DVBCI dissector crash

This issue was migrated from bug 8916 in our old bug tracker.

Original bug information:

Reporter: Laurent Butti
Status: RESOLVED FIXED
Product: Wireshark
Component: TShark
OS: Ubuntu
Platform: x86-64
Version: 1.10.0

Attachments:

test.pcap: capture

See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4930

Laurent Butti said:

Created attachment 11172 capture

Build Information: Build Information: TShark 1.10.0 (SVN Rev Unknown from unknown)

Copyright 1998-2013 Gerald Combs <gerald@‍wireshark.org> and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.32.3, with libpcap, with libz 1.2.3.4, without POSIX capabilities, without libnl, without SMI, without c-ares, without ADNS, with Lua 5.1, without Python, with GnuTLS 2.12.14, with Gcrypt 1.5.0, with MIT Kerberos, without GeoIP.

Running on Linux 3.2.0-43-generic, with locale en_US.UTF-8, with libpcap version 1.1.1, with libz 1.2.3.4. AMD Athlon(tm) Dual Core Processor 5000B

Built using gcc 4.6.3.

Hi,

Here is a PCAP file triggering a SIGTRAP that could enable (at least) a remote
party to trigger a denial of service.

This file was generated thanks to a fuzz testing campaign.

Laurent Butti.

--

(process:31678): GLib-ERROR **: /build/buildd/glib2.0-2.32.3/./glib/gmem.c:165: failed to allocate 4294967295 bytes

Program received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff36bdfdb in g_logv () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
(gdb) bt
#0  0x00007ffff36bdfdb in g_logv () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#1  0x00007ffff36be1b2 in g_log () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007ffff36bcaaf in g_malloc () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007ffff4e4d4c5 in fragment_add_seq_work (more_frags=0, frag_data_len=4294967295, frag_number=<optimized out>, pinfo=0x7fffffffd630, offset=0,
    tvb=0x177f120, fd_head=0x6575c0) at reassemble.c:1720
#4  fragment_add_seq_common (table=0x7ffff76c3220, tvb=0x177f120, offset=0, pinfo=0x7fffffffd630, id=2418, data=<optimized out>, frag_number=<optimized out>,
    frag_data_len=4294967295, more_frags=0, flags=5, orig_keyp=0x7fffffffcf08) at reassemble.c:1888
#5  0x00007ffff4e4d7b6 in fragment_add_seq_check_work (flags=1, more_frags=0, frag_data_len=4294967295, frag_number=0, data=<optimized out>, id=2418,
    pinfo=0x7fffffffd630, offset=<optimized out>, tvb=<optimized out>, table=0x7ffff76c3220) at reassemble.c:1969
#6  fragment_add_seq_check_work (table=0x7ffff76c3220, tvb=<optimized out>, offset=<optimized out>, pinfo=0x7fffffffd630, id=2418, data=<optimized out>,
    frag_number=0, frag_data_len=4294967295, more_frags=0, flags=1) at reassemble.c:1948
#7  0x00007ffff4e4e538 in fragment_add_seq_next (table=<optimized out>, tvb=<optimized out>, offset=<optimized out>, pinfo=<optimized out>,
    id=<optimized out>, data=<optimized out>, frag_data_len=4294967295, more_frags=0) at reassemble.c:2037
#8  0x00007ffff5071190 in dissect_dvbci_tpdu (lpdu_tcid=1 '\001', direction=255 '\377', tree=0x177e810, pinfo=0x7fffffffd630, tvb=0x177f1e0)
    at packet-dvbci.c:4232
#9  dissect_dvbci_lpdu (direction=255 '\377', tree=0x177e810, pinfo=0x7fffffffd630, tvb=<optimized out>) at packet-dvbci.c:4331
#10 dissect_dvbci (tree=<optimized out>, pinfo=0x7fffffffd630, tvb=<optimized out>, data=<optimized out>) at packet-dvbci.c:4693
#11 dissect_dvbci (tvb=<optimized out>, pinfo=0x7fffffffd630, tree=<optimized out>, data=<optimized out>) at packet-dvbci.c:4628
#12 0x00007ffff4e2f2ef in call_dissector_through_handle (handle=0x15f16f0, tvb=0x177d1e0, pinfo=0x7fffffffd630, tree=0x177eaf0, data=0x0) at packet.c:454
#13 0x00007ffff4e2fbc5 in call_dissector_work (handle=0x15f16f0, tvb=0x177d1e0, pinfo_arg=0x7fffffffd630, tree=0x177eaf0, add_proto_name=1, data=0x0)
    at packet.c:549
#14 0x00007ffff4e30453 in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=132, tvb=0x177d1e0, pinfo=0x7fffffffd630, tree=0x177eaf0,
    add_proto_name=1, data=0x0) at packet.c:966
#15 0x00007ffff4e304a7 in dissector_try_uint (sub_dissectors=<optimized out>, uint_val=<optimized out>, tvb=<optimized out>, pinfo=<optimized out>,
    tree=<optimized out>) at packet.c:992
#16 0x00007ffff50c5108 in dissect_frame (tvb=0x177d1e0, pinfo=0x7fffffffd630, parent_tree=0x177eaf0) at packet-frame.c:481
#17 0x00007ffff4e2f2a8 in call_dissector_through_handle (handle=0x74c5d0, tvb=0x177d1e0, pinfo=0x7fffffffd630, tree=0x177eaf0, data=0x0) at packet.c:458
#18 0x00007ffff4e2fbc5 in call_dissector_work (handle=0x74c5d0, tvb=0x177d1e0, pinfo_arg=0x7fffffffd630, tree=0x177eaf0, add_proto_name=1, data=0x0)
    at packet.c:549
#19 0x00007ffff4e31991 in call_dissector_with_data (handle=<optimized out>, tvb=0x177d1e0, pinfo=0x7fffffffd630, tree=0x177eaf0, data=<optimized out>)
    at packet.c:2073
#20 0x00007ffff4e31d64 in dissect_packet (edt=0x7fffffffd620, phdr=0xffffffffffffffc0, pd=0x1753d80 "", fd=0x7fffffffd810, cinfo=0x0) at packet.c:392
#21 0x00007ffff4e277dc in epan_dissect_run_with_taps (edt=0x7fffffffd620, phdr=0x174ec90, data=0x1753d80 "", fd=0x7fffffffd810, cinfo=<optimized out>)
    at epan.c:217
#22 0x000000000041935e in process_packet (cf=0x643b00, offset=<optimized out>, whdr=0x174ec90, pd=0x1753d80 "", filtering_tap_listeners=<optimized out>,
    tap_flags=<optimized out>) at tshark.c:3251
#23 0x000000000040b519 in load_cap_file (max_byte_count=0, max_packet_count=-1, out_file_name_res=0, out_file_type=2, save_file=0x0, cf=<optimized out>)
    at tshark.c:3046
#24 main (argc=<optimized out>, argv=<optimized out>) at tshark.c:1918
(gdb) python import exploitable
(gdb) exploitable -v
'exploitable' version 1.04
Linux nitro 3.2.0-43-generic #68-Ubuntu SMP Wed May 15 03:33:33 UTC 2013 x86_64
Signal si_signo: 5 Signal si_addr: 0x0
Nearby code:
   0x00007ffff36bdfca <+458>:	je     0x7ffff36bdfdb <g_logv+475>
   0x00007ffff36bdfcc <+460>:	mov    r8d,DWORD PTR [rsp+0x14]
   0x00007ffff36bdfd1 <+465>:	test   r8d,r8d
   0x00007ffff36bdfd4 <+468>:	jne    0x7ffff36be118 <g_logv+792>
   0x00007ffff36bdfda <+474>:	int3
=> 0x00007ffff36bdfdb <+475>:	lea    rdi,[rip+0x2a513e]        # 0x7ffff3963120
   0x00007ffff36bdfe2 <+482>:	mov    esi,r14d
   0x00007ffff36bdfe5 <+485>:	call   0x7ffff36f2980 <g_private_set>
   0x00007ffff36bdfea <+490>:	nop    WORD PTR [rax+rax*1+0x0]
   0x00007ffff36bdff0 <+496>:	test   ebx,ebx
Stack trace:
#  0 g_logv at 0x7ffff36bdfdb in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3
#  1 g_log at 0x7ffff36be1b2 in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3
#  2 g_malloc at 0x7ffff36bcaaf in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3
#  3 fragment_add_seq_work at 0x7ffff4e4d4c5 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
#  4 fragment_add_seq_common at 0x7ffff4e4d4c5 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
#  5 fragment_add_seq_check_work at 0x7ffff4e4d7b6 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
#  6 fragment_add_seq_check_work at 0x7ffff4e4d7b6 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
#  7 fragment_add_seq_next at 0x7ffff4e4e538 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
#  8 dissect_dvbci_tpdu at 0x7ffff5071190 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
#  9 dissect_dvbci_lpdu at 0x7ffff5071190 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 10 dissect_dvbci at 0x7ffff5071190 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 11 dissect_dvbci at 0x7ffff5071190 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 12 call_dissector_through_handle at 0x7ffff4e2f2ef in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 13 call_dissector_work at 0x7ffff4e2fbc5 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 14 dissector_try_uint_new at 0x7ffff4e30453 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 15 dissector_try_uint at 0x7ffff4e304a7 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 16 dissect_frame at 0x7ffff50c5108 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 17 call_dissector_through_handle at 0x7ffff4e2f2a8 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 18 call_dissector_work at 0x7ffff4e2fbc5 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 19 call_dissector_with_data at 0x7ffff4e31991 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 20 dissect_packet at 0x7ffff4e31d64 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 21 epan_dissect_run_with_taps at 0x7ffff4e277dc in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 22 process_packet at 0x41935e in /home/laurent/fuzzing/bin/wireshark-1.10.0/bin/tshark
# 23 load_cap_file at 0x40b519 in /home/laurent/fuzzing/bin/wireshark-1.10.0/bin/tshark
# 24 main at 0x40b519 in /home/laurent/fuzzing/bin/wireshark-1.10.0/bin/tshark
Faulting frame: #  0 g_logv at 0x7ffff36bdfdb in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3
Description: Uncategorized signal
Short description: UncategorizedSignal (21/21)
Hash: b0f3a8f9f5ef304686aa4ebe588f1e4c.750159aba60eb29a065e1f6cced98e15
Exploitability Classification: UNKNOWN
Explanation: The target is stopped on a signal. This may be an exploitable condition, but this command was unable to categorize it.

added clitshark crash osubuntu version1.10 labels

Martin Kaiser said:

I'll have a look...

Thanks for reporting this

Martin Kaiser said:

body_len = len_field-1;
...
fragment_add_seq_next(, ...., body_len, ...)


This tries to allocate 0xFFFFFFFF bytes, causing a dissector assert.

Fixed in r50474

Martin Kaiser said:

back-ported to 1.10.1 and 1.8.9

making bug public now that it's fixed

closed