Fuzz job crash output: fuzz-2022-11-11-7078.pcap
Problems have been found with the following capture file:
https://www.wireshark.org/download/automated/captures/fuzz-2022-11-11-7078.pcap.gz
stderr:
Branch: master
Input file: /var/menagerie/menagerie/merge-request-6838-dump.pcap
CI job name: ASan Menagerie Fuzz, ID: 3307674414
CI job URL: https://gitlab.com/wireshark/wireshark/-/jobs/3307674414
Return value: 0
Dissector bug: 0
Date and time: Fri Nov 11 00:39:26 UTC 2022
Commits in the last 48 hours:
91279eb90 Qt: Add GeoIP latitude and longitude to Endpoints table
1e6f26adb wslua: init.lua - superuser logic; typeof() call on non-table
b032a40fd IEEE 802.11: random addresses in conversations and endpoints
c34223ad6 VRT: add context packet support to VITA 49 dissector
f9a5bf580 WASSP: Don't add a NULL to a column
99e93e24b Protobuf: fix the bug about string format
2a0061e44 EVS: improve info column display
1196f214a EVS: add an option to force decoding as Header-Full format only
7f2006e74 ieee80211: Use FT_STRING for HS 2.0 OSU NAI
085cbd27e pcapng: ws_debug - display option code in decimal
Build host information:
Linux 5.4.0-131-generic #147-Ubuntu SMP Fri Oct 14 17:07:22 UTC 2022 x86_64
Distributor ID: Ubuntu
Description: Ubuntu 22.04.1 LTS
Release: 22.04
Codename: jammy
Command and args: /builds/wireshark/wireshark/_install/bin/tshark -2 --log-fatal-domains=UTF-8 -nVxr
Running as user "root" and group "root". This could be dangerous.
=================================================================
==10860==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e0000090a0 at pc 0x55f47b8c66d1 bp 0x7ffdbd189660 sp 0x7ffdbd188de8
READ of size 2569 at 0x61e0000090a0 thread T0
#0 0x55f47b8c66d0 in printf_common(void*, char const*, __va_list_tag*) asan_interceptors.cpp.o
#1 0x7efce7fefde8 in wmem_strdup_vprintf /builds/wireshark/wireshark/wsutil/wmem/wmem_strutl.c:98:18
#2 0x7efcf2bda8f8 in proto_item_append_text /builds/wireshark/wireshark/epan/proto.c:7172:10
#3 0x7efcf27f98c8 in dissect_x509af_SubjectName /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:169:3
#4 0x7efcefbc7577 in dissect_ber_sequence /builds/wireshark/wireshark/epan/dissectors/packet-ber.c:2443:17
#5 0x7efcf27f979e in dissect_x509af_T_signedCertificate /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:200:12
#6 0x7efcefbc7577 in dissect_ber_sequence /builds/wireshark/wireshark/epan/dissectors/packet-ber.c:2443:17
#7 0x7efcf27f6a0e in dissect_x509af_Certificate /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:227:12
#8 0x7efcf1534cdb in ssl_dissect_hnd_cert /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c:9455:13
#9 0x7efcf155d4a8 in dissect_tls_handshake_full /builds/wireshark/wireshark/epan/dissectors/packet-tls.c:2879:17
#10 0x7efcf155b4c9 in dissect_tls_handshake /builds/wireshark/wireshark/epan/dissectors/packet-tls.c:2693:9
#11 0x7efcf1556a55 in dissect_ssl3_record /builds/wireshark/wireshark/epan/dissectors/packet-tls.c:2198:13
#12 0x7efcf15521ba in dissect_ssl /builds/wireshark/wireshark/epan/dissectors/packet-tls.c:767:26
#13 0x7efcf2b51f2a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:822:9
#14 0x7efcf2b46f85 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:920:9
#15 0x7efcf2b4ebf0 in call_dissector_only /builds/wireshark/wireshark/epan/packet.c:3403:8
#16 0x7efcf2b43354 in call_dissector_with_data /builds/wireshark/wireshark/epan/packet.c:3416:8
#17 0x7efcf2b4ec31 in call_dissector /builds/wireshark/wireshark/epan/packet.c:3433:9
#18 0x7efcf01fcc99 in dissect_eap /builds/wireshark/wireshark/epan/dissectors/packet-eap.c:2283:13
#19 0x7efcf2b51f2a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:822:9
#20 0x7efcf2b46f85 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:920:9
#21 0x7efcf2b468c3 in dissector_try_uint_new /builds/wireshark/wireshark/epan/packet.c:1526:8
#22 0x7efcf0204625 in dissect_eapol /builds/wireshark/wireshark/epan/dissectors/packet-eapol.c:132:8
#23 0x7efcf2b51f2a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:822:9
#24 0x7efcf2b46f85 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:920:9
#25 0x7efcf2b468c3 in dissector_try_uint_new /builds/wireshark/wireshark/epan/packet.c:1526:8
#26 0x7efcf2b47342 in dissector_try_uint /builds/wireshark/wireshark/epan/packet.c:1550:9
#27 0x7efcf0288b63 in dissect_ethertype /builds/wireshark/wireshark/epan/dissectors/packet-ethertype.c:296:21
#28 0x7efcf2b51f2a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:822:9
#29 0x7efcf2b46f85 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:920:9
#30 0x7efcf2b4ebf0 in call_dissector_only /builds/wireshark/wireshark/epan/packet.c:3403:8
#31 0x7efcf2b43354 in call_dissector_with_data /builds/wireshark/wireshark/epan/packet.c:3416:8
#32 0x7efcf02857a3 in dissect_eth_common /builds/wireshark/wireshark/epan/dissectors/packet-eth.c:595:5
#33 0x7efcf02842f7 in dissect_eth /builds/wireshark/wireshark/epan/dissectors/packet-eth.c:901:5
#34 0x7efcf2b51f2a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:822:9
#35 0x7efcf2b46f85 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:920:9
#36 0x7efcf2b4ebf0 in call_dissector_only /builds/wireshark/wireshark/epan/packet.c:3403:8
#37 0x7efcf03272e9 in dissect_frame /builds/wireshark/wireshark/epan/dissectors/packet-frame.c:1018:6
#38 0x7efcf2b51f2a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:822:9
#39 0x7efcf2b46f85 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:920:9
#40 0x7efcf2b4ebf0 in call_dissector_only /builds/wireshark/wireshark/epan/packet.c:3403:8
#41 0x7efcf2b43354 in call_dissector_with_data /builds/wireshark/wireshark/epan/packet.c:3416:8
#42 0x7efcf2b42b3a in dissect_record /builds/wireshark/wireshark/epan/packet.c:626:3
#43 0x7efcf2b15f88 in epan_dissect_run_with_taps /builds/wireshark/wireshark/epan/epan.c:639:2
#44 0x55f47b98e4c5 in process_packet_second_pass /builds/wireshark/wireshark/tshark.c:3272:9
#45 0x55f47b98c5a9 in process_cap_file_second_pass /builds/wireshark/wireshark/tshark.c:3416:13
#46 0x55f47b986b99 in process_cap_file /builds/wireshark/wireshark/tshark.c:3720:34
#47 0x55f47b9803b8 in main /builds/wireshark/wireshark/tshark.c:2251:22
#48 0x7efce7b95d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#49 0x7efce7b95e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#50 0x55f47b8a3664 in _start (/builds/wireshark/wireshark/_install/bin/tshark+0x4d664) (BuildId: bd28ea4146fd47b7a55e2cede8ba5cfb38ae4755)
0x61e000009aa8 is located 0 bytes to the right of 2600-byte region [0x61e000009080,0x61e000009aa8)
freed by thread T0 here:
#0 0x55f47b928de2 in free (/builds/wireshark/wireshark/_install/bin/tshark+0xd2de2) (BuildId: bd28ea4146fd47b7a55e2cede8ba5cfb38ae4755)
#1 0x7efce7fdbe43 in wmem_free /builds/wireshark/wireshark/wsutil/wmem/wmem_core.c:65:9
#2 0x7efce7fe5181 in wmem_strict_free /builds/wireshark/wireshark/wsutil/wmem/wmem_allocator_strict.c:127:5
#3 0x7efce7fe5215 in wmem_strict_free_all /builds/wireshark/wireshark/wsutil/wmem/wmem_allocator_strict.c:182:9
#4 0x7efce7fdc17b in wmem_free_all_real /builds/wireshark/wireshark/wsutil/wmem/wmem_core.c:104:5
#5 0x7efce7fdc0e6 in wmem_free_all /builds/wireshark/wireshark/wsutil/wmem/wmem_core.c:110:5
#6 0x7efcf2b15d6b in epan_dissect_reset /builds/wireshark/wireshark/epan/epan.c:591:2
#7 0x55f47b98e008 in process_packet_first_pass /builds/wireshark/wireshark/tshark.c:3078:9
#8 0x55f47b98badd in process_cap_file_first_pass /builds/wireshark/wireshark/tshark.c:3185:13
#9 0x55f47b986b19 in process_cap_file /builds/wireshark/wireshark/tshark.c:3701:29
#10 0x55f47b9803b8 in main /builds/wireshark/wireshark/tshark.c:2251:22
#11 0x7efce7b95d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
previously allocated by thread T0 here:
#0 0x55f47b92908e in malloc (/builds/wireshark/wireshark/_install/bin/tshark+0xd308e) (BuildId: bd28ea4146fd47b7a55e2cede8ba5cfb38ae4755)
#1 0x7efce7ee2718 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5e718) (BuildId: 0ab0b740e34eeb0c84656ba53737f4c440dfbed4)
#2 0x7efce7fe4abf in wmem_strict_alloc /builds/wireshark/wireshark/wsutil/wmem/wmem_allocator_strict.c:81:46
#3 0x7efce7fdbdbd in wmem_alloc /builds/wireshark/wireshark/wsutil/wmem/wmem_core.c:44:12
#4 0x7efcf2802e8c in dissect_x509if_RDNSequence /builds/wireshark/wireshark/build/./asn1/x509if/x509if.cnf:375:21
#5 0x7efcefbcabf5 in dissect_ber_choice /builds/wireshark/wireshark/epan/dissectors/packet-ber.c:2958:21
#6 0x7efcf28030b1 in dissect_x509if_Name /builds/wireshark/wireshark/build/./asn1/x509if/x509if.cnf:412:12
#7 0x7efcefbc7577 in dissect_ber_sequence /builds/wireshark/wireshark/epan/dissectors/packet-ber.c:2443:17
#8 0x7efcf27f979e in dissect_x509af_T_signedCertificate /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:200:12
#9 0x7efcefbc7577 in dissect_ber_sequence /builds/wireshark/wireshark/epan/dissectors/packet-ber.c:2443:17
#10 0x7efcf27f6a0e in dissect_x509af_Certificate /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:227:12
#11 0x7efcf1534cdb in ssl_dissect_hnd_cert /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c:9455:13
#12 0x7efcf155d4a8 in dissect_tls_handshake_full /builds/wireshark/wireshark/epan/dissectors/packet-tls.c:2879:17
#13 0x7efcf155b4c9 in dissect_tls_handshake /builds/wireshark/wireshark/epan/dissectors/packet-tls.c:2693:9
#14 0x7efcf1556a55 in dissect_ssl3_record /builds/wireshark/wireshark/epan/dissectors/packet-tls.c:2198:13
#15 0x7efcf15521ba in dissect_ssl /builds/wireshark/wireshark/epan/dissectors/packet-tls.c:767:26
#16 0x7efcf2b51f2a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:822:9
#17 0x7efcf2b46f85 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:920:9
#18 0x7efcf2b4ebf0 in call_dissector_only /builds/wireshark/wireshark/epan/packet.c:3403:8
#19 0x7efcf2b43354 in call_dissector_with_data /builds/wireshark/wireshark/epan/packet.c:3416:8
#20 0x7efcf2b4ec31 in call_dissector /builds/wireshark/wireshark/epan/packet.c:3433:9
#21 0x7efcf01fcc99 in dissect_eap /builds/wireshark/wireshark/epan/dissectors/packet-eap.c:2283:13
#22 0x7efcf2b51f2a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:822:9
#23 0x7efcf2b46f85 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:920:9
#24 0x7efcf2b468c3 in dissector_try_uint_new /builds/wireshark/wireshark/epan/packet.c:1526:8
#25 0x7efcf0204625 in dissect_eapol /builds/wireshark/wireshark/epan/dissectors/packet-eapol.c:132:8
#26 0x7efcf2b51f2a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:822:9
#27 0x7efcf2b46f85 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:920:9
#28 0x7efcf2b468c3 in dissector_try_uint_new /builds/wireshark/wireshark/epan/packet.c:1526:8
#29 0x7efcf2b47342 in dissector_try_uint /builds/wireshark/wireshark/epan/packet.c:1550:9
SUMMARY: AddressSanitizer: heap-use-after-free asan_interceptors.cpp.o in printf_common(void*, char const*, __va_list_tag*)
Shadow bytes around the buggy address:
0x0c3c7fff91c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff91d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff91e0: 04 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff91f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff9200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3c7fff9210: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
0x0c3c7fff9220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3c7fff9230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3c7fff9240: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3c7fff9250: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3c7fff9260: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==10860==ABORTING
fuzz-test.sh stderr:
Running as user "root" and group "root". This could be dangerous.
no debug trace