Fuzz job crash output: fuzz-2023-05-26-6880.pcap
Problems have been found with the following capture file:
https://www.wireshark.org/download/automated/captures/fuzz-2023-05-26-6880.pcap.gz
stderr:
Branch: release-3.6
Input file: /var/menagerie/menagerie/dump.kafka.produce.snappy.pcap
CI job name: ASan Menagerie Fuzz, ID: 4353356392
CI job URL: https://gitlab.com/wireshark/wireshark/-/jobs/4353356392
Return value: 0
Dissector bug: 0
Date and time: Fri May 26 02:49:44 UTC 2023
Commits in the last 48 hours:
20404b96816 GitLab CI: Allow API pipeline builds
395040cba10 Version: 3.6.14 → 3.6.15
83f40263b97 Build: 3.6.14
fc3cfd37a7b QUIC: Don't include data from other streams in Follow tap
461a1736d2f XRA: Fix an infinite loop
Build host information:
Linux 5.19.0-42-generic #43~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Apr 21 16:51:08 UTC 2 x86_64
Distributor ID: Ubuntu
Description: Ubuntu 22.04.2 LTS
Release: 22.04
Codename: jammy
Command and args: /builds/wireshark/wireshark/_install/bin/tshark -2 -nVxr
Running as user "root" and group "root". This could be dangerous.
=================================================================
==93565==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000121ce0 at pc 0x7f4ea650851d bp 0x7ffc9e8c10a0 sp 0x7ffc9e8c1098
READ of size 1 at 0x60c000121ce0 thread T0
#0 0x7f4ea650851c in tvb_get_guint8 /builds/wireshark/wireshark/epan/tvbuff.c:1027:9
#1 0x7f4ea6516256 in tvb_get_varint /builds/wireshark/wireshark/epan/tvbuff.c:4596:8
#2 0x7f4ea42a9bd9 in dissect_kafka_record /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:1562:11
#3 0x7f4ea42a6cea in dissect_kafka_message_new /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:2097:35
#4 0x7f4ea42a5793 in dissect_kafka_message /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:2130:16
#5 0x7f4ea42a558e in dissect_kafka_message_set /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:2148:18
#6 0x7f4ea42a51ee in dissect_kafka_produce_request_partition /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:3517:18
#7 0x7f4ea42a3dc3 in dissect_kafka_array_elements /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:942:18
#8 0x7f4ea42a4fa5 in dissect_kafka_regular_array /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:967:14
#9 0x7f4ea42a478e in dissect_kafka_array /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:1022:16
#10 0x7f4ea42a4990 in dissect_kafka_produce_request_topic /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:3538:14
#11 0x7f4ea42a3dc3 in dissect_kafka_array_elements /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:942:18
#12 0x7f4ea42a4fa5 in dissect_kafka_regular_array /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:967:14
#13 0x7f4ea42a478e in dissect_kafka_array /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:1022:16
#14 0x7f4ea4296d72 in dissect_kafka_produce_request /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:3562:14
#15 0x7f4ea42917cd in dissect_kafka /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:8974:26
#16 0x7f4ea4e57234 in tcp_dissect_pdus /builds/wireshark/wireshark/epan/dissectors/packet-tcp.c:4308:13
#17 0x7f4ea4290c5e in dissect_kafka_tcp /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:9365:5
#18 0x7f4ea63fa95a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:757:9
#19 0x7f4ea63f02e3 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:850:9
#20 0x7f4ea63efc73 in dissector_try_uint_new /builds/wireshark/wireshark/epan/packet.c:1450:8
#21 0x7f4ea4e58479 in decode_tcp_ports /builds/wireshark/wireshark/epan/dissectors/packet-tcp.c:6425:9
#22 0x7f4ea4e5e963 in process_tcp_payload /builds/wireshark/wireshark/epan/dissectors/packet-tcp.c:6494:13
#23 0x7f4ea4e5c349 in desegment_tcp /builds/wireshark/wireshark/epan/dissectors/packet-tcp.c:3776:9
#24 0x7f4ea4e5a131 in dissect_tcp_payload /builds/wireshark/wireshark/epan/dissectors/packet-tcp.c:6567:9
#25 0x7f4ea4e6bd64 in dissect_tcp /builds/wireshark/wireshark/epan/dissectors/packet-tcp.c:7582:17
#26 0x7f4ea63fa95a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:757:9
#27 0x7f4ea63f02e3 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:850:9
#28 0x7f4ea63efc73 in dissector_try_uint_new /builds/wireshark/wireshark/epan/packet.c:1450:8
#29 0x7f4ea416545e in ip_try_dissect /builds/wireshark/wireshark/epan/dissectors/packet-ip.c:1817:7
#30 0x7f4ea416a742 in dissect_ip_v4 /builds/wireshark/wireshark/epan/dissectors/packet-ip.c:2307:10
#31 0x7f4ea4165ccd in dissect_ip /builds/wireshark/wireshark/epan/dissectors/packet-ip.c:2331:12
#32 0x7f4ea63fa95a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:757:9
#33 0x7f4ea63f02e3 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:850:9
#34 0x7f4ea63efc73 in dissector_try_uint_new /builds/wireshark/wireshark/epan/packet.c:1450:8
#35 0x7f4ea63f0682 in dissector_try_uint /builds/wireshark/wireshark/epan/packet.c:1474:9
#36 0x7f4ea46f7a43 in dissect_null /builds/wireshark/wireshark/epan/dissectors/packet-null.c:411:12
#37 0x7f4ea63fa95a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:757:9
#38 0x7f4ea63f02e3 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:850:9
#39 0x7f4ea63f7510 in call_dissector_only /builds/wireshark/wireshark/epan/packet.c:3270:8
#40 0x7f4ea3dd0bbe in dissect_frame /builds/wireshark/wireshark/epan/dissectors/packet-frame.c:935:6
#41 0x7f4ea63fa95a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:757:9
#42 0x7f4ea63f02e3 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:850:9
#43 0x7f4ea63f7510 in call_dissector_only /builds/wireshark/wireshark/epan/packet.c:3270:8
#44 0x7f4ea63ec734 in call_dissector_with_data /builds/wireshark/wireshark/epan/packet.c:3283:8
#45 0x7f4ea63ebf10 in dissect_record /builds/wireshark/wireshark/epan/packet.c:624:3
#46 0x7f4ea63bf988 in epan_dissect_run /builds/wireshark/wireshark/epan/epan.c:614:2
#47 0x5645c8f0b05f in process_packet_first_pass /builds/wireshark/wireshark/tshark.c:3037:5
#48 0x5645c8f0926d in process_cap_file_first_pass /builds/wireshark/wireshark/tshark.c:3174:9
#49 0x5645c8f04050 in process_cap_file /builds/wireshark/wireshark/tshark.c:3653:25
#50 0x5645c8efe0ee in main /builds/wireshark/wireshark/tshark.c:2112:16
#51 0x7f4e9bff4d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#52 0x7f4e9bff4e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#53 0x5645c8e174f4 in _start (/builds/wireshark/wireshark/_install/bin/tshark+0x4b4f4) (BuildId: ac2afcaeb2c390aa9f8dc344867e568db12e21c3)
0x60c000121ce0 is located 32 bytes inside of 120-byte region [0x60c000121cc0,0x60c000121d38)
freed by thread T0 here:
#0 0x5645c8e9cc72 in free (/builds/wireshark/wireshark/_install/bin/tshark+0xd0c72) (BuildId: ac2afcaeb2c390aa9f8dc344867e568db12e21c3)
#1 0x7f4e9c382b03 in wmem_free /builds/wireshark/wireshark/wsutil/wmem/wmem_core.c:65:9
#2 0x7f4e9c38be41 in wmem_strict_free /builds/wireshark/wireshark/wsutil/wmem/wmem_allocator_strict.c:127:5
#3 0x7f4e9c382c05 in wmem_free /builds/wireshark/wireshark/wsutil/wmem/wmem_core.c:75:5
#4 0x7f4ea42a79f6 in decompress_snappy /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:1785:13
#5 0x7f4ea42a7408 in decompress /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:1907:20
#6 0x7f4ea42a6a66 in dissect_kafka_message_new /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:2091:9
#7 0x7f4ea42a5793 in dissect_kafka_message /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:2130:16
#8 0x7f4ea42a558e in dissect_kafka_message_set /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:2148:18
#9 0x7f4ea42a51ee in dissect_kafka_produce_request_partition /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:3517:18
#10 0x7f4ea42a3dc3 in dissect_kafka_array_elements /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:942:18
#11 0x7f4ea42a4fa5 in dissect_kafka_regular_array /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:967:14
#12 0x7f4ea42a478e in dissect_kafka_array /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:1022:16
#13 0x7f4ea42a4990 in dissect_kafka_produce_request_topic /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:3538:14
#14 0x7f4ea42a3dc3 in dissect_kafka_array_elements /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:942:18
#15 0x7f4ea42a4fa5 in dissect_kafka_regular_array /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:967:14
#16 0x7f4ea42a478e in dissect_kafka_array /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:1022:16
#17 0x7f4ea4296d72 in dissect_kafka_produce_request /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:3562:14
#18 0x7f4ea42917cd in dissect_kafka /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:8974:26
#19 0x7f4ea4e57234 in tcp_dissect_pdus /builds/wireshark/wireshark/epan/dissectors/packet-tcp.c:4308:13
#20 0x7f4ea4290c5e in dissect_kafka_tcp /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:9365:5
#21 0x7f4ea63fa95a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:757:9
#22 0x7f4ea63f02e3 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:850:9
#23 0x7f4ea63efc73 in dissector_try_uint_new /builds/wireshark/wireshark/epan/packet.c:1450:8
#24 0x7f4ea4e58479 in decode_tcp_ports /builds/wireshark/wireshark/epan/dissectors/packet-tcp.c:6425:9
#25 0x7f4ea4e5e963 in process_tcp_payload /builds/wireshark/wireshark/epan/dissectors/packet-tcp.c:6494:13
#26 0x7f4ea4e5c349 in desegment_tcp /builds/wireshark/wireshark/epan/dissectors/packet-tcp.c:3776:9
#27 0x7f4ea4e5a131 in dissect_tcp_payload /builds/wireshark/wireshark/epan/dissectors/packet-tcp.c:6567:9
#28 0x7f4ea4e6bd64 in dissect_tcp /builds/wireshark/wireshark/epan/dissectors/packet-tcp.c:7582:17
#29 0x7f4ea63fa95a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:757:9
previously allocated by thread T0 here:
#0 0x5645c8e9cf1e in malloc (/builds/wireshark/wireshark/_install/bin/tshark+0xd0f1e) (BuildId: ac2afcaeb2c390aa9f8dc344867e568db12e21c3)
#1 0x7f4e9c28d738 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5e738) (BuildId: 137458a0f7846a084270bf5bb03df075a578db6d)
#2 0x7f4e9c38b77f in wmem_strict_alloc /builds/wireshark/wireshark/wsutil/wmem/wmem_allocator_strict.c:81:46
#3 0x7f4e9c382a7d in wmem_alloc /builds/wireshark/wireshark/wsutil/wmem/wmem_core.c:44:12
#4 0x7f4ea42a78ae in decompress_snappy /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:1773:52
#5 0x7f4ea42a7408 in decompress /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:1907:20
#6 0x7f4ea42a6a66 in dissect_kafka_message_new /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:2091:9
#7 0x7f4ea42a5793 in dissect_kafka_message /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:2130:16
#8 0x7f4ea42a558e in dissect_kafka_message_set /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:2148:18
#9 0x7f4ea42a51ee in dissect_kafka_produce_request_partition /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:3517:18
#10 0x7f4ea42a3dc3 in dissect_kafka_array_elements /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:942:18
#11 0x7f4ea42a4fa5 in dissect_kafka_regular_array /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:967:14
#12 0x7f4ea42a478e in dissect_kafka_array /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:1022:16
#13 0x7f4ea42a4990 in dissect_kafka_produce_request_topic /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:3538:14
#14 0x7f4ea42a3dc3 in dissect_kafka_array_elements /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:942:18
#15 0x7f4ea42a4fa5 in dissect_kafka_regular_array /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:967:14
#16 0x7f4ea42a478e in dissect_kafka_array /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:1022:16
#17 0x7f4ea4296d72 in dissect_kafka_produce_request /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:3562:14
#18 0x7f4ea42917cd in dissect_kafka /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:8974:26
#19 0x7f4ea4e57234 in tcp_dissect_pdus /builds/wireshark/wireshark/epan/dissectors/packet-tcp.c:4308:13
#20 0x7f4ea4290c5e in dissect_kafka_tcp /builds/wireshark/wireshark/epan/dissectors/packet-kafka.c:9365:5
#21 0x7f4ea63fa95a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:757:9
#22 0x7f4ea63f02e3 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:850:9
#23 0x7f4ea63efc73 in dissector_try_uint_new /builds/wireshark/wireshark/epan/packet.c:1450:8
#24 0x7f4ea4e58479 in decode_tcp_ports /builds/wireshark/wireshark/epan/dissectors/packet-tcp.c:6425:9
#25 0x7f4ea4e5e963 in process_tcp_payload /builds/wireshark/wireshark/epan/dissectors/packet-tcp.c:6494:13
#26 0x7f4ea4e5c349 in desegment_tcp /builds/wireshark/wireshark/epan/dissectors/packet-tcp.c:3776:9
#27 0x7f4ea4e5a131 in dissect_tcp_payload /builds/wireshark/wireshark/epan/dissectors/packet-tcp.c:6567:9
#28 0x7f4ea4e6bd64 in dissect_tcp /builds/wireshark/wireshark/epan/dissectors/packet-tcp.c:7582:17
#29 0x7f4ea63fa95a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:757:9
SUMMARY: AddressSanitizer: heap-use-after-free /builds/wireshark/wireshark/epan/tvbuff.c:1027:9 in tvb_get_guint8
Shadow bytes around the buggy address:
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==93565==ABORTING
fuzz-test.sh stderr:
Running as user "root" and group "root". This could be dangerous.
no debug trace