Wireshark-bugs: [Wireshark-bugs] [Bug 10901] New: Clang ASAN: heap-use-after-free via Statistics

Date: Thu, 29 Jan 2015 10:55:26 +0000
Bug ID: 10901
Summary: Clang ASAN: heap-use-after-free via Statistics -> Conversations List -> TCP
Product: Wireshark
Version: 1.99.x (Experimental)
Hardware: x86
OS: All
Status: UNCONFIRMED
Severity: Major
Priority: Low
Component: GTK+ UI
Assignee: [email protected]
Reporter: [email protected]

Build Information:
(wireshark-gtk v1.99.2rc0-893-g678cf27 + unrelated pgsql patch.)
Wireshark 1.99.2 (v1.99.2rc0-894-g4f3ffb8 from unknown)

Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 3.14.7, with Cairo 1.14.0, with Pango 1.36.8, with
libpcap, with POSIX capabilities (Linux), with libnl 3, with libz 1.2.8, with
GLib 2.42.1, without SMI, without c-ares, without ADNS, with Lua 5.2, with
GnuTLS 3.3.12, with Gcrypt 1.6.2, with MIT Kerberos, with GeoIP, with PortAudio
V19-devel (built Jan 31 2014 21:19:35), without AirPcap.

Running on Linux 3.18.1-1-ARCH, with locale en_US.UTF-8, with libpcap version
1.6.2, with libz 1.2.8, with GnuTLS 3.3.12, with Gcrypt 1.6.2.
Intel(R) Core(TM) i5 CPU       M 560  @ 2.67GHz (with SSE4.2)

Built using gcc 4.9.2 20141224 (prerelease).
--
On a private capture, I somehow triggered an ASAN violation with

Statistics -> Conversations List -> TCP

Could be memory pressure, needs further investigation.

=================================================================
==29539==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000295c70
at pc 0x7f997d8f0de0 bp 0x7fffceb5ae40 sp 0x7fffceb5ae10
READ of size 3 at 0x602000295c70 thread T0
    #0 0x7f997d8f0ddf in __interceptor_strlen (/usr/lib/libasan.so.1+0x32ddf)
    #1 0x7f997bea7d63 in g_strdup (/usr/lib/libglib-2.0.so.0+0x69d63)
    #2 0x7f997c186323 (/usr/lib/libgobject-2.0.so.0+0x3a323)
    #3 0x7f997d1fb8f7 (/usr/lib/libgtk-3.so.0+0x1f58f7)
    #4 0x7f997d1fd54e in gtk_list_store_insert_with_values
(/usr/lib/libgtk-3.so.0+0x1f754e)
    #5 0x651f52 in draw_ct_table_data ui/gtk/conversations_table.c:1727
    #6 0x6526e5 in draw_ct_table_data_cb ui/gtk/conversations_table.c:1781
    #7 0x7f99710fc4f3 in draw_tap_listeners epan/tap.c:415
    #8 0x4857d9 in tap_update_cb ui/gtk/main.c:1307
    #9 0x7f997be89823 (/usr/lib/libglib-2.0.so.0+0x4b823)
    #10 0x7f997be88d4d in g_main_context_dispatch
(/usr/lib/libglib-2.0.so.0+0x4ad4d)
    #11 0x7f997be89127 (/usr/lib/libglib-2.0.so.0+0x4b127)
    #12 0x7f997be891de in g_main_context_iteration
(/usr/lib/libglib-2.0.so.0+0x4b1de)
    #13 0x7f997d1ffc34 in gtk_main_iteration (/usr/lib/libgtk-3.so.0+0x1f9c34)
    #14 0x4e4be4 in delayed_create_progress_dlg ui/gtk/progress_dlg.c:294
    #15 0x43d99e in process_specified_records file.c:2252
    #16 0x43e18c in cf_retap_packets file.c:2382
    #17 0x6566b5 in init_conversation_table ui/gtk/conversations_table.c:2303
    #18 0x7f997101b597 in dissector_conversation_init
epan/conversation_table.c:87
    #19 0x65858f in conversation_endpoint_cb ui/gtk/conversations_table.c:2592
    #20 0x493038 in menu_endpoints_cb ui/gtk/main_menubar.c:2700
    #21 0x7f997c15c431 in g_closure_invoke
(/usr/lib/libgobject-2.0.so.0+0x10431)
    #22 0x7f997c16eafb (/usr/lib/libgobject-2.0.so.0+0x22afb)
    #23 0x7f997c177787 in g_signal_emit_valist
(/usr/lib/libgobject-2.0.so.0+0x2b787)
    #24 0x7f997c1779ee in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x2b9ee)
    #25 0x7f997d0a6520 (/usr/lib/libgtk-3.so.0+0xa0520)
    #26 0x7f997c15c431 in g_closure_invoke
(/usr/lib/libgobject-2.0.so.0+0x10431)
    #27 0x7f997c16e403 (/usr/lib/libgobject-2.0.so.0+0x22403)
    #28 0x7f997c177787 in g_signal_emit_valist
(/usr/lib/libgobject-2.0.so.0+0x2b787)
    #29 0x7f997c1779ee in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x2b9ee)
    #30 0x7f997d33ba5f in gtk_widget_activate (/usr/lib/libgtk-3.so.0+0x335a5f)
    #31 0x7f997d2208c5 in gtk_menu_shell_activate_item
(/usr/lib/libgtk-3.so.0+0x21a8c5)
    #32 0x7f997d220c7e (/usr/lib/libgtk-3.so.0+0x21ac7e)
    #33 0x7f997d2013c0 (/usr/lib/libgtk-3.so.0+0x1fb3c0)
    #34 0x7f997c15c431 in g_closure_invoke
(/usr/lib/libgobject-2.0.so.0+0x10431)
    #35 0x7f997c16e9ef (/usr/lib/libgobject-2.0.so.0+0x229ef)
    #36 0x7f997c177294 in g_signal_emit_valist
(/usr/lib/libgobject-2.0.so.0+0x2b294)
    #37 0x7f997c1779ee in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x2b9ee)
    #38 0x7f997d33cbab (/usr/lib/libgtk-3.so.0+0x336bab)
    #39 0x7f997d1fec7e (/usr/lib/libgtk-3.so.0+0x1f8c7e)
    #40 0x7f997d20093d in gtk_main_do_event (/usr/lib/libgtk-3.so.0+0x1fa93d)
    #41 0x7f997cd9d5a9 (/usr/lib/libgdk-3.so.0+0x515a9)
    #42 0x7f997be88e2b in g_main_context_dispatch
(/usr/lib/libglib-2.0.so.0+0x4ae2b)
    #43 0x7f997be89127 (/usr/lib/libglib-2.0.so.0+0x4b127)
    #44 0x7f997be89471 in g_main_loop_run (/usr/lib/libglib-2.0.so.0+0x4b471)
    #45 0x7f997d1ffb8c in gtk_main (/usr/lib/libgtk-3.so.0+0x1f9b8c)
    #46 0x48aa46 in main ui/gtk/main.c:3247
    #47 0x7f9968d4d03f in __libc_start_main (/usr/lib/libc.so.6+0x2003f)
    #48 0x424058 (/tmp/wsbuild/run/wireshark-gtk+0x424058)

0x602000295c70 is located 0 bytes inside of 11-byte region
[0x602000295c70,0x602000295c7b)
freed by thread T0 here:
    #0 0x7f997d91551f in __interceptor_free (/usr/lib/libasan.so.1+0x5751f)
    #1 0x7f99711a45e4 in wmem_free epan/wmem/wmem_core.c:77
    #2 0x651fa9 in draw_ct_table_data ui/gtk/conversations_table.c:1747
    #3 0x6526e5 in draw_ct_table_data_cb ui/gtk/conversations_table.c:1781
    #4 0x7f99710fc4f3 in draw_tap_listeners epan/tap.c:415
    #5 0x4857d9 in tap_update_cb ui/gtk/main.c:1307
    #6 0x7f997be89823 (/usr/lib/libglib-2.0.so.0+0x4b823)
    #7 0x7f997be88d4d in g_main_context_dispatch
(/usr/lib/libglib-2.0.so.0+0x4ad4d)
    #8 0x7f997be89127 (/usr/lib/libglib-2.0.so.0+0x4b127)
    #9 0x7f997be891de in g_main_context_iteration
(/usr/lib/libglib-2.0.so.0+0x4b1de)
    #10 0x7f997d1ffc34 in gtk_main_iteration (/usr/lib/libgtk-3.so.0+0x1f9c34)
    #11 0x4e4be4 in delayed_create_progress_dlg ui/gtk/progress_dlg.c:294
    #12 0x43d99e in process_specified_records file.c:2252
    #13 0x43e18c in cf_retap_packets file.c:2382
    #14 0x6566b5 in init_conversation_table ui/gtk/conversations_table.c:2303
    #15 0x7f997101b597 in dissector_conversation_init
epan/conversation_table.c:87
    #16 0x65858f in conversation_endpoint_cb ui/gtk/conversations_table.c:2592
    #17 0x493038 in menu_endpoints_cb ui/gtk/main_menubar.c:2700
    #18 0x7f997c15c431 in g_closure_invoke
(/usr/lib/libgobject-2.0.so.0+0x10431)
    #19 0x7f997c16eafb (/usr/lib/libgobject-2.0.so.0+0x22afb)
    #20 0x7f997c177787 in g_signal_emit_valist
(/usr/lib/libgobject-2.0.so.0+0x2b787)
    #21 0x7f997c1779ee in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x2b9ee)
    #22 0x7f997d0a6520 (/usr/lib/libgtk-3.so.0+0xa0520)
    #23 0x7f997c15c431 in g_closure_invoke
(/usr/lib/libgobject-2.0.so.0+0x10431)
    #24 0x7f997c16e403 (/usr/lib/libgobject-2.0.so.0+0x22403)
    #25 0x7f997c177787 in g_signal_emit_valist
(/usr/lib/libgobject-2.0.so.0+0x2b787)
    #26 0x7f997c1779ee in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x2b9ee)
    #27 0x7f997d33ba5f in gtk_widget_activate (/usr/lib/libgtk-3.so.0+0x335a5f)
    #28 0x7f997d2208c5 in gtk_menu_shell_activate_item
(/usr/lib/libgtk-3.so.0+0x21a8c5)
    #29 0x7f997d220c7e (/usr/lib/libgtk-3.so.0+0x21ac7e)

previously allocated by thread T0 here:
    #0 0x7f997d915797 in malloc (/usr/lib/libasan.so.1+0x57797)
    #1 0x7f997be8ecf1 in g_malloc (/usr/lib/libglib-2.0.so.0+0x50cf1)
    #2 0x7f997bea7d6f in g_strdup (/usr/lib/libglib-2.0.so.0+0x69d6f)
    #3 0x7f9970fe1252 in add_service_name epan/addr_resolv.c:479
    #4 0x7f9970fe1810 in add_serv_port_cb epan/addr_resolv.c:574
    #5 0x7f99710ccbe0 in range_foreach epan/range.c:319
    #6 0x7f9970fe177c in parse_service_line epan/addr_resolv.c:564
    #7 0x7f9970fe184f in parse_services_file epan/addr_resolv.c:593
    #8 0x7f9970fe1f7f in initialize_services epan/addr_resolv.c:726
    #9 0x7f9970fec770 in addr_resolv_init epan/addr_resolv.c:3397
    #10 0x7f9971026fbe in epan_init epan/epan.c:102
    #11 0x488700 in main ui/gtk/main.c:2508
    #12 0x7f9968d4d03f in __libc_start_main (/usr/lib/libc.so.6+0x2003f)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 __interceptor_strlen
Shadow bytes around the buggy address:
  0x0c048004ab30: fa fa 04 fa fa fa fd fd fa fa 00 03 fa fa 04 fa
  0x0c048004ab40: fa fa fd fd fa fa 00 06 fa fa fd fa fa fa fd fd
  0x0c048004ab50: fa fa 00 06 fa fa 04 fa fa fa fd fd fa fa 04 fa
  0x0c048004ab60: fa fa fd fa fa fa fd fd fa fa 04 fa fa fa 04 fa
  0x0c048004ab70: fa fa fd fd fa fa 00 fa fa fa 04 fa fa fa fd fd
=>0x0c048004ab80: fa fa 00 03 fa fa fd fa fa fa fd fd fa fa[fd]fd
  0x0c048004ab90: fa fa 04 fa fa fa fd fd fa fa 00 06 fa fa fd fa
  0x0c048004aba0: fa fa fd fd fa fa 00 06 fa fa 04 fa fa fa fd fd
  0x0c048004abb0: fa fa 06 fa fa fa fd fa fa fa fd fd fa fa 06 fa
  0x0c048004abc0: fa fa 04 fa fa fa fd fd fa fa 07 fa fa fa fd fa
  0x0c048004abd0: fa fa fd fd fa fa 07 fa fa fa 04 fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==29539==ABORTING