Open GoogleCodeExporter opened 8 years ago
Update: there is also a similar crash due to out-of-bounds access to the global
"ett_zbee_zcl_pwr_prof_enphases" array, see the report below.
Attached is a file which triggers the crash.
--- cut ---
==8228==ERROR: AddressSanitizer: global-buffer-overflow on address
0x7f0d4f321100 at pc 0x7f0d45344cd5 bp 0x7fff69e4e4a0 sp 0x7fff69e4e498
READ of size 4 at 0x7f0d4f321100 thread T0
#0 0x7f0d45344cd4 in dissect_zcl_pwr_prof_enphsschednotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:3685:25
#1 0x7f0d4533bd04 in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:3463:21
#2 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#3 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#4 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
#5 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#6 0x7f0d453308ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13
#7 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#8 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#9 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
#10 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#11 0x7f0d4530b750 in dissect_zbee_apf wireshark/epan/dissectors/packet-zbee-aps.c:1680:9
#12 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#13 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#14 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
#15 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#16 0x7f0d4530aee1 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1033:13
#17 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#18 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#19 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
#20 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#21 0x7f0d45314897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9
#22 0x7f0d4530e8aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9
#23 0x7f0d4530fef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5
#24 0x7f0d42d68417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7
#25 0x7f0d43e2563b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17
#26 0x7f0d43e1b40a in dissect_ieee802154_nofcs wireshark/epan/dissectors/packet-ieee802154.c:594:5
#27 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#28 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#29 0x7f0d42d5fdbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#30 0x7f0d43a6f5f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#31 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#32 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#33 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
#34 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#35 0x7f0d42d5b33b in dissect_record wireshark/epan/packet.c:501:3
#36 0x7f0d42d093c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#37 0x5264eb in process_packet wireshark/tshark.c:3728:5
#38 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#39 0x515daf in main wireshark/tshark.c:2197:13
0x7f0d4f321100 is located 32 bytes to the left of global variable
'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:4460:13'
(0x7f0d4f321120) of size 128
0x7f0d4f321100 is located 0 bytes to the right of global variable
'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:3329:13'
(0x7f0d4f3210c0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow
wireshark/epan/dissectors/packet-zbee-zcl-general.c:3685:25 in
dissect_zcl_pwr_prof_enphsschednotif
Shadow bytes around the buggy address:
0x0fe229e5c1d0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0fe229e5c1e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x0fe229e5c1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe229e5c200: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
0x0fe229e5c210: 00 00 04 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x0fe229e5c220:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe229e5c230: 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0fe229e5c240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe229e5c250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe229e5c260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe229e5c270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8228==ABORTING
--- cut ---
Original comment by mjurc...@google.com
on 30 Nov 2015 at 4:48
Attachments:
Furthermore, there is yet another similar condition in a somewhat related area
of code, see the attached file and report below:
--- cut ---
==8856==ERROR: AddressSanitizer: global-buffer-overflow on address
0x7f148fad2900 at pc 0x7f1485afc15d bp 0x7ffd41dc3de0 sp 0x7ffd41dc3dd8
READ of size 4 at 0x7f148fad2900 thread T0
#0 0x7f1485afc15c in dissect_zcl_appl_evtalt_get_alerts_rsp wireshark/epan/dissectors/packet-zbee-zcl-ha.c:889:21
#1 0x7f1485afab0f in dissect_zbee_zcl_appl_evtalt wireshark/epan/dissectors/packet-zbee-zcl-ha.c:818:21
#2 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#3 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
#4 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
#5 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#6 0x7f1485ae18ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13
#7 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#8 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
#9 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
#10 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#11 0x7f1485abbe40 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1029:21
#12 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#13 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
#14 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
#15 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#16 0x7f1485ac5897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9
#17 0x7f1485abf8aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9
#18 0x7f1485ac0ef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5
#19 0x7f1483519417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7
#20 0x7f14845d663b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17
#21 0x7f14845cc35e in dissect_ieee802154 wireshark/epan/dissectors/packet-ieee802154.c:561:5
#22 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#23 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
#24 0x7f1483510dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#25 0x7f14842205f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#26 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#27 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
#28 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
#29 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#30 0x7f148350c33b in dissect_record wireshark/epan/packet.c:501:3
#31 0x7f14834ba3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#32 0x5264eb in process_packet wireshark/tshark.c:3728:5
#33 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#34 0x515daf in main wireshark/tshark.c:2197:13
0x7f148fad2900 is located 32 bytes to the left of global variable 'ett' defined
in 'packet-zbee-zcl-ha.c:1391:18' (0x7f148fad2920) of size 136
0x7f148fad2900 is located 0 bytes to the right of global variable
'ett_zbee_zcl_appl_evtalt_alerts_struct' defined in
'packet-zbee-zcl-ha.c:698:13' (0x7f148fad28e0) of size 32
SUMMARY: AddressSanitizer: global-buffer-overflow
wireshark/epan/dissectors/packet-zbee-zcl-ha.c:889:21 in
dissect_zcl_appl_evtalt_get_alerts_rsp
Shadow bytes around the buggy address:
0x0fe311f524d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f524e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f524f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f52500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f52510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe311f52520:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f52530: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0fe311f52540: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0fe311f52550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f52560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f52570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8856==ABORTING
--- cut ---
Original comment by mjurc...@google.com
on 30 Nov 2015 at 5:06
Attachments:
Original comment by mjurc...@google.com
on 4 Dec 2015 at 10:51
Fixed at https://code.wireshark.org/review/#/c/12555/.
Original comment by mjurc...@google.com
on 16 Dec 2015 at 11:52
I'm reopening this bug, as it turns out that the provided patch only fixes the
first reported problem, and doesn't address the other ones (i.e. similar issues
in functions dissect_zcl_pwr_prof_enphsschednotif and
dissect_zcl_appl_evtalt_get_alerts_rsp).
Original comment by mjurc...@google.com
on 11 Jan 2016 at 1:48
Original issue reported on code.google.com by
mjurc...@google.com
on 30 Nov 2015 at 4:40Attachments: