[oss-fuzz] ASAN: heap-buffer-overflow epan/dissectors/packet-sigcomp.c:1353:16 in dissect_udvm_reference_operand_memory
Build Information:
TShark (Wireshark) 2.5.0 (v2.5.0rc0-2634-g41b571f9)

Copyright 1998-2018 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.54.3, with zlib 1.2.11, without SMI, with c-ares 1.13.0, with Lua
5.2.4, with GnuTLS 3.5.17, with Gcrypt 1.8.2, with MIT Kerberos, with GeoIP,
with nghttp2 1.29.0, with LZ4, with Snappy, with libxml2 2.9.7.

Running on Linux 4.14.12-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31989 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.17, with Gcrypt 1.8.2, with zlib 1.2.11, binary
plugins supported (14 loaded).

Built using clang 4.2.1 Compatible Clang 5.0.1 (tags/RELEASE_501/final).
--
A problem was found by the oss-fuzz project: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4700

Attached is the sample that triggers this error, which can be reproduced with an ASAN+UBSAN build of Wireshark:

tshark -Vxr clusterfuzz-testcase-minimized-4680183702355968.pcap

--
=================================================================
==22609==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000178801 at pc 0x7f6fdee6b162 bp 0x7ffda05ed090 sp 0x7ffda05ed088
READ of size 1 at 0x631000178801 thread T0
    #0 0x7f6fdee6b161 in dissect_udvm_reference_operand_memory epan/dissectors/packet-sigcomp.c:1353:16
    #1 0x7f6fdee4023b in decompress_sigcomp_message epan/dissectors/packet-sigcomp.c:2027:32
    #2 0x7f6fdee3bdf4 in dissect_sigcomp_common epan/dissectors/packet-sigcomp.c:4998:30
    #3 0x7f6fdee37c38 in dissect_sigcomp epan/dissectors/packet-sigcomp.c:4642:12
    #4 0x7f6fe0bb127b in call_dissector_through_handle epan/packet.c:681:9
    #5 0x7f6fe0b9be17 in call_dissector_work epan/packet.c:766:9
    #6 0x7f6fe0b9ae75 in dissector_try_uint_new epan/packet.c:1348:8
    #7 0x7f6fe0b9c6c9 in dissector_try_uint epan/packet.c:1372:9
    #8 0x7f6fdf378490 in decode_udp_ports epan/dissectors/packet-udp.c:683:7
    #9 0x7f6fdf38bc4b in dissect epan/dissectors/packet-udp.c:1139:5
    #10 0x7f6fdf37d0bf in dissect_udp epan/dissectors/packet-udp.c:1145:3
    #11 0x7f6fe0bb127b in call_dissector_through_handle epan/packet.c:681:9
    #12 0x7f6fe0b9be17 in call_dissector_work epan/packet.c:766:9
    #13 0x7f6fe0b9ae75 in dissector_try_uint_new epan/packet.c:1348:8
    #14 0x7f6fdda85157 in dissect_exported_pdu epan/dissectors/packet-exported_pdu.c:378:17
    #15 0x7f6fe0bb127b in call_dissector_through_handle epan/packet.c:681:9
    #16 0x7f6fe0b9be17 in call_dissector_work epan/packet.c:766:9
    #17 0x7f6fe0b9ae75 in dissector_try_uint_new epan/packet.c:1348:8
    #18 0x7f6fddb941b7 in dissect_frame epan/dissectors/packet-frame.c:563:11
    #19 0x7f6fe0bb127b in call_dissector_through_handle epan/packet.c:681:9
    #20 0x7f6fe0b9be17 in call_dissector_work epan/packet.c:766:9
    #21 0x7f6fe0baa439 in call_dissector_only epan/packet.c:3079:8
    #22 0x7f6fe0b93ad1 in call_dissector_with_data epan/packet.c:3092:8
    #23 0x7f6fe0b92e2c in dissect_record epan/packet.c:555:3
    #24 0x7f6fe0b40968 in epan_dissect_run_with_taps epan/epan.c:540:2
    #25 0x55ebe43deb07 in process_packet_single_pass tshark.c:3496:5
    #26 0x55ebe43d7e17 in process_cap_file tshark.c:3322:11
    #27 0x55ebe43cfa9e in main tshark.c:2019:17
    #28 0x7f6fd2350f49 in __libc_start_main (/usr/lib/libc.so.6+0x20f49)
    #29 0x55ebe42b6ea9 in _start (run/tshark+0xdbea9)

0x631000178801 is located 1 bytes to the right of 65536-byte region [0x631000168800,0x631000178800)
allocated by thread T0 here:
    #0 0x55ebe4376c31 in malloc (run/tshark+0x19bc31)
    #1 0x7f6fd2d745a9 in g_malloc /build/src/glib/glib/gmem.c:94
    #2 0x7f6fe099b176 in wmem_simple_alloc epan/wmem/wmem_allocator_simple.c:55:50
    #3 0x7f6fe09882cb in wmem_alloc epan/wmem/wmem_core.c:58:12
    #4 0x7f6fe0988309 in wmem_alloc0 epan/wmem/wmem_core.c:66:11
    #5 0x7f6fdee3e301 in decompress_sigcomp_message epan/dissectors/packet-sigcomp.c:1739:59
    #6 0x7f6fdee3bdf4 in dissect_sigcomp_common epan/dissectors/packet-sigcomp.c:4998:30
    #7 0x7f6fdee37c38 in dissect_sigcomp epan/dissectors/packet-sigcomp.c:4642:12
    #8 0x7f6fe0bb127b in call_dissector_through_handle epan/packet.c:681:9
    #9 0x7f6fe0b9be17 in call_dissector_work epan/packet.c:766:9
    #10 0x7f6fe0b9ae75 in dissector_try_uint_new epan/packet.c:1348:8
    #11 0x7f6fe0b9c6c9 in dissector_try_uint epan/packet.c:1372:9
    #12 0x7f6fdf378490 in decode_udp_ports epan/dissectors/packet-udp.c:683:7
    #13 0x7f6fdf38bc4b in dissect epan/dissectors/packet-udp.c:1139:5
    #14 0x7f6fdf37d0bf in dissect_udp epan/dissectors/packet-udp.c:1145:3
    #15 0x7f6fe0bb127b in call_dissector_through_handle epan/packet.c:681:9
    #16 0x7f6fe0b9be17 in call_dissector_work epan/packet.c:766:9
    #17 0x7f6fe0b9ae75 in dissector_try_uint_new epan/packet.c:1348:8
    #18 0x7f6fdda85157 in dissect_exported_pdu epan/dissectors/packet-exported_pdu.c:378:17
    #19 0x7f6fe0bb127b in call_dissector_through_handle epan/packet.c:681:9
    #20 0x7f6fe0b9be17 in call_dissector_work epan/packet.c:766:9
    #21 0x7f6fe0b9ae75 in dissector_try_uint_new epan/packet.c:1348:8
    #22 0x7f6fddb941b7 in dissect_frame epan/dissectors/packet-frame.c:563:11
    #23 0x7f6fe0bb127b in call_dissector_through_handle epan/packet.c:681:9
    #24 0x7f6fe0b9be17 in call_dissector_work epan/packet.c:766:9
    #25 0x7f6fe0baa439 in call_dissector_only epan/packet.c:3079:8
    #26 0x7f6fe0b93ad1 in call_dissector_with_data epan/packet.c:3092:8
    #27 0x7f6fe0b92e2c in dissect_record epan/packet.c:555:3
    #28 0x7f6fe0b40968 in epan_dissect_run_with_taps epan/epan.c:540:2
    #29 0x55ebe43deb07 in process_packet_single_pass tshark.c:3496:5

SUMMARY: AddressSanitizer: heap-buffer-overflow epan/dissectors/packet-sigcomp.c:1353:16 in dissect_udvm_reference_operand_memory
Shadow bytes around the buggy address:
  0x0c62800270b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c62800270c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c62800270d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c62800270e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c62800270f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c6280027100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c6280027110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c6280027120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c6280027130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c6280027140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c6280027150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22609==ABORTING
Created attachment 16107 [details] Packet capture file
I cannot reproduce with v2.5.1rc0-121-g9198448f. Peter, do you confirm?
Still reproducible with v2.5.1rc0-121-g9198448f9d using tshark on Linux with ASAN. What is your environment?

==30408==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000178801 at pc 0x7f04310b34f2 bp 0x7ffe926230f0 sp 0x7ffe926230e8
READ of size 1 at 0x631000178801 thread T0
    #0 0x7f04310b34f1 in dissect_udvm_reference_operand_memory epan/dissectors/packet-sigcomp.c:1341:16
    #1 0x7f04310885cb in decompress_sigcomp_message epan/dissectors/packet-sigcomp.c:2015:32
    #2 0x7f0431084184 in dissect_sigcomp_common epan/dissectors/packet-sigcomp.c:4986:30
    #3 0x7f043107ffd8 in dissect_sigcomp epan/dissectors/packet-sigcomp.c:4630:12
Fedora 27 x64, gcc version 7.3.1 20180130 (Red Hat 7.3.1-2) (GCC), libasan 7.3.1.
Can still reproduce with GCC 7.3.0-1 on Arch Linux x86_64. Turns out that the following environment variable must be set as well:

WIRESHARK_DEBUG_WMEM_OVERRIDE=simple
Indeed setting the environment variable was the trick I was missing. Thanks.
Change 25790 had a related patch set uploaded by Pascal Quantin: SIGCOMP: check operand offset when accessing UDVM memory https://code.wireshark.org/review/25790
Change 25790 merged by Anders Broman: SIGCOMP: check operand offset when accessing UDVM memory https://code.wireshark.org/review/25790
Change 25791 had a related patch set uploaded by Pascal Quantin: SIGCOMP: check operand offset when accessing UDVM memory https://code.wireshark.org/review/25791
Change 25792 had a related patch set uploaded by Pascal Quantin: SIGCOMP: check operand offset when accessing UDVM memory https://code.wireshark.org/review/25792
Change 25791 merged by Pascal Quantin: SIGCOMP: check operand offset when accessing UDVM memory https://code.wireshark.org/review/25791
Change 25792 merged by Pascal Quantin: SIGCOMP: check operand offset when accessing UDVM memory https://code.wireshark.org/review/25792
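The report above records a one-byte read just past a 65536-byte UDVM memory region, reached from an operand decoder; the merged change is titled "check operand offset when accessing UDVM memory". The following is an added illustration of that defect class and its fix, written for this page; it is not code from Wireshark, from packet-sigcomp.c, or from change 25790. Every function name and the operand layout are assumptions; only the 65536-byte buffer size is taken from the report. The unchecked reader shows the shape of the bug (a 2-byte fetch at offset 65535 touches index 65536), and the checked reader shows the bounds test that every access to the buffer must pass.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Size of the UDVM memory buffer; the ASAN report shows a 65536-byte region. */
#define UDVM_MEMORY_SIZE 65536u

/* Hypothetical unchecked 16-bit big-endian read. Calling this with
 * offset == UDVM_MEMORY_SIZE - 1 reads mem[65536], one byte past the end:
 * the same over-read the sanitizer reported. Shown only as the "before";
 * never call it with an offset that has not been range-checked. */
static uint16_t udvm_read_u16_unchecked(const uint8_t *mem, uint32_t offset)
{
    return (uint16_t)(((uint16_t)mem[offset] << 8) | mem[offset + 1]);
}

/* Bounds predicate for every UDVM memory access: true iff all of
 * [offset, offset + width) lies inside a buffer of mem_len bytes.
 * Written as two comparisons so it cannot wrap for any 32-bit inputs. */
static bool udvm_range_ok(uint32_t mem_len, uint32_t offset, uint32_t width)
{
    return width <= mem_len && offset <= mem_len - width;
}

/* Checked 16-bit read: returns false, leaving *out untouched, instead of
 * reading past the end of the buffer. */
static bool udvm_read_u16_checked(const uint8_t *mem, uint32_t mem_len,
                                  uint32_t offset, uint16_t *out)
{
    if (!udvm_range_ok(mem_len, offset, 2))
        return false;
    *out = (uint16_t)(((uint16_t)mem[offset] << 8) | mem[offset + 1]);
    return true;
}

/* Hypothetical reference-operand decoder: the operand names an offset in
 * UDVM memory from which a 16-bit value is fetched. Returns -1 when the
 * operand points outside the buffer, otherwise the fetched value (0..65535).
 * A real dissector would report the malformed operand to the caller here. */
static int decode_reference_operand(const uint8_t *mem, uint32_t mem_len,
                                    uint32_t operand_offset)
{
    uint16_t value;
    if (!udvm_read_u16_checked(mem, mem_len, operand_offset, &value))
        return -1;
    return value;
}

/* Constructed UDVM memory image for the demonstration: byte i holds i & 0xff.
 * The caller frees the result. */
static uint8_t *make_sample_udvm_memory(void)
{
    uint8_t *mem = malloc(UDVM_MEMORY_SIZE);
    if (!mem)
        return NULL;
    for (uint32_t i = 0; i < UDVM_MEMORY_SIZE; i++)
        mem[i] = (uint8_t)(i & 0xff);
    return mem;
}

int main(void)
{
    uint8_t *mem = make_sample_udvm_memory();
    if (!mem)
        return 1;

    /* In-bounds operand: checked and unchecked readers agree. */
    printf("offset 0x1234 -> checked %d, unchecked %u\n",
           decode_reference_operand(mem, UDVM_MEMORY_SIZE, 0x1234),
           udvm_read_u16_unchecked(mem, 0x1234));
    /* Last valid 2-byte offset. */
    printf("offset 0xfffe -> %d\n",
           decode_reference_operand(mem, UDVM_MEMORY_SIZE, 0xfffe));
    /* The reported case: one byte of the operand would lie past the end. */
    printf("offset 0xffff -> %d (rejected)\n",
           decode_reference_operand(mem, UDVM_MEMORY_SIZE, 0xffff));

    free(mem);
    return 0;
}
```

Note that with the default wmem block allocator the over-read usually lands inside a larger pooled chunk and goes unnoticed; the simple allocator requested by WIRESHARK_DEBUG_WMEM_OVERRIDE=simple hands every wmem_alloc to g_malloc (visible in the allocation trace above), which is why the sanitizer only flags the bug with that variable set.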