Bug 11820 - Wireshark stack-based buffer overflow in file_read (wtap_read_bytes_or_eof/mp2t_find_next_pcr)
Summary: Wireshark stack-based buffer overflow in file_read (wtap_read_bytes_or_eof/mp...
Status: RESOLVED FIXED
Alias: None
Product: Wireshark
Classification: Unclassified
Component: Capture file support (libwiretap) (show other bugs)
Version: Git
Hardware: All All
: Low Major (vote)
Target Milestone: ---
Assignee: Bugzilla Administrator
URL:
Depends on:
Blocks:
 
Reported: 2015-11-30 14:27 UTC by Mateusz Jurczyk
Modified: 2015-12-03 05:20 UTC (History)
0 users

See Also:

Attachments
Reproducers. (1.61 KB, application/zip)
2015-11-30 14:27 UTC, Mateusz Jurczyk 		Details
unzip file 1 (2.93 KB, application/octet-stream)
2015-12-03 02:09 UTC, Michael Mann 		Details
unzip file 2 (13.65 KB, application/octet-stream)
2015-12-03 02:11 UTC, Michael Mann 		Details
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mateusz Jurczyk 2015-11-30 14:27:07 UTC 
Created attachment 14080 [details]
Reproducers.

Build Information:
Wireshark git master.
--
The following crash due to a stack-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):

Attached are two files which trigger the crash.

--- cut ---
==3325==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff80063d1c at pc 0x0000004aaf56 bp 0x7fff80063a50 sp 0x7fff80063200
WRITE of size 202 at 0x7fff80063d1c thread T0
    #0 0x4aaf55 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
    #1 0x7fb265728fad in file_read wireshark/wiretap/file_wrappers.c:1222:13
    #2 0x7fb2658ae866 in wtap_read_bytes_or_eof wireshark/wiretap/wtap.c:1363:15
    #3 0x7fb265783fac in mp2t_find_next_pcr wireshark/wiretap/mp2t.c:178:14
    #4 0x7fb265782bfa in mp2t_bits_per_second wireshark/wiretap/mp2t.c:236:10
    #5 0x7fb2657823a0 in mp2t_open wireshark/wiretap/mp2t.c:363:14
    #6 0x7fb265716911 in wtap_open_offline wireshark/wiretap/file_access.c:1042:13
    #7 0x51bd1d in cf_open wireshark/tshark.c:4195:9
    #8 0x51584e in main wireshark/tshark.c:2188:9

Address 0x7fff80063d1c is located in stack of thread T0 at offset 220 in frame
    #0 0x7fb265783cdf in mp2t_find_next_pcr wireshark/wiretap/mp2t.c:170

  This frame has 1 object(s):
    [32, 220) 'buffer' <== Memory access at offset 220 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
Shadow bytes around the buggy address:
  0x100070004750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100070004760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100070004770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100070004780: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
  0x100070004790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000700047a0: 00 00 00[04]f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
  0x1000700047b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000700047c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000700047d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000700047e0: f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 02 f2 02 f2
  0x1000700047f0: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3325==ABORTING
--- cut ---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Comment 1 Michael Mann 2015-12-03 02:09:59 UTC 
Created attachment 14115 [details]
unzip file 1
Comment 2 Michael Mann 2015-12-03 02:11:08 UTC 
Created attachment 14116 [details]
unzip file 2

Unzipped for the fuzzbots
Comment 3 Michael Mann 2015-12-03 02:12:46 UTC 
Made public for the Gerrit hooks.
Comment 4 Gerrit Code Review 2015-12-03 02:13:38 UTC 
Change 12393 had a related patch set uploaded by Michael Mann:
[MP2T] Reading buffer should have MP2T_SIZE+TRAILER_LEN_MAX space to give room for non-zero trailer.

https://code.wireshark.org/review/12393
Comment 5 Gerrit Code Review 2015-12-03 05:19:58 UTC 
Change 12393 merged by Anders Broman:
[MP2T] Reading buffer should have MP2T_SIZE+TRAILER_LEN_MAX space to give room for non-zero trailer.

https://code.wireshark.org/review/12393
Comment 6 Gerrit Code Review 2015-12-03 05:20:32 UTC 
Change 12399 had a related patch set uploaded by Anders Broman:
[MP2T] Reading buffer should have MP2T_SIZE+TRAILER_LEN_MAX space to give room for non-zero trailer.

https://code.wireshark.org/review/12399
Comment 7 Gerrit Code Review 2015-12-03 05:20:55 UTC 
Change 12399 merged by Anders Broman:
[MP2T] Reading buffer should have MP2T_SIZE+TRAILER_LEN_MAX space to give room for non-zero trailer.

https://code.wireshark.org/review/12399