Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-0581: Fuzz job crash output: fuzz-2022-02-07-6714.pcap (#17935) · Issues · Wireshark Foundation / wireshark · GitLab

Crash in the CMS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file

CVE
#ubuntu#linux#dos#git#ssl

Skip to content

Open Issue created Feb 07, 2022 by A Wireshark GitLab Utility@ws-gitlab-utilityDeveloper

Fuzz job crash output: fuzz-2022-02-07-6714.pcap

Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2022-02-07-6714.pcap

stderr:

Branch: HEAD

Input file: /var/menagerie/menagerie/13895-x509-ce-distribution-points-dissection-problem.pcapng

Build host information:
Linux 5.4.0-96-generic #109-Ubuntu SMP Wed Jan 12 16:49:16 UTC 2022 x86_64
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.3 LTS
Release:    20.04
Codename:   focal

Branch: release-3.4

CI job name: ASan Menagerie Fuzz, ID: 2060427609

Return value:  0

Dissector bug:  0

Valgrind error count:  0

Latest (but not necessarily the problem) commit:
e9c3dfe05 [Automatic update for 2022-02-06]
Command and args: /builds/wireshark/wireshark/_install/bin/tshark -2  -nVxr
Running as user "root" and group "root". This could be dangerous.
=================================================================
==87972==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000886420 at pc 0x5604c9392069 bp 0x7ffe62ef3be0 sp 0x7ffe62ef33a0
READ of size 28 at 0x606000886420 thread T0
    #0 0x5604c9392068 in strlen (/builds/wireshark/wireshark/_install/bin/tshark+0x6e068)
    #1 0x7f9e573a6147 in g_strdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72147)
    #2 0x7f9e63f2bc6b in find_string_dtbl_entry /builds/wireshark/wireshark/build/../epan/packet.c:1496:9
    #3 0x7f9e63f2c041 in dissector_try_string_new /builds/wireshark/wireshark/build/../epan/packet.c:1692:15
    #4 0x7f9e63f2c206 in dissector_try_string /builds/wireshark/wireshark/build/../epan/packet.c:1739:9
    #5 0x7f9e6100e26d in call_ber_oid_callback /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:1101:17
    #6 0x7f9e631995f1 in dissect_cms_T_parameters /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:220:10
    #7 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
    #8 0x7f9e63199477 in dissect_cms_SMIMECapability /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:236:12
    #9 0x7f9e61020437 in dissect_ber_sq_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3556:9
    #10 0x7f9e610206f2 in dissect_ber_sequence_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3584:12
    #11 0x7f9e63199407 in dissect_cms_SMIMECapabilities /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:249:12
    #12 0x7f9e63194397 in dissect_SMIMECapabilities_PDU /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:893:12
    #13 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
    #14 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
    #15 0x7f9e63f2c136 in dissector_try_string_new /builds/wireshark/wireshark/build/../epan/packet.c:1714:9
    #16 0x7f9e63f2c206 in dissector_try_string /builds/wireshark/wireshark/build/../epan/packet.c:1739:9
    #17 0x7f9e6100e26d in call_ber_oid_callback /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:1101:17
    #18 0x7f9e63ba9279 in dissect_x509af_T_extnValue /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:146:10
    #19 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
    #20 0x7f9e63ba6447 in dissect_x509af_Extension /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:163:12
    #21 0x7f9e61020437 in dissect_ber_sq_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3556:9
    #22 0x7f9e610206f2 in dissect_ber_sequence_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3584:12
    #23 0x7f9e63ba64b7 in dissect_x509af_Extensions /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:176:12
    #24 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
    #25 0x7f9e63ba9367 in dissect_x509af_T_signedCertificate /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:199:12
    #26 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
    #27 0x7f9e63ba6527 in dissect_x509af_Certificate /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:226:12
    #28 0x7f9e6293c5e9 in ssl_dissect_hnd_cert /builds/wireshark/wireshark/build/../epan/dissectors/packet-tls-utils.c:8838:13
    #29 0x7f9e629656ca in dissect_tls_handshake_full /builds/wireshark/wireshark/build/../epan/dissectors/packet-tls.c:2676:17
    #30 0x7f9e629632fa in dissect_tls_handshake /builds/wireshark/wireshark/build/../epan/dissectors/packet-tls.c:2495:9
    #31 0x7f9e6295ed72 in dissect_ssl3_record /builds/wireshark/wireshark/build/../epan/dissectors/packet-tls.c:2005:13
    #32 0x7f9e6295aa21 in dissect_ssl /builds/wireshark/wireshark/build/../epan/dissectors/packet-tls.c:745:26
    #33 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
    #34 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
    #35 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
    #36 0x7f9e63f27024 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
    #37 0x7f9e63f32a61 in call_dissector /builds/wireshark/wireshark/build/../epan/packet.c:3263:9
    #38 0x7f9e61642dd2 in dissect_eap /builds/wireshark/wireshark/build/../epan/dissectors/packet-eap.c:1938:13
    #39 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
    #40 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
    #41 0x7f9e63f2a919 in dissector_try_uint_new /builds/wireshark/wireshark/build/../epan/packet.c:1413:8
    #42 0x7f9e61649839 in dissect_eapol /builds/wireshark/wireshark/build/../epan/dissectors/packet-eapol.c:132:8
    #43 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
    #44 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
    #45 0x7f9e63f2a919 in dissector_try_uint_new /builds/wireshark/wireshark/build/../epan/packet.c:1413:8
    #46 0x7f9e63f2b3eb in dissector_try_uint /builds/wireshark/wireshark/build/../epan/packet.c:1437:9
    #47 0x7f9e61d70341 in dissect_snap /builds/wireshark/wireshark/build/../epan/dissectors/packet-llc.c:552:9
    #48 0x7f9e61d71134 in dissect_llc /builds/wireshark/wireshark/build/../epan/dissectors/packet-llc.c:434:3
    #49 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
    #50 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
    #51 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
    #52 0x7f9e63f27024 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
    #53 0x7f9e63f32a61 in call_dissector /builds/wireshark/wireshark/build/../epan/packet.c:3263:9
    #54 0x7f9e61aa467a in dissect_ieee80211_common /builds/wireshark/wireshark/build/../epan/dissectors/packet-ieee80211.c:26880:11
    #55 0x7f9e61a74706 in dissect_ieee80211 /builds/wireshark/wireshark/build/../epan/dissectors/packet-ieee80211.c:26932:10
    #56 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
    #57 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
    #58 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
    #59 0x7f9e63f27024 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
    #60 0x7f9e61a4e021 in dissect_wlan_radio /builds/wireshark/wireshark/build/../epan/dissectors/packet-ieee80211-radio.c:1513:10
    #61 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
    #62 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
    #63 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
    #64 0x7f9e63f27024 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
    #65 0x7f9e61a60959 in dissect_radiotap /builds/wireshark/wireshark/build/../epan/dissectors/packet-ieee80211-radiotap.c:3104:2
    #66 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
    #67 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
    #68 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
    #69 0x7f9e6175f8b6 in dissect_frame /builds/wireshark/wireshark/build/../epan/dissectors/packet-frame.c:783:6
    #70 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
    #71 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
    #72 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
    #73 0x7f9e63f27024 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
    #74 0x7f9e63f2680f in dissect_record /builds/wireshark/wireshark/build/../epan/packet.c:594:3
    #75 0x7f9e63ef5f88 in epan_dissect_run_with_taps /builds/wireshark/wireshark/build/../epan/epan.c:598:2
    #76 0x5604c945e357 in process_packet_second_pass /builds/wireshark/wireshark/build/../tshark.c:3250:5
    #77 0x5604c945c88e in process_cap_file_second_pass /builds/wireshark/wireshark/build/../tshark.c:3389:9
    #78 0x5604c94569b6 in process_cap_file /builds/wireshark/wireshark/build/../tshark.c:3650:28
    #79 0x5604c94504c8 in main /builds/wireshark/wireshark/build/../tshark.c:2102:16
    #80 0x7f9e5711e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #81 0x5604c937f43d in _start (/builds/wireshark/wireshark/_install/bin/tshark+0x5b43d)

0x60600088643b is located 0 bytes to the right of 59-byte region [0x606000886400,0x60600088643b)
freed by thread T0 here:
    #0 0x5604c93f78fd in free (/builds/wireshark/wireshark/_install/bin/tshark+0xd38fd)
    #1 0x7f9e63e00f03 in wmem_free /builds/wireshark/wireshark/build/../epan/wmem/wmem_core.c:65:9
    #2 0x7f9e63e0b01b in wmem_strict_free /builds/wireshark/wireshark/build/../epan/wmem/wmem_allocator_strict.c:127:5
    #3 0x7f9e63e0b0c4 in wmem_strict_free_all /builds/wireshark/wireshark/build/../epan/wmem/wmem_allocator_strict.c:182:9
    #4 0x7f9e63e01279 in wmem_free_all_real /builds/wireshark/wireshark/build/../epan/wmem/wmem_core.c:104:5
    #5 0x7f9e63e011d6 in wmem_free_all /builds/wireshark/wireshark/build/../epan/wmem/wmem_core.c:110:5
    #6 0x7f9e63e10a1a in wmem_leave_packet_scope /builds/wireshark/wireshark/build/../epan/wmem/wmem_scopes.c:69:5
    #7 0x7f9e63ef5f2d in epan_dissect_run /builds/wireshark/wireshark/build/../epan/epan.c:588:2
    #8 0x5604c945db37 in process_packet_first_pass /builds/wireshark/wireshark/build/../tshark.c:3028:5
    #9 0x5604c945bf2f in process_cap_file_first_pass /builds/wireshark/wireshark/build/../tshark.c:3165:9
    #10 0x5604c945696c in process_cap_file /builds/wireshark/wireshark/build/../tshark.c:3631:25
    #11 0x5604c94504c8 in main /builds/wireshark/wireshark/build/../tshark.c:2102:16
    #12 0x7f9e5711e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

previously allocated by thread T0 here:
    #0 0x5604c93f7b7d in malloc (/builds/wireshark/wireshark/_install/bin/tshark+0xd3b7d)
    #1 0x7f9e5738be98 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57e98)
    #2 0x7f9e63e0a8ab in wmem_strict_alloc /builds/wireshark/wireshark/build/../epan/wmem/wmem_allocator_strict.c:81:46
    #3 0x7f9e63e0ac94 in wmem_strict_realloc /builds/wireshark/wireshark/build/../epan/wmem/wmem_allocator_strict.c:139:15
    #4 0x7f9e63e011b0 in wmem_realloc /builds/wireshark/wireshark/build/../epan/wmem/wmem_core.c:96:12
    #5 0x7f9e63e1327c in wmem_strbuf_finalize /builds/wireshark/wireshark/build/../epan/wmem/wmem_strbuf.c:296:19
    #6 0x7f9e63f1d4dc in rel_oid_subid2string /builds/wireshark/wireshark/build/../epan/oids.c:898:9
    #7 0x7f9e63f18a07 in oid_subid2string /builds/wireshark/wireshark/build/../epan/oids.c:875:9
    #8 0x7f9e63f1f5f4 in oid_encoded2string /builds/wireshark/wireshark/build/../epan/oids.c:1164:9
    #9 0x7f9e6101dd26 in dissect_ber_any_oid_str /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3285:30
    #10 0x7f9e6101dec2 in dissect_ber_object_identifier_str /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3319:12
    #11 0x7f9e631994df in dissect_cms_T_capability /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:210:14
    #12 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
    #13 0x7f9e63199477 in dissect_cms_SMIMECapability /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:236:12
    #14 0x7f9e61020437 in dissect_ber_sq_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3556:9
    #15 0x7f9e610206f2 in dissect_ber_sequence_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3584:12
    #16 0x7f9e63199407 in dissect_cms_SMIMECapabilities /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:249:12
    #17 0x7f9e63194397 in dissect_SMIMECapabilities_PDU /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:893:12
    #18 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
    #19 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
    #20 0x7f9e63f2c136 in dissector_try_string_new /builds/wireshark/wireshark/build/../epan/packet.c:1714:9
    #21 0x7f9e63f2c206 in dissector_try_string /builds/wireshark/wireshark/build/../epan/packet.c:1739:9
    #22 0x7f9e6100e26d in call_ber_oid_callback /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:1101:17
    #23 0x7f9e63ba9279 in dissect_x509af_T_extnValue /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:146:10
    #24 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
    #25 0x7f9e63ba6447 in dissect_x509af_Extension /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:163:12
    #26 0x7f9e61020437 in dissect_ber_sq_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3556:9
    #27 0x7f9e610206f2 in dissect_ber_sequence_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3584:12
    #28 0x7f9e63ba64b7 in dissect_x509af_Extensions /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:176:12
    #29 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17

SUMMARY: AddressSanitizer: heap-use-after-free (/builds/wireshark/wireshark/_install/bin/tshark+0x6e068) in strlen
Shadow bytes around the buggy address:
  0x0c0c80108c30: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c80108c40: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c80108c50: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c80108c60: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c80108c70: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
=>0x0c0c80108c80: fd fd fd fd[fd]fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c80108c90: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c80108ca0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c80108cb0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c80108cc0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c80108cd0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==87972==ABORTING

fuzz-test.sh stderr:
Running as user "root" and group "root". This could be dangerous.

no debug trace

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907