Bug 12106 - Buildbot crash output: fuzz-2016-02-09-3681.pcap
Summary: Buildbot crash output: fuzz-2016-02-09-3681.pcap
Status: RESOLVED FIXED
Alias: None
Product: Wireshark
Classification: Unclassified
Component: Dissection engine (libwireshark) (show other bugs)
Version: unspecified
Hardware: x86-64 Ubuntu
Importance: High Major (vote)
Target Milestone: ---
Assignee: Bugzilla Administrator
URL: https://www.wireshark.org/download/au...
Duplicates: 11796 (view as bug list)
Depends on:
Blocks:
 
Reported: 2016-02-10 14:00 UTC by Buildbot Builder
Modified: 2016-05-02 23:08 UTC (History)

See Also:


Description Buildbot Builder 2016-02-10 14:00:02 UTC
Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2016-02-09-3681.pcap

stderr:
Input file: /home/wireshark/menagerie/menagerie/892-detail-M3UA.cap

Build host information:
Linux wsbb04 3.13.0-74-generic #118-Ubuntu SMP Thu Dec 17 22:52:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Distributor ID:	Ubuntu
Description:	Ubuntu 14.04.3 LTS
Release:	14.04
Codename:	trusty

Buildbot information:
BUILDBOT_REPOSITORY=ssh://wireshark-buildbot@code.wireshark.org:29418/wireshark
BUILDBOT_BUILDNUMBER=3497
BUILDBOT_URL=http://buildbot.wireshark.org/wireshark-master/
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_SLAVENAME=clang-code-analysis
BUILDBOT_GOT_REVISION=093514eb49a7b2780f49cccae905c7d963301180

Return value:  1

Dissector bug:  0

Valgrind error count:  0



Git commit
commit 093514eb49a7b2780f49cccae905c7d963301180
Author: Stig Bjørlykke <stig@bjorlykke.org>
Date:   Tue Feb 9 00:02:33 2016 +0100

    Lua: Check out-of-bounds before tvb_strsize()
    
    Add a check for out-of-bounds before calling tvb_strsize() because
    this will THROW an exception if not finding a terminating NUL.
    
    Unhandled exceptions will mess up Lua luaL_error() handling and
    will end up in a crash.
    
    Change-Id: Ieafef59a3858656e0d8c79904828b631657b4cbc
    Reviewed-on: https://code.wireshark.org/review/13842
    Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
    Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
    Reviewed-by: Anders Broman <a.broman58@gmail.com>


Command and args: /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/bin/tshark -nVxr

=================================================================
==31975==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f351a4b76b8 at pc 0x7f35172fe395 bp 0x7ffd86e647f0 sp 0x7ffd86e647e8
READ of size 8 at 0x7f351a4b76b8 thread T0
    #0 0x7f35172fe394  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x753a394)
    #1 0x7f351800a9bf  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x82469bf)
    #2 0x7f35172febcc  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x753abcc)
    #3 0x7f351800a941  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x8246941)
    #4 0x7f35172fbefb  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7537efb)
    #5 0x7f351800a89f  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x824689f)
    #6 0x7f35172febcc  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x753abcc)
    #7 0x7f351800a7a1  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x82467a1)
    #8 0x7f3517300f05  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x753cf05)
    #9 0x7f3517301765  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x753d765)
    #10 0x7f351800a75f  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x824675f)
    #11 0x7f35172f40cb  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x75300cb)
    #12 0x7f351800a71d  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x824671d)
    #13 0x7f35172fbefb  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7537efb)
    #14 0x7f3518009924  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x8245924)
    #15 0x7f35172febcc  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x753abcc)
    #16 0x7f35180097ad  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x82457ad)
    #17 0x7f35170f5621  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7331621)
    #18 0x7f35170f36fc  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x732f6fc)
    #19 0x7f3518377025  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x85b3025)
    #20 0x7f35170f5621  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7331621)
    #21 0x7f35170f52ba  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x73312ba)
    #22 0x7f3517be33b9  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7e1f3b9)
    #23 0x7f3517be2977  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7e1e977)
    #24 0x7f3517be2dbd  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7e1edbd)
    #25 0x7f3517bdf6b2  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7e1b6b2)
    #26 0x7f35170f5621  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7331621)
    #27 0x7f35170f58c8  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x73318c8)
    #28 0x7f35178d1fcd  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7b0dfcd)
    #29 0x7f35178ce480  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7b0a480)
    #30 0x7f35170f5621  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7331621)
    #31 0x7f35170f52ba  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x73312ba)
    #32 0x7f3517c1b566  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7e57566)
    #33 0x7f3517c14057  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7e50057)
    #34 0x7f3517c10de1  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7e4cde1)
    #35 0x7f3517c101a5  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7e4c1a5)
    #36 0x7f3517c0dceb  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7e49ceb)
    #37 0x7f35170f5621  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7331621)
    #38 0x7f35170f52ba  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x73312ba)
    #39 0x7f35177b5933  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x79f1933)
    #40 0x7f35177b8941  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x79f4941)
    #41 0x7f35170f5621  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7331621)
    #42 0x7f35170f58c8  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x73318c8)
    #43 0x7f35175db9c9  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x78179c9)
    #44 0x7f35170f5621  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7331621)
    #45 0x7f35170f36fc  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x732f6fc)
    #46 0x7f35175da441  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7816441)
    #47 0x7f35175d9220  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7815220)
    #48 0x7f35170f5621  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7331621)
    #49 0x7f35170f52ba  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x73312ba)
    #50 0x7f3517623c25  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x785fc25)
    #51 0x7f35170f5621  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x7331621)
    #52 0x7f35170f36fc  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x732f6fc)
    #53 0x7f35170f2f18  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x732ef18)
    #54 0x7f35170d367e  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/lib/libwireshark.so.0+0x730f67e)
    #55 0x501145  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/bin/tshark+0x501145)
    #56 0x4fb96b  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/bin/tshark+0x4fb96b)
    #57 0x7f350ca02ec4  (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #58 0x43fc26  (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/bin/tshark+0x43fc26)

0x7f351a4b76b8 is located 8 bytes to the left of global variable 'T_paramSequence_sequence' defined in '../../asn1/ansi_tcap/ansi_tcap.cnf:170:29' (0x7f351a4b76c0) of size 32
0x7f351a4b76b8 is located 24 bytes to the right of global variable 'T_paramSet_set' defined in '../../asn1/ansi_tcap/ansi_tcap.cnf:183:29' (0x7f351a4b7680) of size 32
Shadow bytes around the buggy address:
  0x0fe72348ee80: f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9 00 00 00 03
  0x0fe72348ee90: f9 f9 f9 f9 00 00 06 f9 f9 f9 f9 f9 00 00 00 00
  0x0fe72348eea0: 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0fe72348eeb0: 00 04 f9 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
  0x0fe72348eec0: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9
=>0x0fe72348eed0: 00 00 00 00 f9 f9 f9[f9]00 00 00 00 f9 f9 f9 f9
  0x0fe72348eee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe72348eef0: 00 00 00 05 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0fe72348ef00: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 03 f9 f9 f9
  0x0fe72348ef10: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
  0x0fe72348ef20: f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9 00 03 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31975==ABORTING

[ no debug trace ]
Comment 1 Peter Wu 2016-02-20 00:17:23 UTC
The problem is here:

 for (first_pass = TRUE, cset = set, set_idx = 0; cset->func || first_pass; cset++, set_idx++) {

combined with:

 static const ber_sequence_t T_paramSet_set[] = {
   { NULL, 0, 0, 0, NULL }
 };

 static int
 dissect_ansi_tcap_T_paramSet(...) {
   offset = dissect_ber_set(..., T_paramSet_set, ...);

Because the list of possible set elements is empty, this will happen:

Iteration 0:
first_pass == TRUE;
cset == &T_paramSet_set[0];
cset->func == NULL;
condition TRUE because first_pass == TRUE

Iteration 1:
first_pass == FALSE;
cset == &T_paramSet_set[1];
Invalid memory access when reading cset->func!

I'm now checking which dissectors are affected by this (other than ansi_tcap).
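Added illustration of the failure mode described in the comment above (this is an editor's example, not code from the bug report or from Wireshark's packet-ber.c): a sentinel-terminated table modelled on ber_sequence_t, an empty SET table holding only the terminator, a replay of the original "cset->func || first_pass" loop condition with an explicit bounds check in front of every read so the over-read is reported instead of executed, and a guarded variant that tests the terminator before using the element. The struct layout, the callback type and the guard are simplifications assumed for the example; the guard is not a copy of the upstream fix.

```c
/* Added example, not Wireshark code: models the sentinel-terminated table that
 * dissect_ber_set() walks and shows why an empty SET {} (terminator only)
 * drives the original loop condition one element past the end of the table. */
#include <stddef.h>
#include <stdio.h>

typedef int (*ber_callback)(void);   /* stand-in for the real dissector callback type */

typedef struct {
    const int   *p_id;      /* hf index pointer in the real struct (unused here) */
    unsigned     ber_class;
    unsigned     tag;
    unsigned     flags;
    ber_callback func;      /* NULL marks the end of the table */
} ber_sequence_t;

static int dummy_dissector(void) { return 0; }

/* Constructed tables: an empty SET (terminator only, like T_paramSet_set)
 * and a one-element SET for comparison. */
static const ber_sequence_t empty_set[] = {
    { NULL, 0, 0, 0, NULL }
};
static const ber_sequence_t one_elem_set[] = {
    { NULL, 0, 0, 0, dummy_dissector },
    { NULL, 0, 0, 0, NULL }
};

/* Replays the original loop condition "cset->func || first_pass" with a bounds
 * check before each read.  Returns the index of the first element the original
 * loop would read past the end of the table, or -1 if the loop terminates in
 * bounds.  nelems is the real table length including the terminator; the
 * original code has no such length available, which is the whole problem. */
int original_loop_oob_index(const ber_sequence_t *set, size_t nelems)
{
    int    first_pass = 1;
    size_t set_idx    = 0;

    for (;;) {
        if (set_idx >= nelems)
            return (int)set_idx;             /* original code reads set[set_idx].func here */
        if (!(set[set_idx].func || first_pass))
            return -1;                       /* condition false: normal loop exit */
        /* Simplified body: nothing matched on this pass (an empty set has
         * nothing to match), so the next iteration runs with first_pass clear. */
        first_pass = 0;
        set_idx++;
    }
}

/* Guarded variant: the terminator is checked before the element is used, so an
 * empty set gives zero iterations instead of an over-read.  Returns the number
 * of real (non-terminator) entries.  Illustrative guard, not the upstream fix. */
int guarded_count_elements(const ber_sequence_t *set)
{
    int count      = 0;
    int first_pass = 1;
    const ber_sequence_t *cset;

    for (cset = set; cset->func || first_pass; cset++) {
        if (cset->func == NULL)
            break;                           /* empty set: nothing to dissect */
        count++;
        first_pass = 0;
    }
    return count;
}

int main(void)
{
    printf("empty set: original loop over-reads at index %d, guarded count = %d\n",
           original_loop_oob_index(empty_set, 1), guarded_count_elements(empty_set));
    printf("one-element set: original loop oob index = %d, guarded count = %d\n",
           original_loop_oob_index(one_elem_set, 2), guarded_count_elements(one_elem_set));
    return 0;
}
```

For the empty table the replay reports index 1, which is exactly the &T_paramSet_set[1] read that AddressSanitizer flagged eight bytes to the left of the neighbouring global; for the one-element table the original condition exits in bounds, which is why only the 29 single-element definitions found in the next comment matter.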
Comment 2 Peter Wu 2016-02-20 14:05:03 UTC
Find all ber_sequence_t definitions with a single element:

 grep ber_sequence_t -lr > /tmp/1
 clang-query -p=/tmp/wsbuild $(cat /tmp/1) -c 'set output print' \
     -c 'm varDecl(hasType(asString("const ber_sequence_t [1]")))' > /tmp/2

Find all variables having a NULL element (ignoring sequence_of and set_of definitions):

 awk '/void/{gsub(/[\[\]]/,"");print $4}' /tmp/2

There will be 29 of them. For the ansi_tcap example (asn1/ansi_tcap/TCAPPackage.asn) we have this specification:

 Reject ::= SEQUENCE {
 	componentID			[PRIVATE 15] IMPLICIT OCTET STRING (SIZE(0..1)),
 	rejectProblem		[PRIVATE 21] IMPLICIT Problem,
 	parameter CHOICE {
 		paramSequence [PRIVATE 16] IMPLICIT SEQUENCE { },
 		paramSet [PRIVATE 18] IMPLICIT SET { }
 	}	--The choice between paramSequence and paramSet is implementation
 		--dependent, however paramSequence is preferred.
 }

This empty "SET {}" will cause issues. ("SEQUENCE {}" will not cause issues with dissect_ber_sequence because it checks seq->func before continuing).

According to 26.1 from X.680-0207 an empty set is valid. Patch is coming up.
Comment 3 Gerrit Code Review 2016-02-20 14:11:47 UTC
Change 14028 had a related patch set uploaded by Peter Wu:
ber: fix buffer overrun when handling empty sets

https://code.wireshark.org/review/14028
Comment 4 Gerrit Code Review 2016-02-20 15:06:47 UTC
Change 14028 merged by Peter Wu:
ber: fix buffer overrun when handling empty sets

https://code.wireshark.org/review/14028
Comment 5 Gerrit Code Review 2016-02-20 15:06:57 UTC
Change 14035 had a related patch set uploaded by Peter Wu:
ber: fix buffer overrun when handling empty sets

https://code.wireshark.org/review/14035
Comment 6 Gerrit Code Review 2016-02-20 15:07:05 UTC
Change 14035 merged by Peter Wu:
ber: fix buffer overrun when handling empty sets

https://code.wireshark.org/review/14035
Comment 7 Gerrit Code Review 2016-02-20 15:07:21 UTC
Change 14036 had a related patch set uploaded by Peter Wu:
ber: fix buffer overrun when handling empty sets

https://code.wireshark.org/review/14036
Comment 8 Gerrit Code Review 2016-02-20 15:07:28 UTC
Change 14036 merged by Peter Wu:
ber: fix buffer overrun when handling empty sets

https://code.wireshark.org/review/14036
Comment 9 Peter Wu 2016-02-20 15:38:23 UTC
*** Bug 11796 has been marked as a duplicate of this bug. ***
Comment 10 Gerrit Code Review 2016-03-04 16:00:03 UTC
Change 14347 had a related patch set uploaded by Balint Reczey:
ber: fix buffer overrun when handling empty sets

https://code.wireshark.org/review/14347
Comment 11 Gerrit Code Review 2016-03-04 16:14:07 UTC
Change 14347 merged by Balint Reczey:
ber: fix buffer overrun when handling empty sets

https://code.wireshark.org/review/14347
Comment 12 Gerrit Code Review 2016-03-06 20:17:42 UTC
Change 14374 had a related patch set uploaded by Balint Reczey:
ber: fix buffer overrun when handling empty sets

https://code.wireshark.org/review/14374
Comment 13 Gerrit Code Review 2016-03-06 20:17:52 UTC
Change 14374 merged by Balint Reczey:
ber: fix buffer overrun when handling empty sets

https://code.wireshark.org/review/14374