扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 |
Source: https://code.google.com/p/google-security-research/issues/detail?id=661 The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"): --- cut --- ==7849==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f8e33764094 at pc 0x7f8e29788726 bp 0x7ffe27806640 sp 0x7ffe27806638 READ of size 4 at 0x7f8e33764094 thread T0 #0 0x7f8e29788725 in dissect_zcl_pwr_prof_pwrprofstatersp wireshark/epan/dissectors/packet-zbee-zcl-general.c:3847:21 #1 0x7f8e2977f2be in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:3494:21 #2 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 #3 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9 #4 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8 #5 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8 #6 0x7f8e297738ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13 #7 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 #8 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9 #9 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8 #10 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8 #11 0x7f8e2974de40 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1029:21 #12 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 #13 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9 #14 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8 #15 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8 #16 0x7f8e29757897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9 #17 0x7f8e297518aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9 #18 0x7f8e29752ef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5 #19 0x7f8e271ab417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7 #20 0x7f8e2826863b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17 #21 0x7f8e2825e35e in dissect_ieee802154 wireshark/epan/dissectors/packet-ieee802154.c:561:5 #22 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 #23 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9 #24 0x7f8e271a2dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9 #25 0x7f8e27eb25f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11 #26 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 #27 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9 #28 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8 #29 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8 #30 0x7f8e2719e33b in dissect_record wireshark/epan/packet.c:501:3 #31 0x7f8e2714c3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2 #32 0x5264eb in process_packet wireshark/tshark.c:3728:5 #33 0x51f960 in load_cap_file wireshark/tshark.c:3484:11 #34 0x515daf in main wireshark/tshark.c:2197:13 0x7f8e33764094 is located 44 bytes to the left of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:3329:13' (0x7f8e337640c0) of size 64 0x7f8e33764094 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_pwrprofiles' defined in 'packet-zbee-zcl-general.c:3328:13' (0x7f8e33764080) of size 20 SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:3847:21 in dissect_zcl_pwr_prof_pwrprofstatersp Shadow bytes around the buggy address: 0x0ff2466e47c0: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 0x0ff2466e47d0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x0ff2466e47e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9 0x0ff2466e47f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff2466e4800: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 =>0x0ff2466e4810: 00 00[04]f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x0ff2466e4820: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff2466e4830: 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 0x0ff2466e4840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff2466e4850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff2466e4860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone:fb Freed heap region: fd Stack left redzone:f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return:f5 Stack use after scope: f8 Global redzone:f9 Global init order: f6 Poisoned by user:f7 Container overflow:fc Array cookie:ac Intra object redzone:bb ASan internal: fe Left alloca redzone: ca Right alloca redzone:cb ==7849==ABORTING --- cut --- The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11830. Attached are three files which trigger the crash. Update: there is also a similar crash due to out-of-bounds access to the global "ett_zbee_zcl_pwr_prof_enphases" array, see the report below. Attached is a file which triggers the crash. --- cut --- ==8228==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f0d4f321100 at pc 0x7f0d45344cd5 bp 0x7fff69e4e4a0 sp 0x7fff69e4e498 READ of size 4 at 0x7f0d4f321100 thread T0 #0 0x7f0d45344cd4 in dissect_zcl_pwr_prof_enphsschednotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:3685:25 #1 0x7f0d4533bd04 in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:3463:21 #2 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 #3 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9 #4 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8 #5 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8 #6 0x7f0d453308ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13 #7 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 #8 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9 #9 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8 #10 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8 #11 0x7f0d4530b750 in dissect_zbee_apf wireshark/epan/dissectors/packet-zbee-aps.c:1680:9 #12 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 #13 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9 #14 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8 #15 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8 #16 0x7f0d4530aee1 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1033:13 #17 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 #18 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9 #19 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8 #20 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8 #21 0x7f0d45314897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9 #22 0x7f0d4530e8aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9 #23 0x7f0d4530fef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5 #24 0x7f0d42d68417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7 #25 0x7f0d43e2563b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17 #26 0x7f0d43e1b40a in dissect_ieee802154_nofcs wireshark/epan/dissectors/packet-ieee802154.c:594:5 #27 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 #28 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9 #29 0x7f0d42d5fdbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9 #30 0x7f0d43a6f5f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11 #31 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 #32 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9 #33 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8 #34 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8 #35 0x7f0d42d5b33b in dissect_record wireshark/epan/packet.c:501:3 #36 0x7f0d42d093c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2 #37 0x5264eb in process_packet wireshark/tshark.c:3728:5 #38 0x51f960 in load_cap_file wireshark/tshark.c:3484:11 #39 0x515daf in main wireshark/tshark.c:2197:13 0x7f0d4f321100 is located 32 bytes to the left of global variable 'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:4460:13' (0x7f0d4f321120) of size 128 0x7f0d4f321100 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:3329:13' (0x7f0d4f3210c0) of size 64 SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:3685:25 in dissect_zcl_pwr_prof_enphsschednotif Shadow bytes around the buggy address: 0x0fe229e5c1d0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x0fe229e5c1e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9 0x0fe229e5c1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe229e5c200: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 0x0fe229e5c210: 00 00 04 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 =>0x0fe229e5c220:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe229e5c230: 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 0x0fe229e5c240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe229e5c250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe229e5c260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe229e5c270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone:fb Freed heap region: fd Stack left redzone:f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return:f5 Stack use after scope: f8 Global redzone:f9 Global init order: f6 Poisoned by user:f7 Container overflow:fc Array cookie:ac Intra object redzone:bb ASan internal: fe Left alloca redzone: ca Right alloca redzone:cb ==8228==ABORTING --- cut --- Furthermore, there is yet another similar condition in a somewhat related area of code, see the attached file and report below: --- cut --- ==8856==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f148fad2900 at pc 0x7f1485afc15d bp 0x7ffd41dc3de0 sp 0x7ffd41dc3dd8 READ of size 4 at 0x7f148fad2900 thread T0 #0 0x7f1485afc15c in dissect_zcl_appl_evtalt_get_alerts_rsp wireshark/epan/dissectors/packet-zbee-zcl-ha.c:889:21 #1 0x7f1485afab0f in dissect_zbee_zcl_appl_evtalt wireshark/epan/dissectors/packet-zbee-zcl-ha.c:818:21 #2 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 #3 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9 #4 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8 #5 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8 #6 0x7f1485ae18ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13 #7 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 #8 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9 #9 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8 #10 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8 #11 0x7f1485abbe40 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1029:21 #12 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 #13 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9 #14 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8 #15 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8 #16 0x7f1485ac5897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9 #17 0x7f1485abf8aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9 #18 0x7f1485ac0ef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5 #19 0x7f1483519417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7 #20 0x7f14845d663b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17 #21 0x7f14845cc35e in dissect_ieee802154 wireshark/epan/dissectors/packet-ieee802154.c:561:5 #22 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 #23 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9 #24 0x7f1483510dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9 #25 0x7f14842205f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11 #26 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 #27 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9 #28 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8 #29 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8 #30 0x7f148350c33b in dissect_record wireshark/epan/packet.c:501:3 #31 0x7f14834ba3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2 #32 0x5264eb in process_packet wireshark/tshark.c:3728:5 #33 0x51f960 in load_cap_file wireshark/tshark.c:3484:11 #34 0x515daf in main wireshark/tshark.c:2197:13 0x7f148fad2900 is located 32 bytes to the left of global variable 'ett' defined in 'packet-zbee-zcl-ha.c:1391:18' (0x7f148fad2920) of size 136 0x7f148fad2900 is located 0 bytes to the right of global variable 'ett_zbee_zcl_appl_evtalt_alerts_struct' defined in 'packet-zbee-zcl-ha.c:698:13' (0x7f148fad28e0) of size 32 SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-ha.c:889:21 in dissect_zcl_appl_evtalt_get_alerts_rsp Shadow bytes around the buggy address: 0x0fe311f524d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe311f524e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe311f524f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe311f52500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe311f52510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0fe311f52520:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe311f52530: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 0x0fe311f52540: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x0fe311f52550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe311f52560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe311f52570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone:fb Freed heap region: fd Stack left redzone:f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return:f5 Stack use after scope: f8 Global redzone:f9 Global init order: f6 Poisoned by user:f7 Container overflow:fc Array cookie:ac Intra object redzone:bb ASan internal: fe Left alloca redzone: ca Right alloca redzone:cb ==8856==ABORTING --- cut --- Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38995.zip |
体验盒子
