  • #18622
Closed
Open
Issue created Nov 11, 2022 by A Wireshark GitLab Utility@ws-gitlab-utilityDeveloper

Fuzz job crash output: fuzz-2022-11-11-7078.pcap

Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2022-11-11-7078.pcap.gz

stderr:

Branch: master
Input file: /var/menagerie/menagerie/merge-request-6838-dump.pcap
CI job name: ASan Menagerie Fuzz, ID: 3307674414
CI job URL: https://gitlab.com/wireshark/wireshark/-/jobs/3307674414
Return value: 0
Dissector bug: 0
Date and time: Fri Nov 11 00:39:26 UTC 2022

Commits in the last 48 hours:
91279eb90 Qt: Add GeoIP latitude and longitude to Endpoints table
1e6f26adb wslua: init.lua - superuser logic; typeof() call on non-table
b032a40fd IEEE 802.11: random addresses in conversations and endpoints
c34223ad6 VRT: add context packet support to VITA 49 dissector
f9a5bf580 WASSP: Don't add a NULL to a column
99e93e24b Protobuf: fix the bug about string format
2a0061e44 EVS: improve info column display
1196f214a EVS: add an option to force decoding as Header-Full format only
7f2006e74 ieee80211: Use FT_STRING for HS 2.0 OSU NAI
085cbd27e pcapng: ws_debug - display option code in decimal

Build host information:
Linux 5.4.0-131-generic #147-Ubuntu SMP Fri Oct 14 17:07:22 UTC 2022 x86_64
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04.1 LTS
Release:	22.04
Codename:	jammy

Command and args: /builds/wireshark/wireshark/_install/bin/tshark -2 --log-fatal-domains=UTF-8  -nVxr
Running as user "root" and group "root". This could be dangerous.
=================================================================
==10860==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e0000090a0 at pc 0x55f47b8c66d1 bp 0x7ffdbd189660 sp 0x7ffdbd188de8
READ of size 2569 at 0x61e0000090a0 thread T0
    #0 0x55f47b8c66d0 in printf_common(void*, char const*, __va_list_tag*) asan_interceptors.cpp.o
    #1 0x7efce7fefde8 in wmem_strdup_vprintf /builds/wireshark/wireshark/wsutil/wmem/wmem_strutl.c:98:18
    #2 0x7efcf2bda8f8 in proto_item_append_text /builds/wireshark/wireshark/epan/proto.c:7172:10
    #3 0x7efcf27f98c8 in dissect_x509af_SubjectName /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:169:3
    #4 0x7efcefbc7577 in dissect_ber_sequence /builds/wireshark/wireshark/epan/dissectors/packet-ber.c:2443:17
    #5 0x7efcf27f979e in dissect_x509af_T_signedCertificate /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:200:12
    #6 0x7efcefbc7577 in dissect_ber_sequence /builds/wireshark/wireshark/epan/dissectors/packet-ber.c:2443:17
    #7 0x7efcf27f6a0e in dissect_x509af_Certificate /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:227:12
    #8 0x7efcf1534cdb in ssl_dissect_hnd_cert /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c:9455:13
    #9 0x7efcf155d4a8 in dissect_tls_handshake_full /builds/wireshark/wireshark/epan/dissectors/packet-tls.c:2879:17
    #10 0x7efcf155b4c9 in dissect_tls_handshake /builds/wireshark/wireshark/epan/dissectors/packet-tls.c:2693:9
    #11 0x7efcf1556a55 in dissect_ssl3_record /builds/wireshark/wireshark/epan/dissectors/packet-tls.c:2198:13
    #12 0x7efcf15521ba in dissect_ssl /builds/wireshark/wireshark/epan/dissectors/packet-tls.c:767:26
    #13 0x7efcf2b51f2a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:822:9
    #14 0x7efcf2b46f85 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:920:9
    #15 0x7efcf2b4ebf0 in call_dissector_only /builds/wireshark/wireshark/epan/packet.c:3403:8
    #16 0x7efcf2b43354 in call_dissector_with_data /builds/wireshark/wireshark/epan/packet.c:3416:8
    #17 0x7efcf2b4ec31 in call_dissector /builds/wireshark/wireshark/epan/packet.c:3433:9
    #18 0x7efcf01fcc99 in dissect_eap /builds/wireshark/wireshark/epan/dissectors/packet-eap.c:2283:13
    #19 0x7efcf2b51f2a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:822:9
    #20 0x7efcf2b46f85 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:920:9
    #21 0x7efcf2b468c3 in dissector_try_uint_new /builds/wireshark/wireshark/epan/packet.c:1526:8
    #22 0x7efcf0204625 in dissect_eapol /builds/wireshark/wireshark/epan/dissectors/packet-eapol.c:132:8
    #23 0x7efcf2b51f2a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:822:9
    #24 0x7efcf2b46f85 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:920:9
    #25 0x7efcf2b468c3 in dissector_try_uint_new /builds/wireshark/wireshark/epan/packet.c:1526:8
    #26 0x7efcf2b47342 in dissector_try_uint /builds/wireshark/wireshark/epan/packet.c:1550:9
    #27 0x7efcf0288b63 in dissect_ethertype /builds/wireshark/wireshark/epan/dissectors/packet-ethertype.c:296:21
    #28 0x7efcf2b51f2a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:822:9
    #29 0x7efcf2b46f85 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:920:9
    #30 0x7efcf2b4ebf0 in call_dissector_only /builds/wireshark/wireshark/epan/packet.c:3403:8
    #31 0x7efcf2b43354 in call_dissector_with_data /builds/wireshark/wireshark/epan/packet.c:3416:8
    #32 0x7efcf02857a3 in dissect_eth_common /builds/wireshark/wireshark/epan/dissectors/packet-eth.c:595:5
    #33 0x7efcf02842f7 in dissect_eth /builds/wireshark/wireshark/epan/dissectors/packet-eth.c:901:5
    #34 0x7efcf2b51f2a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:822:9
    #35 0x7efcf2b46f85 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:920:9
    #36 0x7efcf2b4ebf0 in call_dissector_only /builds/wireshark/wireshark/epan/packet.c:3403:8
    #37 0x7efcf03272e9 in dissect_frame /builds/wireshark/wireshark/epan/dissectors/packet-frame.c:1018:6
    #38 0x7efcf2b51f2a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:822:9
    #39 0x7efcf2b46f85 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:920:9
    #40 0x7efcf2b4ebf0 in call_dissector_only /builds/wireshark/wireshark/epan/packet.c:3403:8
    #41 0x7efcf2b43354 in call_dissector_with_data /builds/wireshark/wireshark/epan/packet.c:3416:8
    #42 0x7efcf2b42b3a in dissect_record /builds/wireshark/wireshark/epan/packet.c:626:3
    #43 0x7efcf2b15f88 in epan_dissect_run_with_taps /builds/wireshark/wireshark/epan/epan.c:639:2
    #44 0x55f47b98e4c5 in process_packet_second_pass /builds/wireshark/wireshark/tshark.c:3272:9
    #45 0x55f47b98c5a9 in process_cap_file_second_pass /builds/wireshark/wireshark/tshark.c:3416:13
    #46 0x55f47b986b99 in process_cap_file /builds/wireshark/wireshark/tshark.c:3720:34
    #47 0x55f47b9803b8 in main /builds/wireshark/wireshark/tshark.c:2251:22
    #48 0x7efce7b95d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #49 0x7efce7b95e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #50 0x55f47b8a3664 in _start (/builds/wireshark/wireshark/_install/bin/tshark+0x4d664) (BuildId: bd28ea4146fd47b7a55e2cede8ba5cfb38ae4755)

0x61e000009aa8 is located 0 bytes to the right of 2600-byte region [0x61e000009080,0x61e000009aa8)
freed by thread T0 here:
    #0 0x55f47b928de2 in free (/builds/wireshark/wireshark/_install/bin/tshark+0xd2de2) (BuildId: bd28ea4146fd47b7a55e2cede8ba5cfb38ae4755)
    #1 0x7efce7fdbe43 in wmem_free /builds/wireshark/wireshark/wsutil/wmem/wmem_core.c:65:9
    #2 0x7efce7fe5181 in wmem_strict_free /builds/wireshark/wireshark/wsutil/wmem/wmem_allocator_strict.c:127:5
    #3 0x7efce7fe5215 in wmem_strict_free_all /builds/wireshark/wireshark/wsutil/wmem/wmem_allocator_strict.c:182:9
    #4 0x7efce7fdc17b in wmem_free_all_real /builds/wireshark/wireshark/wsutil/wmem/wmem_core.c:104:5
    #5 0x7efce7fdc0e6 in wmem_free_all /builds/wireshark/wireshark/wsutil/wmem/wmem_core.c:110:5
    #6 0x7efcf2b15d6b in epan_dissect_reset /builds/wireshark/wireshark/epan/epan.c:591:2
    #7 0x55f47b98e008 in process_packet_first_pass /builds/wireshark/wireshark/tshark.c:3078:9
    #8 0x55f47b98badd in process_cap_file_first_pass /builds/wireshark/wireshark/tshark.c:3185:13
    #9 0x55f47b986b19 in process_cap_file /builds/wireshark/wireshark/tshark.c:3701:29
    #10 0x55f47b9803b8 in main /builds/wireshark/wireshark/tshark.c:2251:22
    #11 0x7efce7b95d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)

previously allocated by thread T0 here:
    #0 0x55f47b92908e in malloc (/builds/wireshark/wireshark/_install/bin/tshark+0xd308e) (BuildId: bd28ea4146fd47b7a55e2cede8ba5cfb38ae4755)
    #1 0x7efce7ee2718 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5e718) (BuildId: 0ab0b740e34eeb0c84656ba53737f4c440dfbed4)
    #2 0x7efce7fe4abf in wmem_strict_alloc /builds/wireshark/wireshark/wsutil/wmem/wmem_allocator_strict.c:81:46
    #3 0x7efce7fdbdbd in wmem_alloc /builds/wireshark/wireshark/wsutil/wmem/wmem_core.c:44:12
    #4 0x7efcf2802e8c in dissect_x509if_RDNSequence /builds/wireshark/wireshark/build/./asn1/x509if/x509if.cnf:375:21
    #5 0x7efcefbcabf5 in dissect_ber_choice /builds/wireshark/wireshark/epan/dissectors/packet-ber.c:2958:21
    #6 0x7efcf28030b1 in dissect_x509if_Name /builds/wireshark/wireshark/build/./asn1/x509if/x509if.cnf:412:12
    #7 0x7efcefbc7577 in dissect_ber_sequence /builds/wireshark/wireshark/epan/dissectors/packet-ber.c:2443:17
    #8 0x7efcf27f979e in dissect_x509af_T_signedCertificate /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:200:12
    #9 0x7efcefbc7577 in dissect_ber_sequence /builds/wireshark/wireshark/epan/dissectors/packet-ber.c:2443:17
    #10 0x7efcf27f6a0e in dissect_x509af_Certificate /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:227:12
    #11 0x7efcf1534cdb in ssl_dissect_hnd_cert /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c:9455:13
    #12 0x7efcf155d4a8 in dissect_tls_handshake_full /builds/wireshark/wireshark/epan/dissectors/packet-tls.c:2879:17
    #13 0x7efcf155b4c9 in dissect_tls_handshake /builds/wireshark/wireshark/epan/dissectors/packet-tls.c:2693:9
    #14 0x7efcf1556a55 in dissect_ssl3_record /builds/wireshark/wireshark/epan/dissectors/packet-tls.c:2198:13
    #15 0x7efcf15521ba in dissect_ssl /builds/wireshark/wireshark/epan/dissectors/packet-tls.c:767:26
    #16 0x7efcf2b51f2a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:822:9
    #17 0x7efcf2b46f85 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:920:9
    #18 0x7efcf2b4ebf0 in call_dissector_only /builds/wireshark/wireshark/epan/packet.c:3403:8
    #19 0x7efcf2b43354 in call_dissector_with_data /builds/wireshark/wireshark/epan/packet.c:3416:8
    #20 0x7efcf2b4ec31 in call_dissector /builds/wireshark/wireshark/epan/packet.c:3433:9
    #21 0x7efcf01fcc99 in dissect_eap /builds/wireshark/wireshark/epan/dissectors/packet-eap.c:2283:13
    #22 0x7efcf2b51f2a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:822:9
    #23 0x7efcf2b46f85 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:920:9
    #24 0x7efcf2b468c3 in dissector_try_uint_new /builds/wireshark/wireshark/epan/packet.c:1526:8
    #25 0x7efcf0204625 in dissect_eapol /builds/wireshark/wireshark/epan/dissectors/packet-eapol.c:132:8
    #26 0x7efcf2b51f2a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:822:9
    #27 0x7efcf2b46f85 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:920:9
    #28 0x7efcf2b468c3 in dissector_try_uint_new /builds/wireshark/wireshark/epan/packet.c:1526:8
    #29 0x7efcf2b47342 in dissector_try_uint /builds/wireshark/wireshark/epan/packet.c:1550:9

SUMMARY: AddressSanitizer: heap-use-after-free asan_interceptors.cpp.o in printf_common(void*, char const*, __va_list_tag*)
Shadow bytes around the buggy address:
  0x0c3c7fff91c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff91d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff91e0: 04 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff91f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff9200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3c7fff9210: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c7fff9220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c7fff9230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c7fff9240: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c7fff9250: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c7fff9260: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10860==ABORTING

fuzz-test.sh stderr:
Running as user "root" and group "root". This could be dangerous.

no debug trace
