Wireshark-bugs: [Wireshark-bugs] [Bug 8198] New: RTPS dissector crash

Date: Sat, 12 Jan 2013 13:12:09 +0000
Bug ID 8198
Summary RTPS dissector crash
Classification Unclassified
Product Wireshark
Version 1.8.4
Hardware x86-64
OS All
Status UNCONFIRMED
Severity Major
Priority Low
Component TShark
Assignee [email protected]
Reporter [email protected]

Created attachment 9802 [details]
Capture that crashes

Build Information:
1.8.4
--
--
Hi,

Here is a PCAP file triggering a SIGABRT that could enable (at least) a remote
party to trigger a denial of service.

This file was generated thanks to a fuzz testing campaign.

Laurent Butti.

--

Program received signal SIGABRT, Aborted.
0x00007ffff2e9e425 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007ffff2e9e425 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff2ea1b8b in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007ffff2edc39e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00007ffff2f72807 in __fortify_fail () from /lib/x86_64-linux-gnu/libc.so.6
#4  0x00007ffff2f727d0 in __stack_chk_fail () from /lib/x86_64-linux-gnu/libc.so.6
#5  0x00007ffff514bc02 in rtps_util_add_bitmap (tree=0x7ffff7fefff0, tvb=0x15eade0, offset=112, little_endian=<optimized out>, label=0x7ffff604d5d7 "gapList") at packet-rtps.c:2819
#6  0x00007ffff56a32a8 in dissect_GAP (tree=0x7ffff7fefff0, octects_to_next_header=60760, little_endian=0, flags=<optimized out>, offset=36, tvb=0x15eade0) at packet-rtps.c:5083
#7  dissect_rtps (tvb=0x15eade0, pinfo=0x7fffffffd510, tree=0x7ffff7fef000) at packet-rtps.c:5792
#8  0x00007ffff517ee4c in dissector_try_heuristic (sub_dissectors=<optimized out>, tvb=0x15eade0, pinfo=0x7fffffffd510, tree=0x7ffff7fef000) at packet.c:1781
#9  0x00007ffff579b2fb in decode_udp_ports (tvb=<optimized out>, offset=<optimized out>, pinfo=0x7fffffffd510, tree=0x7ffff7fef000, uh_sport=58018, uh_dport=7401, uh_ulen=132) at packet-udp.c:281
#10 0x00007ffff579b9c3 in dissect (tvb=0x15fc860, pinfo=0x7fffffffd510, tree=0x7ffff7fef000, ip_proto=<optimized out>) at packet-udp.c:595
#11 0x00007ffff517d180 in call_dissector_through_handle (handle=0x1207a70, tvb=0x15fc860, pinfo=0x7fffffffd510, tree=0x7ffff7fef000) at packet.c:433
#12 0x00007ffff517d865 in call_dissector_work (handle=0x1207a70, tvb=0x15fc860, pinfo_arg=0x7fffffffd510, tree=0x7ffff7fef000, add_proto_name=1) at packet.c:524
#13 0x00007ffff517e08e in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=17, tvb=0x15fc860, pinfo=0x7fffffffd510, tree=0x7ffff7fef000, add_proto_name=1) at packet.c:943
#14 0x00007ffff54bfe6b in dissect_ip (tvb=0x15fc760, pinfo=<optimized out>, parent_tree=0x7ffff7fef000) at packet-ip.c:2396
#15 0x00007ffff517d180 in call_dissector_through_handle (handle=0xb99b30, tvb=0x15fc760, pinfo=0x7fffffffd510, tree=0x7ffff7fef000) at packet.c:433
#16 0x00007ffff517d865 in call_dissector_work (handle=0xb99b30, tvb=0x15fc760, pinfo_arg=0x7fffffffd510, tree=0x7ffff7fef000, add_proto_name=1) at packet.c:524
#17 0x00007ffff517e08e in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=2048, tvb=0x15fc760, pinfo=0x7fffffffd510, tree=0x7ffff7fef000, add_proto_name=1) at packet.c:943
#18 0x00007ffff53adffa in ethertype (etype=2048, tvb=0x15fc400, offset_after_etype=14, pinfo=0x7fffffffd510, tree=0x7ffff7fef000, fh_tree=0x7ffff7fef6c0, etype_id=21641, trailer_id=21645, fcs_len=-1) at packet-ethertype.c:270
#19 0x00007ffff53acabc in dissect_eth_common (tvb=0x15fc400, pinfo=0x7fffffffd510, parent_tree=0x7ffff7fef000, fcs_len=-1) at packet-eth.c:403
#20 0x00007ffff517d180 in call_dissector_through_handle (handle=0x9e2820, tvb=0x15fc400, pinfo=0x7fffffffd510, tree=0x7ffff7fef000) at packet.c:433
#21 0x00007ffff517d865 in call_dissector_work (handle=0x9e2820, tvb=0x15fc400, pinfo_arg=0x7fffffffd510, tree=0x7ffff7fef000, add_proto_name=1) at packet.c:524
#22 0x00007ffff517e08e in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=1, tvb=0x15fc400, pinfo=0x7fffffffd510, tree=0x7ffff7fef000, add_proto_name=1) at packet.c:943
#23 0x00007ffff53dfc1b in dissect_frame (tvb=0x15fc400, pinfo=0x7fffffffd510, parent_tree=0x7ffff7fef000) at packet-frame.c:383
#24 0x00007ffff517d180 in call_dissector_through_handle (handle=0xa2a740, tvb=0x15fc400, pinfo=0x7fffffffd510, tree=0x7ffff7fef000) at packet.c:433
#25 0x00007ffff517d865 in call_dissector_work (handle=0xa2a740, tvb=0x15fc400, pinfo_arg=0x7fffffffd510, tree=0x7ffff7fef000, add_proto_name=1) at packet.c:524
#26 0x00007ffff517f5a1 in call_dissector (handle=<optimized out>, tvb=0x15fc400, pinfo=0x7fffffffd510, tree=0x7ffff7fef000) at packet.c:2050
#27 0x00007ffff517f9b4 in dissect_packet (edt=0x7fffffffd500, pseudo_header=0x0, pd=0x15d43b0 "\001", fd=0x7fffffffd6a0, cinfo=0x0) at packet.c:364
#28 0x000000000041ad8b in ?? ()
#29 0x00000000015fc400 in ?? ()
#30 0x00007ffff7fef000 in ?? ()
#31 0x00007ffff604d501 in ?? () from /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2
#32 0x0000000000000000 in ?? ()
(gdb) python import exploitable
(gdb) exploitable -v
'exploitable' version 1.04
Linux nitro 3.2.0-30-generic #48-Ubuntu SMP Fri Aug 24 16:52:48 UTC 2012 x86_64
Signal si_signo: 6 Signal si_addr: 0x3e800000ba8
Nearby code:
   0x00007ffff2e9e415 <+37>:    movsxd rdx,edi
   0x00007ffff2e9e418 <+40>:    movsxd rsi,esi
   0x00007ffff2e9e41b <+43>:    movsxd rdi,eax
   0x00007ffff2e9e41e <+46>:    mov    eax,0xea
   0x00007ffff2e9e423 <+51>:    syscall 
=> 0x00007ffff2e9e425 <+53>:    cmp    rax,0xfffffffffffff000
   0x00007ffff2e9e42b <+59>:    ja     0x7ffff2e9e43f <raise+79>
   0x00007ffff2e9e42d <+61>:    repz ret 
   0x00007ffff2e9e42f <+63>:    nop
   0x00007ffff2e9e430 <+64>:    test   eax,eax
Stack trace:
#  0 raise at 0x7ffff2e9e425 in /lib/x86_64-linux-gnu/libc-2.15.so (BL)
#  1 abort at 0x7ffff2ea1b8b in /lib/x86_64-linux-gnu/libc-2.15.so (BL)
#  2 None at 0x7ffff2edc39e in /lib/x86_64-linux-gnu/libc-2.15.so (BL)
#  3 __fortify_fail at 0x7ffff2f72807 in /lib/x86_64-linux-gnu/libc-2.15.so (BL)
#  4 __stack_chk_fail at 0x7ffff2f727d0 in /lib/x86_64-linux-gnu/libc-2.15.so (BL)
#  5 rtps_util_add_bitmap at 0x7ffff514bc02 in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
#  6 dissect_GAP at 0x7ffff56a32a8 in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
#  7 dissect_rtps at 0x7ffff56a32a8 in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
#  8 dissector_try_heuristic at 0x7ffff517ee4c in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
#  9 decode_udp_ports at 0x7ffff579b2fb in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 10 dissect at 0x7ffff579b9c3 in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 11 call_dissector_through_handle at 0x7ffff517d180 in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 12 call_dissector_work at 0x7ffff517d865 in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 13 dissector_try_uint_new at 0x7ffff517e08e in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 14 dissect_ip at 0x7ffff54bfe6b in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 15 call_dissector_through_handle at 0x7ffff517d180 in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 16 call_dissector_work at 0x7ffff517d865 in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 17 dissector_try_uint_new at 0x7ffff517e08e in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 18 ethertype at 0x7ffff53adffa in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 19 dissect_eth_common at 0x7ffff53acabc in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 20 call_dissector_through_handle at 0x7ffff517d180 in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 21 call_dissector_work at 0x7ffff517d865 in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 22 dissector_try_uint_new at 0x7ffff517e08e in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 23 dissect_frame at 0x7ffff53dfc1b in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 24 call_dissector_through_handle at 0x7ffff517d180 in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 25 call_dissector_work at 0x7ffff517d865 in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 26 call_dissector at 0x7ffff517f5a1 in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 27 dissect_packet at 0x7ffff517f9b4 in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 28 None at 0x41ad8b in /home/laurent/fuzzing/bin/wireshark-1.8.4/bin/tshark
# 29 None at 0x15fc400 in [heap]
# 30 None at 0x7ffff7fef000 in 
# 31 None at 0x7ffff604d501 in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 32 None at 0x0 in None
Faulting frame: #  5 rtps_util_add_bitmap at 0x7ffff514bc02 in /home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
Description: Stack buffer overflow
Short description: StackBufferOverflow (5/21)
Hash: 846d6bbc9997ffd09a83ce66fdf69d1b.deb14667b1f25fb8189efe42a51ef331
Exploitability Classification: EXPLOITABLE
Explanation: The target stopped while handling a signal that was generated by
libc due to detection of a stack buffer overflow. Stack buffer overflows are
generally considered exploitable.
Other tags: PossibleStackCorruption (6/21), AbortSignal (19/21)
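The trace above ends in __stack_chk_fail below rtps_util_add_bitmap while dissecting the gapList of a GAP submessage, i.e. libc's stack protector caught a write past a fixed-size stack array. The following is an added illustration of that bug class and of the checks that prevent it; it is not Wireshark's rtps_util_add_bitmap, and the report does not show which check the real function lacked. It parses the RTPS SequenceNumberSet layout that gapList uses (bitmapBase as a high/low 32-bit pair, numBits, then ceil(numBits/32) words), assumes the RTPS limit of 256 bits per set, and uses constructed big-endian sample packets (little_endian=0, as in frame #6) rather than bytes from attachment 9802. All names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative RTPS SequenceNumberSet parser (not Wireshark's code):
 *   bitmapBase : SequenceNumber (int32 high, uint32 low)   8 bytes
 *   numBits    : uint32                                    4 bytes
 *   bitmap     : ceil(numBits / 32) x uint32
 * Assumption: the RTPS spec caps numBits at 256, so at most 8 words.
 */
#define RTPS_MAX_BITMAP_BITS  256u
#define RTPS_MAX_BITMAP_WORDS (RTPS_MAX_BITMAP_BITS / 32u)

typedef struct {
    uint64_t base;                          /* bitmapBase */
    uint32_t num_bits;                      /* numBits */
    uint32_t words[RTPS_MAX_BITMAP_WORDS];  /* bitmap, zero-padded */
} seq_num_set_t;

static uint32_t rd32(const uint8_t *p, int little_endian)
{
    if (little_endian)
        return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

static uint32_t popcount32(uint32_t v)
{
    uint32_t n = 0;
    for (; v; v &= v - 1) n++;
    return n;
}

/*
 * The pattern exploitable classifies as StackBufferOverflow: a count taken
 * from the packet drives writes into a fixed-size stack array. Once numBits
 * exceeds 256 the loop runs past words[], overwrites the canary, and libc
 * aborts in __stack_chk_fail. (num_bits + 31 also wraps for values above
 * 0xFFFFFFE0.) This block only ever calls it on a well-formed sample.
 * Returns the number of set bits, i.e. sequence numbers in the gap.
 */
static uint32_t parse_bitmap_unchecked(const uint8_t *pkt, size_t off, int le)
{
    uint32_t words[RTPS_MAX_BITMAP_WORDS];
    uint32_t num_bits = rd32(pkt + off + 8, le);
    uint32_t nwords = (num_bits + 31u) / 32u;
    uint32_t i, set = 0;
    for (i = 0; i < nwords; i++)
        words[i] = rd32(pkt + off + 12 + 4 * i, le);   /* overflow when nwords > 8 */
    for (i = 0; i < nwords; i++)
        set += popcount32(words[i]);
    return set;
}

/*
 * Hardened form: bound the count against the protocol limit and the bytes
 * it implies against the packet before touching any buffer.
 * Returns bytes consumed, or -1 (header truncated), -2 (numBits over the
 * limit), -3 (bitmap truncated).
 */
static int parse_bitmap_checked(const uint8_t *pkt, size_t len, size_t off, int le, seq_num_set_t *out)
{
    if (off > len || len - off < 12)            return -1;
    uint32_t hi = rd32(pkt + off, le);
    uint32_t lo = rd32(pkt + off + 4, le);
    uint32_t num_bits = rd32(pkt + off + 8, le);
    if (num_bits > RTPS_MAX_BITMAP_BITS)        return -2;
    uint32_t nwords = (num_bits + 31u) / 32u;   /* cannot wrap: num_bits <= 256 */
    if (len - off - 12 < (size_t)nwords * 4u)   return -3;
    memset(out, 0, sizeof *out);
    out->base = (uint64_t)hi << 32 | lo;
    out->num_bits = num_bits;
    for (uint32_t i = 0; i < nwords; i++)
        out->words[i] = rd32(pkt + off + 12 + 4 * i, le);
    return (int)(12 + nwords * 4u);
}

/* Constructed samples, big-endian. */
static const uint8_t SAMPLE_OK[] = {
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x10,   /* bitmapBase = 16 */
    0x00,0x00,0x00,0x28,                        /* numBits = 40 -> 2 words */
    0xDE,0xAD,0xBE,0xEF, 0x80,0x00,0x00,0x00 }; /* 24 + 1 bits set */
static const uint8_t SAMPLE_OVERSIZED[] = {
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x10,
    0x00,0x01,0x00,0x00,                        /* numBits = 65536 -> 2048 words */
    0xFF,0xFF,0xFF,0xFF };
static const uint8_t SAMPLE_TRUNCATED[] = {
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x10,
    0x00,0x00,0x00,0x28,                        /* claims 2 words, carries 1 */
    0xDE,0xAD,0xBE,0xEF };

int main(void)
{
    seq_num_set_t s;
    int n = parse_bitmap_checked(SAMPLE_OK, sizeof SAMPLE_OK, 0, 0, &s);
    printf("ok: consumed=%d numBits=%u gap=%u\n", n, s.num_bits, parse_bitmap_unchecked(SAMPLE_OK, 0, 0));
    printf("oversized: %d\n", parse_bitmap_checked(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, 0, 0, &s));
    printf("truncated: %d\n", parse_bitmap_checked(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, 0, 0, &s));
    return 0;
}
```

The point of the checked version is the order of the tests: the protocol bound on numBits is applied before the count is used in any arithmetic, so the word count can neither exceed the array nor wrap, and the length test then guards the reads. In Wireshark the reads themselves are already bounded by the tvb accessors, which is why a missing check shows up as a stack overwrite rather than an out-of-bounds read.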
