12358 – Wireshark static out-of-bounds reads while accessing ett_zbee_zcl_pwr_prof_enphases

Bug 12358 - Wireshark static out-of-bounds reads while accessing ett_zbee_zcl_pwr_prof_enphases

Summary: Wireshark static out-of-bounds reads while accessing ett_zbee_zcl_pwr_prof_en...

Status:	RESOLVED FIXED

Alias:	None

Product:	Wireshark
Classification:	Unclassified
Component:	Dissection engine (libwireshark) (show other bugs)
Version:	Git
Hardware:	All All

Importance:	Low Major (vote)
Target Milestone:	---
Assignee:	Bugzilla Administrator

URL:

Depends on:
Blocks:

Reported:	2016-04-19 14:41 UTC by Mateusz Jurczyk
Modified:	2016-04-23 21:55 UTC (History)
CC List:	0 users

See Also:

Attachments
Reproducers. (773 bytes, application/zip) 2016-04-19 14:41 UTC, Mateusz Jurczyk	Details
unzip file 1 (430 bytes, application/vnd.tcpdump.pcap) 2016-04-23 16:10 UTC, Michael Mann	Details
unzip file 2 (5.74 KB, application/vnd.tcpdump.pcap) 2016-04-23 16:11 UTC, Michael Mann	Details
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mateusz Jurczyk 2016-04-19 14:41:07 UTC

Created attachment 14498 [details]
Reproducers.

Build Information:
TShark (Wireshark) 2.1.0 (v2.1.0rc0-2738-g68ec673 from master)

Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, without POSIX capabilities, without libnl, with
GLib 2.40.2, with zlib 1.2.8, without SMI, without c-ares, without Lua, without
GnuTLS, without Gcrypt, with MIT Kerberos, without GeoIP.

Running on Linux 3.13.0-77-generic, with locale en_US.UTF-8, with libpcap
version 1.5.3, with zlib 1.2.8.
      Intel(R) Xeon(R) CPU E5-1650 v2 @ 3.50GHz (with SSE4.2)

Built using clang 4.2.1 Compatible Clang 3.8.0 (trunk 251411).
--
The following crashes due to a static out-of-bounds memory read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):

Attached are two files which trigger the crash.

--- cut ---
==666==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fa5e68bd620 at pc 0x7fa5dc525eab bp 0x7ffd5938ec40 sp 0x7ffd5938ec38
READ of size 4 at 0x7fa5e68bd620 thread T0
    #0 0x7fa5dc525eaa in dissect_zcl_pwr_prof_pwrprofnotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:10832:25
    #1 0x7fa5dc512afc in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:10549:21
    #2 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #3 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
    #4 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #5 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #6 0x7fa5dc4f777c in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:881:13
    #7 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #8 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
    #9 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #10 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #11 0x7fa5dc4d0d60 in dissect_zbee_apf wireshark/epan/dissectors/packet-zbee-aps.c:1705:9
    #12 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #13 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
    #14 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #15 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #16 0x7fa5dc4d04fa in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1055:13
    #17 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #18 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
    #19 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #20 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #21 0x7fa5dc4da910 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:732:9
    #22 0x7fa5dc4d419a in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:762:9
    #23 0x7fa5dc4d5fb7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:409:5
    #24 0x7fa5d9d83bbb in dissector_try_heuristic wireshark/epan/packet.c:2390:7
    #25 0x7fa5daf6591b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1524:21
    #26 0x7fa5daf5756a in dissect_ieee802154_nofcs wireshark/epan/dissectors/packet-ieee802154.c:751:5
    #27 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #28 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
    #29 0x7fa5d9d7ad4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
    #30 0x7fa5dab8c105 in dissect_frame wireshark/epan/dissectors/packet-frame.c:492:11
    #31 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #32 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
    #33 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #34 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #35 0x7fa5d9d75cd4 in dissect_record wireshark/epan/packet.c:539:3
    #36 0x7fa5d9d28db9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
    #37 0x52ef3f in process_packet wireshark/tshark.c:3727:5
    #38 0x52830c in load_cap_file wireshark/tshark.c:3483:11
    #39 0x51e67c in main wireshark/tshark.c:2192:13

0x7fa5e68bd620 is located 32 bytes to the left of global variable 'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:11520:13' (0x7fa5e68bd640) of size 128
0x7fa5e68bd620 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:10389:13' (0x7fa5e68bd5e0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:10832:25 in dissect_zcl_pwr_prof_pwrprofnotif
Shadow bytes around the buggy address:
  0x0ff53cd0fa70: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
  0x0ff53cd0fa80: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ff53cd0fa90: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff53cd0faa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
  0x0ff53cd0fab0: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00
=>0x0ff53cd0fac0: 00 00 00 00[f9]f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ff53cd0fad0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9
  0x0ff53cd0fae0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff53cd0faf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff53cd0fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff53cd0fb10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==666==ABORTING
--- cut ---

--- cut ---
==695==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7feb11013620 at pc 0x7feb06c7b825 bp 0x7ffd6fe96b00 sp 0x7ffd6fe96af8
READ of size 4 at 0x7feb11013620 thread T0
    #0 0x7feb06c7b824 in dissect_zcl_pwr_prof_enphsschednotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:10745:25
    #1 0x7feb06c68ba8 in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:10563:21
    #2 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #3 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
    #4 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #5 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #6 0x7feb06c4d77c in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:881:13
    #7 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #8 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
    #9 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #10 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #11 0x7feb06c26d60 in dissect_zbee_apf wireshark/epan/dissectors/packet-zbee-aps.c:1705:9
    #12 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #13 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
    #14 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #15 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #16 0x7feb06c264fa in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1055:13
    #17 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #18 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
    #19 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #20 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #21 0x7feb06c30910 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:732:9
    #22 0x7feb06c2a19a in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:762:9
    #23 0x7feb06c2bfb7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:409:5
    #24 0x7feb044d9bbb in dissector_try_heuristic wireshark/epan/packet.c:2390:7
    #25 0x7feb056bb91b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1524:21
    #26 0x7feb056ad56a in dissect_ieee802154_nofcs wireshark/epan/dissectors/packet-ieee802154.c:751:5
    #27 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #28 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
    #29 0x7feb044d0d4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
    #30 0x7feb052e2105 in dissect_frame wireshark/epan/dissectors/packet-frame.c:492:11
    #31 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #32 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
    #33 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #34 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #35 0x7feb044cbcd4 in dissect_record wireshark/epan/packet.c:539:3
    #36 0x7feb0447edb9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
    #37 0x52ef3f in process_packet wireshark/tshark.c:3727:5
    #38 0x52830c in load_cap_file wireshark/tshark.c:3483:11
    #39 0x51e67c in main wireshark/tshark.c:2192:13

0x7feb11013620 is located 32 bytes to the left of global variable 'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:11520:13' (0x7feb11013640) of size 128
0x7feb11013620 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:10389:13' (0x7feb110135e0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:10745:25 in dissect_zcl_pwr_prof_enphsschednotif
Shadow bytes around the buggy address:
  0x0ffde21fa670: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
  0x0ffde21fa680: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ffde21fa690: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffde21fa6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
  0x0ffde21fa6b0: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00
=>0x0ffde21fa6c0: 00 00 00 00[f9]f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ffde21fa6d0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9
  0x0ffde21fa6e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffde21fa6f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffde21fa700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffde21fa710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==695==ABORTING
--- cut ---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Comment 1 Michael Mann 2016-04-23 16:10:25 UTC

Created attachment 14504 [details]
unzip file 1

Comment 2 Michael Mann 2016-04-23 16:11:22 UTC

Created attachment 14505 [details]
unzip file 2

Unzip for fuzzbots

Comment 3 Michael Mann 2016-04-23 16:11:53 UTC

Make public for Gerrit hooks

Comment 4 Michael Mann 2016-04-23 19:21:10 UTC

Fix at https://code.wireshark.org/review/15072

Comment 5 Gerrit Code Review 2016-04-23 21:55:15 UTC

Change 15072 merged by Anders Broman:
Bounds check the use of ett_zbee_zcl_pwr_prof_enphases array.

https://code.wireshark.org/review/15072