +0000
Bug ID | 12754 |
---|---|
Summary | AddressSanitizer: heap-buffer-overflow on address 0x61d0001a3e80 |
Product | Wireshark |
Version | Git |
Hardware | x86-64 |
OS | Ubuntu |
Status | UNCONFIRMED |
Severity | Major |
Priority | Low |
Component | TShark |
Assignee | [email protected] |
Reporter | [email protected] |
Created attachment 14819: PoC

Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-312-g13d0d10 from master)

Copyright 1998-2016 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) without libpcap, with GLib 2.40.2, with zlib 1.2.8, without SMI,
without c-ares, without Lua, with GnuTLS 2.12.23, with Gcrypt 1.5.3, with MIT
Kerberos, without GeoIP.

Running on Linux 4.2.0-27-generic, with locale LC_CTYPE=en_US.UTF-8,
LC_NUMERIC=pl_PL.UTF-8, LC_TIME=pl_PL.UTF-8, LC_COLLATE=en_US.UTF-8,
LC_MONETARY=pl_PL.UTF-8, LC_MESSAGES=en_US.UTF-8, LC_PAPER=pl_PL.UTF-8,
LC_NAME=pl_PL.UTF-8, LC_ADDRESS=pl_PL.UTF-8, LC_TELEPHONE=pl_PL.UTF-8,
LC_MEASUREMENT=pl_PL.UTF-8, LC_IDENTIFICATION=pl_PL.UTF-8, with GnuTLS 2.12.23,
with Gcrypt 1.5.3, with zlib 1.2.8.

Intel(R) Core(TM) i7 CPU 860 @ 2.80GHz (with SSE4.2)

Built using clang 4.2.1 Compatible Clang 3.9.0 (trunk 274369).
--
=================================================================
==31475==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d0001a3e80 at pc 0x55581cfc0cd0 bp 0x7ffde7c40430 sp 0x7ffde7c3fbd8
READ of size 1320512526 at 0x61d0001a3e80 thread T0
    #0 0x55581cfc0ccf in memcpy (/media/Fuzzing/Targets/wireshark/run/tshark+0xd0ccf)
    #1 0x7f0f454b3ece in g_array_append_vals (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x1dece)
    #2 0x7f0f454b4ff8 in g_byte_array_append (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x1eff8)
    #3 0x7f0f4ddda974 in proto_tree_set_bytes /media/Fuzzing/Targets/wireshark/epan/proto.c:3007:3
    #4 0x7f0f4ddd6ced in proto_tree_set_bytes_tvb /media/Fuzzing/Targets/wireshark/epan/proto.c:3016:2
    #5 0x7f0f4ddd6ced in proto_tree_new_item /media/Fuzzing/Targets/wireshark/epan/proto.c:1863
    #6 0x7f0f4ddd899b in proto_tree_add_item_new /media/Fuzzing/Targets/wireshark/epan/proto.c:2517:9
    #7 0x7f0f4e289bb3 in dissect_data /media/Fuzzing/Targets/wireshark/epan/dissectors/packet-data.c:85:4
    #8 0x7f0f4dd882fd in call_dissector_through_handle /media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
    #9 0x7f0f4dd882fd in call_dissector_work /media/Fuzzing/Targets/wireshark/epan/packet.c:724
    #10 0x7f0f4eb5f1c8 in dissect_ppp /media/Fuzzing/Targets/wireshark/epan/dissectors/packet-ppp.c:5278:5
    #11 0x7f0f4eb5f1c8 in dissect_mp /media/Fuzzing/Targets/wireshark/epan/dissectors/packet-ppp.c:5261
    #12 0x7f0f4dd882fd in call_dissector_through_handle /media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
    #13 0x7f0f4dd882fd in call_dissector_work /media/Fuzzing/Targets/wireshark/epan/packet.c:724
    #14 0x7f0f4dd8869d in dissector_try_uint_new /media/Fuzzing/Targets/wireshark/epan/packet.c:1188:9
    #15 0x7f0f4dd8869d in dissector_try_uint /media/Fuzzing/Targets/wireshark/epan/packet.c:1214
    #16 0x7f0f4eb63b09 in dissect_ppp_common /media/Fuzzing/Targets/wireshark/epan/dissectors/packet-ppp.c:4323:10
    #17 0x7f0f4eb5ec44 in dissect_ppp_hdlc /media/Fuzzing/Targets/wireshark/epan/dissectors/packet-ppp.c:5356:5
    #18 0x7f0f4dd882fd in call_dissector_through_handle /media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
    #19 0x7f0f4dd882fd in call_dissector_work /media/Fuzzing/Targets/wireshark/epan/packet.c:724
    #20 0x7f0f4dd858c8 in call_dissector_only /media/Fuzzing/Targets/wireshark/epan/packet.c:2780:8
    #21 0x7f0f4dd858c8 in call_dissector_with_data /media/Fuzzing/Targets/wireshark/epan/packet.c:2793
    #22 0x7f0f4e0176b6 in dissect_ascend /media/Fuzzing/Targets/wireshark/epan/dissectors/packet-ascend.c:107:7
    #23 0x7f0f4dd882fd in call_dissector_through_handle /media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
    #24 0x7f0f4dd882fd in call_dissector_work /media/Fuzzing/Targets/wireshark/epan/packet.c:724
    #25 0x7f0f4dd87ea1 in dissector_try_uint_new /media/Fuzzing/Targets/wireshark/epan/packet.c:1188:9
    #26 0x7f0f4e509165 in dissect_frame /media/Fuzzing/Targets/wireshark/epan/dissectors/packet-frame.c:507:11
    #27 0x7f0f4dd882fd in call_dissector_through_handle /media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
    #28 0x7f0f4dd882fd in call_dissector_work /media/Fuzzing/Targets/wireshark/epan/packet.c:724
    #29 0x7f0f4dd858c8 in call_dissector_only /media/Fuzzing/Targets/wireshark/epan/packet.c:2780:8
    #30 0x7f0f4dd858c8 in call_dissector_with_data /media/Fuzzing/Targets/wireshark/epan/packet.c:2793
    #31 0x7f0f4dd84ecb in dissect_record /media/Fuzzing/Targets/wireshark/epan/packet.c:532:3
    #32 0x7f0f4dd67388 in epan_dissect_run_with_taps /media/Fuzzing/Targets/wireshark/epan/epan.c:379:2
    #33 0x55581d00c435 in process_packet /media/Fuzzing/Targets/wireshark/tshark.c:3433:5
    #34 0x55581d00c435 in load_cap_file /media/Fuzzing/Targets/wireshark/tshark.c:3189
    #35 0x55581d00c435 in main /media/Fuzzing/Targets/wireshark/tshark.c:1893
    #36 0x7f0f44ab6f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #37 0x55581cf38d15 in _start (/media/Fuzzing/Targets/wireshark/run/tshark+0x48d15)

0x61d0001a3e80 is located 0 bytes to the right of 2048-byte region [0x61d0001a3680,0x61d0001a3e80)
allocated by thread T0 here:
    #0 0x55581cfd6cbc in malloc (/media/Fuzzing/Targets/wireshark/run/tshark+0xe6cbc)
    #1 0x7f0f454e4610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/media/Fuzzing/Targets/wireshark/run/tshark+0xd0ccf) in memcpy
Shadow bytes around the buggy address:
  0x0c3a8002c780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a8002c790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a8002c7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a8002c7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a8002c7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a8002c7d0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a8002c7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a8002c7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a8002c800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a8002c810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a8002c820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31475==ABORTING
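The report above records only the symptom: memcpy(), reached through g_byte_array_append() and proto_tree_set_bytes(), was asked to read 1320512526 bytes out of a 2048-byte heap region, so the length handed down from the dissector was never reconciled with the bytes actually available. The report does not say where that length came from, and the following C is not Wireshark code and makes no claim about the root cause in packet-ppp.c or packet-data.c. It is an added illustration of the check that has to sit between a packet-derived length and the copy at the bottom of that stack: a toy buffer type (`toy_tvb`), a bounds-checked accessor (`toy_get_ptr`, modelled on what tvb_get_ptr() is for), the copy step (`toy_set_bytes`), a 32-bit length-field decoder (`decode_len_be32`) and a driver (`toy_case`). All of those names are hypothetical, and the 2048-byte buffer is constructed for the example to match the region size in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a packet buffer (not Wireshark's tvbuff_t):
 * the captured bytes and how many of them there are. */
typedef struct {
    const uint8_t *data;
    size_t         captured_len;
} toy_tvb;

enum get_status {
    GET_OK = 0,
    GET_ERR_NEGATIVE_LEN,   /* length field decoded to a negative int */
    GET_ERR_OUT_OF_BOUNDS,  /* offset + length runs past the captured bytes */
    GET_ERR_ALLOC
};

/* Bounds-checked accessor (illustrative; modelled on the job tvb_get_ptr()
 * does). `length` is a signed int because dissector APIs pass lengths that
 * way; -1 means "from offset to the end". Any other negative value is refused
 * rather than being silently turned into a huge size_t by memcpy(). The range
 * check compares against the remaining bytes instead of computing
 * offset + length, so it cannot wrap. */
static enum get_status
toy_get_ptr(const toy_tvb *tvb, size_t offset, int length,
            const uint8_t **ptr_out, size_t *len_out)
{
    if (offset > tvb->captured_len)
        return GET_ERR_OUT_OF_BOUNDS;
    size_t remaining = tvb->captured_len - offset;
    size_t want;
    if (length == -1) {
        want = remaining;
    } else if (length < 0) {
        return GET_ERR_NEGATIVE_LEN;
    } else {
        want = (size_t)length;
        if (want > remaining)
            return GET_ERR_OUT_OF_BOUNDS;
    }
    *ptr_out = tvb->data + offset;
    *len_out = want;
    return GET_OK;
}

/* Copy a field's bytes into a new heap array, the step proto_tree_set_bytes()
 * delegates to g_byte_array_append() in the trace above. The memcpy() is only
 * reached once the accessor has proven the range lies inside the buffer. */
static enum get_status
toy_set_bytes(const toy_tvb *tvb, size_t offset, int length,
              uint8_t **bytes_out, size_t *len_out)
{
    const uint8_t *src;
    size_t n;
    enum get_status st = toy_get_ptr(tvb, offset, length, &src, &n);
    if (st != GET_OK)
        return st;
    uint8_t *dst = malloc(n ? n : 1);
    if (dst == NULL)
        return GET_ERR_ALLOC;
    memcpy(dst, src, n);
    *bytes_out = dst;
    *len_out = n;
    return GET_OK;
}

/* Decode a big-endian 32-bit length field into the int the tree API takes.
 * With the top bit set the value is outside int's range; on the usual
 * two's-complement ABIs (gcc/clang) the conversion wraps to a negative number. */
static int decode_len_be32(const uint8_t *p)
{
    uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return (int)v;
}

/* Four requests against a constructed 2048-byte buffer (the region size in
 * the ASan report). Returns the status of request `which` (0..3). */
static enum get_status toy_case(int which)
{
    static uint8_t backing[2048];
    for (size_t i = 0; i < sizeof backing; i++)
        backing[i] = (uint8_t)i;
    toy_tvb tvb = { backing, sizeof backing };
    uint8_t *bytes = NULL;
    size_t n = 0;
    enum get_status st;

    switch (which) {
    case 0:  /* a sane field: 16 bytes at offset 8, copy must match source */
        st = toy_set_bytes(&tvb, 8, 16, &bytes, &n);
        if (st == GET_OK && (n != 16 || memcmp(bytes, backing + 8, 16) != 0))
            st = GET_ERR_OUT_OF_BOUNDS;
        break;
    case 1:  /* the size memcpy() was asked for in the report */
        st = toy_set_bytes(&tvb, 0, 1320512526, &bytes, &n);
        break;
    case 2: { /* a 32-bit length field with the top bit set: 0xFFFFFFF0 */
        const uint8_t field[4] = { 0xFF, 0xFF, 0xFF, 0xF0 };
        st = toy_set_bytes(&tvb, 0, decode_len_be32(field), &bytes, &n);
        break;
    }
    default: /* -1 ("rest of buffer") from offset 2040 yields 8 bytes */
        st = toy_set_bytes(&tvb, 2040, -1, &bytes, &n);
        if (st == GET_OK && n != 8)
            st = GET_ERR_OUT_OF_BOUNDS;
        break;
    }
    free(bytes);
    return st;
}

int main(void)
{
    static const char *names[] = { "OK", "NEGATIVE_LEN", "OUT_OF_BOUNDS", "ALLOC" };
    for (int i = 0; i < 4; i++)
        printf("case %d: %s\n", i, names[toy_case(i)]);
    return 0;
}
```

Case 1 is the interesting one for this report: the same 1320512526-byte request that ASan caught in memcpy() is refused before any copy happens, because the length is compared with what the buffer actually holds. Case 2 shows the other way a packet-derived length goes wrong, a 32-bit field that decodes to a negative int and, if passed straight to memcpy(), becomes a size in the terabytes. Real dissector code gets the equivalent of these checks by going through tvb accessors that throw on an out-of-range request, which is why an ASan hit underneath proto_tree_set_bytes() usually means some caller computed a length outside that path.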