cr09philip / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Wireshark static out-of-bounds read in dissect_zcl_pwr_prof_pwrprofstatersp #661

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The following crash due to a static out-of-bounds read can be observed in an 
ASAN build of Wireshark (current git master), by feeding a malformed file to 
tshark ("$ ./tshark -nVxr /path/to/file"):

--- cut ---
==7849==ERROR: AddressSanitizer: global-buffer-overflow on address 
0x7f8e33764094 at pc 0x7f8e29788726 bp 0x7ffe27806640 sp 0x7ffe27806638
READ of size 4 at 0x7f8e33764094 thread T0
    #0 0x7f8e29788725 in dissect_zcl_pwr_prof_pwrprofstatersp wireshark/epan/dissectors/packet-zbee-zcl-general.c:3847:21
    #1 0x7f8e2977f2be in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:3494:21
    #2 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #3 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
    #4 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #5 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #6 0x7f8e297738ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13
    #7 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #8 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
    #9 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #10 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #11 0x7f8e2974de40 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1029:21
    #12 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #13 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
    #14 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #15 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #16 0x7f8e29757897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9
    #17 0x7f8e297518aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9
    #18 0x7f8e29752ef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5
    #19 0x7f8e271ab417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7
    #20 0x7f8e2826863b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17
    #21 0x7f8e2825e35e in dissect_ieee802154 wireshark/epan/dissectors/packet-ieee802154.c:561:5
    #22 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #23 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
    #24 0x7f8e271a2dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #25 0x7f8e27eb25f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
    #26 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #27 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
    #28 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #29 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #30 0x7f8e2719e33b in dissect_record wireshark/epan/packet.c:501:3
    #31 0x7f8e2714c3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
    #32 0x5264eb in process_packet wireshark/tshark.c:3728:5
    #33 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
    #34 0x515daf in main wireshark/tshark.c:2197:13

0x7f8e33764094 is located 44 bytes to the left of global variable 
'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:3329:13' 
(0x7f8e337640c0) of size 64
0x7f8e33764094 is located 0 bytes to the right of global variable 
'ett_zbee_zcl_pwr_prof_pwrprofiles' defined in 
'packet-zbee-zcl-general.c:3328:13' (0x7f8e33764080) of size 20
SUMMARY: AddressSanitizer: global-buffer-overflow 
wireshark/epan/dissectors/packet-zbee-zcl-general.c:3847:21 in 
dissect_zcl_pwr_prof_pwrprofstatersp
Shadow bytes around the buggy address:
  0x0ff2466e47c0: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
  0x0ff2466e47d0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ff2466e47e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0ff2466e47f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2466e4800: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
=>0x0ff2466e4810: 00 00[04]f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ff2466e4820: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2466e4830: 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff2466e4840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2466e4850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2466e4860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7849==ABORTING
--- cut ---

The crash was reported at 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11830. Attached are three 
files which trigger the crash.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without 
a broadly available patch, then the bug report will automatically become 
visible to the public.

Original issue reported on code.google.com by mjurc...@google.com on 30 Nov 2015 at 4:40

Attachments:

GoogleCodeExporter commented 8 years ago
Update: there is also a similar crash due to out-of-bounds access to the global 
"ett_zbee_zcl_pwr_prof_enphases" array, see the report below.

Attached is a file which triggers the crash.

--- cut ---
==8228==ERROR: AddressSanitizer: global-buffer-overflow on address 
0x7f0d4f321100 at pc 0x7f0d45344cd5 bp 0x7fff69e4e4a0 sp 0x7fff69e4e498
READ of size 4 at 0x7f0d4f321100 thread T0
    #0 0x7f0d45344cd4 in dissect_zcl_pwr_prof_enphsschednotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:3685:25
    #1 0x7f0d4533bd04 in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:3463:21
    #2 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #3 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
    #4 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #5 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #6 0x7f0d453308ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13
    #7 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #8 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
    #9 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #10 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #11 0x7f0d4530b750 in dissect_zbee_apf wireshark/epan/dissectors/packet-zbee-aps.c:1680:9
    #12 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #13 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
    #14 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #15 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #16 0x7f0d4530aee1 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1033:13
    #17 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #18 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
    #19 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #20 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #21 0x7f0d45314897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9
    #22 0x7f0d4530e8aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9
    #23 0x7f0d4530fef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5
    #24 0x7f0d42d68417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7
    #25 0x7f0d43e2563b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17
    #26 0x7f0d43e1b40a in dissect_ieee802154_nofcs wireshark/epan/dissectors/packet-ieee802154.c:594:5
    #27 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #28 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
    #29 0x7f0d42d5fdbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #30 0x7f0d43a6f5f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
    #31 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #32 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
    #33 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #34 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #35 0x7f0d42d5b33b in dissect_record wireshark/epan/packet.c:501:3
    #36 0x7f0d42d093c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
    #37 0x5264eb in process_packet wireshark/tshark.c:3728:5
    #38 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
    #39 0x515daf in main wireshark/tshark.c:2197:13

0x7f0d4f321100 is located 32 bytes to the left of global variable 
'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:4460:13' 
(0x7f0d4f321120) of size 128
0x7f0d4f321100 is located 0 bytes to the right of global variable 
'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:3329:13' 
(0x7f0d4f3210c0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow 
wireshark/epan/dissectors/packet-zbee-zcl-general.c:3685:25 in 
dissect_zcl_pwr_prof_enphsschednotif
Shadow bytes around the buggy address:
  0x0fe229e5c1d0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0fe229e5c1e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0fe229e5c1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe229e5c200: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x0fe229e5c210: 00 00 04 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x0fe229e5c220:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe229e5c230: 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0fe229e5c240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe229e5c250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe229e5c260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe229e5c270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8228==ABORTING
--- cut ---

Original comment by mjurc...@google.com on 30 Nov 2015 at 4:48

Attachments:

GoogleCodeExporter commented 8 years ago
Furthermore, there is yet another similar condition in a somewhat related area 
of code, see the attached file and report below:

--- cut ---
==8856==ERROR: AddressSanitizer: global-buffer-overflow on address 
0x7f148fad2900 at pc 0x7f1485afc15d bp 0x7ffd41dc3de0 sp 0x7ffd41dc3dd8
READ of size 4 at 0x7f148fad2900 thread T0
    #0 0x7f1485afc15c in dissect_zcl_appl_evtalt_get_alerts_rsp wireshark/epan/dissectors/packet-zbee-zcl-ha.c:889:21
    #1 0x7f1485afab0f in dissect_zbee_zcl_appl_evtalt wireshark/epan/dissectors/packet-zbee-zcl-ha.c:818:21
    #2 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #3 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
    #4 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #5 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #6 0x7f1485ae18ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13
    #7 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #8 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
    #9 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #10 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #11 0x7f1485abbe40 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1029:21
    #12 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #13 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
    #14 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #15 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #16 0x7f1485ac5897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9
    #17 0x7f1485abf8aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9
    #18 0x7f1485ac0ef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5
    #19 0x7f1483519417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7
    #20 0x7f14845d663b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17
    #21 0x7f14845cc35e in dissect_ieee802154 wireshark/epan/dissectors/packet-ieee802154.c:561:5
    #22 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #23 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
    #24 0x7f1483510dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #25 0x7f14842205f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
    #26 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #27 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
    #28 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #29 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #30 0x7f148350c33b in dissect_record wireshark/epan/packet.c:501:3
    #31 0x7f14834ba3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
    #32 0x5264eb in process_packet wireshark/tshark.c:3728:5
    #33 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
    #34 0x515daf in main wireshark/tshark.c:2197:13

0x7f148fad2900 is located 32 bytes to the left of global variable 'ett' defined 
in 'packet-zbee-zcl-ha.c:1391:18' (0x7f148fad2920) of size 136
0x7f148fad2900 is located 0 bytes to the right of global variable 
'ett_zbee_zcl_appl_evtalt_alerts_struct' defined in 
'packet-zbee-zcl-ha.c:698:13' (0x7f148fad28e0) of size 32
SUMMARY: AddressSanitizer: global-buffer-overflow 
wireshark/epan/dissectors/packet-zbee-zcl-ha.c:889:21 in 
dissect_zcl_appl_evtalt_get_alerts_rsp
Shadow bytes around the buggy address:
  0x0fe311f524d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe311f524e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe311f524f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe311f52500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe311f52510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe311f52520:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe311f52530: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0fe311f52540: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0fe311f52550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe311f52560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe311f52570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8856==ABORTING
--- cut ---

Original comment by mjurc...@google.com on 30 Nov 2015 at 5:06

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by mjurc...@google.com on 4 Dec 2015 at 10:51

GoogleCodeExporter commented 8 years ago
Fixed at https://code.wireshark.org/review/#/c/12555/.

Original comment by mjurc...@google.com on 16 Dec 2015 at 11:52

GoogleCodeExporter commented 8 years ago
I'm reopening this bug, as it turns out that the provided patch only fixes the 
first reported problem, and doesn't address the other ones (i.e. similar issues 
in functions dissect_zcl_pwr_prof_enphsschednotif and 
dissect_zcl_appl_evtalt_get_alerts_rsp).

Original comment by mjurc...@google.com on 11 Jan 2016 at 1:48

GoogleCodeExporter commented 8 years ago
The issue appears to be now properly fixed in 
https://code.wireshark.org/review/#/c/13771/.

Original comment by mjurc...@google.com on 22 Feb 2016 at 2:25