Wireshark-bugs: [Wireshark-bugs] [Bug 12914] New: Buildbot crash output: fuzz-2016-09-17-25060.p

Date: Sat, 17 Sep 2016 17:00:03 +0000
Bug ID 12914
Summary Buildbot crash output: fuzz-2016-09-17-25060.pcap
Product Wireshark
Version unspecified
Hardware x86-64
URL https://www.wireshark.org/download/automated/captures/fuzz-2016-09-17-25060.pcap
OS Ubuntu
Status CONFIRMED
Severity Major
Priority High
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2016-09-17-25060.pcap

stderr:
Input file: /home/wireshark/menagerie/menagerie/11007-packet-loss.pcap

Build host information:
Linux wsbb04 4.4.0-34-generic #53-Ubuntu SMP Wed Jul 27 16:06:39 UTC 2016
x86_64 x86_64 x86_64 GNU/Linux
Distributor ID:    Ubuntu
Description:    Ubuntu 16.04.1 LTS
Release:    16.04
Codename:    xenial

Buildbot information:
BUILDBOT_REPOSITORY=ssh://[email protected]:29418/wireshark
BUILDBOT_WORKERNAME=clang-code-analysis
BUILDBOT_BUILDNUMBER=3691
BUILDBOT_URL=http://buildbot.wireshark.org/wireshark-master/
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_GOT_REVISION=22257e8cf5a497cd16dd7336a9b8dd224285ee39

Return value:  1

Dissector bug:  0

Valgrind error count:  0



Git commit
commit 22257e8cf5a497cd16dd7336a9b8dd224285ee39
Author: Pascal Quantin <[email protected]>
Date:   Fri Sep 16 22:15:57 2016 +0200

    p_XXX_proto_data: only allow the use of pinfo and file scopes

    Those are the only ones meaningful. Let's convert the buggy dissectors
    and add an assert to avoid the misuse of the pool parameter in the future

    Change-Id: I65f470b757f163f11a25cd352ffe168d1f8a86d3
    Reviewed-on: https://code.wireshark.org/review/17748
    Petri-Dish: Pascal Quantin <[email protected]>
    Tested-by: Petri Dish Buildbot <[email protected]>
    Reviewed-by: Pascal Quantin <[email protected]>


=================================================================
==31686==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffe404c2c51 at pc 0x000000440f03 bp 0x7ffe404c2950 sp 0x7ffe404c2100
READ of size 7 at 0x7ffe404c2c51 thread T0
    #0 0x440f02 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/bin/tshark+0x440f02)
    #1 0x7fb8a1bea4f2  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x684f2)
    #2 0x7fb8a9f02dd3 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7a04dd3)
    #3 0x7fb8a9e36ba7 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7938ba7)
    #4 0x7fb8a9e370ea 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x79390ea)
    #5 0x7fb8aa31758d 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7e1958d)
    #6 0x7fb8a9df183c 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x78f383c)
    #7 0x7fb8a9def6ac 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x78f16ac)
    #8 0x7fb89a881882 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/wireshark/plugins/2.3.0/wimax.so+0x138882)
    #9 0x7fb89a86e0a3 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/wireshark/plugins/2.3.0/wimax.so+0x1250a3)
    #10 0x7fb8a9df183c 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x78f383c)
    #11 0x7fb8a9df1b08 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x78f3b08)
    #12 0x7fb89a8624c4 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/wireshark/plugins/2.3.0/wimax.so+0x1194c4)
    #13 0x7fb8a9df183c 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x78f383c)
    #14 0x7fb8a9def6ac 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x78f16ac)
    #15 0x7fb89a86096f 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/wireshark/plugins/2.3.0/wimax.so+0x11796f)
    #16 0x7fb8a9df183c 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x78f383c)
    #17 0x7fb8a9def6ac 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x78f16ac)
    #18 0x7fb89a85e1a2 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/wireshark/plugins/2.3.0/wimax.so+0x1151a2)
    #19 0x7fb8a9df183c 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x78f383c)
    #20 0x7fb8a9def6ac 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x78f16ac)
    #21 0x7fb89abe7ac0 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/wireshark/plugins/2.3.0/m2m.so+0x6ac0)
    #22 0x7fb8a9df183c 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x78f383c)
    #23 0x7fb8a9df1b08 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x78f3b08)
    #24 0x7fb8aa355838 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7e57838)
    #25 0x7fb8a9df183c 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x78f383c)
    #26 0x7fb8a9def6ac 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x78f16ac)
    #27 0x7fb8aa353e48 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7e55e48)
    #28 0x7fb8aa352770 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7e54770)
    #29 0x7fb8a9df183c 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x78f383c)
    #30 0x7fb8a9df150a 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x78f350a)
    #31 0x7fb8aa39d7af 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7e9f7af)
    #32 0x7fb8a9df183c 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x78f383c)
    #33 0x7fb8a9def6ac 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x78f16ac)
    #34 0x7fb8a9deee7a 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x78f0e7a)
    #35 0x7fb8a9dd506e 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x78d706e)
    #36 0x50ea04 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/bin/tshark+0x50ea04)
    #37 0x5090d5 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/bin/tshark+0x5090d5)
    #38 0x7fb89fdb682f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #39 0x423328 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/bin/tshark+0x423328)

Address 0x7ffe404c2c51 is located in stack of thread T0 at offset 49 in frame
    #0 0x7fb8aa316d3f 
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7e18d3f)

  This frame has 3 object(s):
    [32, 33) 'eap_identity_prefix.i'
    [48, 49) 'eap_identity_prefix' <== Memory access at offset 49 overflows
this variable
    [64, 72) 'frag_tree_item'
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
(/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/bin/tshark+0x440f02) 
Shadow bytes around the buggy address:
  0x100048090530: 00 00 00 00 f1 f1 f1 f1 04 f2 04 f3 00 00 00 00
  0x100048090540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100048090550: f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
  0x100048090560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100048090570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100048090580: 00 00 00 00 f1 f1 f1 f1 01 f2[01]f2 00 f3 f3 f3
  0x100048090590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000480905a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000480905b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000480905c0: f1 f1 f1 f1 00 04 f3 f3 00 00 00 00 00 00 00 00
  0x1000480905d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31686==ABORTING

[ no debug trace ]
