CVE-2022-0581: Fuzz job crash output: fuzz-2022-02-07-6714.pcap (#17935) · Issues · Wireshark Foundation / wireshark · GitLab
Crash in the CMS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file
Open issue, created Feb 07, 2022 by A Wireshark GitLab Utility (@ws-gitlab-utility, Developer)
Fuzz job crash output: fuzz-2022-02-07-6714.pcap
Problems have been found with the following capture file:
https://www.wireshark.org/download/automated/captures/fuzz-2022-02-07-6714.pcap
stderr:
Branch: HEAD
Input file: /var/menagerie/menagerie/13895-x509-ce-distribution-points-dissection-problem.pcapng
Build host information:
Linux 5.4.0-96-generic #109-Ubuntu SMP Wed Jan 12 16:49:16 UTC 2022 x86_64
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
Branch: release-3.4
CI job name: ASan Menagerie Fuzz, ID: 2060427609
Return value: 0
Dissector bug: 0
Valgrind error count: 0
Latest (but not necessarily the problem) commit:
e9c3dfe05 [Automatic update for 2022-02-06]
Command and args: /builds/wireshark/wireshark/_install/bin/tshark -2 -nVxr
Running as user "root" and group "root". This could be dangerous.
=================================================================
==87972==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000886420 at pc 0x5604c9392069 bp 0x7ffe62ef3be0 sp 0x7ffe62ef33a0
READ of size 28 at 0x606000886420 thread T0
#0 0x5604c9392068 in strlen (/builds/wireshark/wireshark/_install/bin/tshark+0x6e068)
#1 0x7f9e573a6147 in g_strdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72147)
#2 0x7f9e63f2bc6b in find_string_dtbl_entry /builds/wireshark/wireshark/build/../epan/packet.c:1496:9
#3 0x7f9e63f2c041 in dissector_try_string_new /builds/wireshark/wireshark/build/../epan/packet.c:1692:15
#4 0x7f9e63f2c206 in dissector_try_string /builds/wireshark/wireshark/build/../epan/packet.c:1739:9
#5 0x7f9e6100e26d in call_ber_oid_callback /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:1101:17
#6 0x7f9e631995f1 in dissect_cms_T_parameters /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:220:10
#7 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
#8 0x7f9e63199477 in dissect_cms_SMIMECapability /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:236:12
#9 0x7f9e61020437 in dissect_ber_sq_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3556:9
#10 0x7f9e610206f2 in dissect_ber_sequence_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3584:12
#11 0x7f9e63199407 in dissect_cms_SMIMECapabilities /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:249:12
#12 0x7f9e63194397 in dissect_SMIMECapabilities_PDU /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:893:12
#13 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
#14 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
#15 0x7f9e63f2c136 in dissector_try_string_new /builds/wireshark/wireshark/build/../epan/packet.c:1714:9
#16 0x7f9e63f2c206 in dissector_try_string /builds/wireshark/wireshark/build/../epan/packet.c:1739:9
#17 0x7f9e6100e26d in call_ber_oid_callback /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:1101:17
#18 0x7f9e63ba9279 in dissect_x509af_T_extnValue /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:146:10
#19 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
#20 0x7f9e63ba6447 in dissect_x509af_Extension /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:163:12
#21 0x7f9e61020437 in dissect_ber_sq_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3556:9
#22 0x7f9e610206f2 in dissect_ber_sequence_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3584:12
#23 0x7f9e63ba64b7 in dissect_x509af_Extensions /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:176:12
#24 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
#25 0x7f9e63ba9367 in dissect_x509af_T_signedCertificate /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:199:12
#26 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
#27 0x7f9e63ba6527 in dissect_x509af_Certificate /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:226:12
#28 0x7f9e6293c5e9 in ssl_dissect_hnd_cert /builds/wireshark/wireshark/build/../epan/dissectors/packet-tls-utils.c:8838:13
#29 0x7f9e629656ca in dissect_tls_handshake_full /builds/wireshark/wireshark/build/../epan/dissectors/packet-tls.c:2676:17
#30 0x7f9e629632fa in dissect_tls_handshake /builds/wireshark/wireshark/build/../epan/dissectors/packet-tls.c:2495:9
#31 0x7f9e6295ed72 in dissect_ssl3_record /builds/wireshark/wireshark/build/../epan/dissectors/packet-tls.c:2005:13
#32 0x7f9e6295aa21 in dissect_ssl /builds/wireshark/wireshark/build/../epan/dissectors/packet-tls.c:745:26
#33 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
#34 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
#35 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
#36 0x7f9e63f27024 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
#37 0x7f9e63f32a61 in call_dissector /builds/wireshark/wireshark/build/../epan/packet.c:3263:9
#38 0x7f9e61642dd2 in dissect_eap /builds/wireshark/wireshark/build/../epan/dissectors/packet-eap.c:1938:13
#39 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
#40 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
#41 0x7f9e63f2a919 in dissector_try_uint_new /builds/wireshark/wireshark/build/../epan/packet.c:1413:8
#42 0x7f9e61649839 in dissect_eapol /builds/wireshark/wireshark/build/../epan/dissectors/packet-eapol.c:132:8
#43 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
#44 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
#45 0x7f9e63f2a919 in dissector_try_uint_new /builds/wireshark/wireshark/build/../epan/packet.c:1413:8
#46 0x7f9e63f2b3eb in dissector_try_uint /builds/wireshark/wireshark/build/../epan/packet.c:1437:9
#47 0x7f9e61d70341 in dissect_snap /builds/wireshark/wireshark/build/../epan/dissectors/packet-llc.c:552:9
#48 0x7f9e61d71134 in dissect_llc /builds/wireshark/wireshark/build/../epan/dissectors/packet-llc.c:434:3
#49 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
#50 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
#51 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
#52 0x7f9e63f27024 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
#53 0x7f9e63f32a61 in call_dissector /builds/wireshark/wireshark/build/../epan/packet.c:3263:9
#54 0x7f9e61aa467a in dissect_ieee80211_common /builds/wireshark/wireshark/build/../epan/dissectors/packet-ieee80211.c:26880:11
#55 0x7f9e61a74706 in dissect_ieee80211 /builds/wireshark/wireshark/build/../epan/dissectors/packet-ieee80211.c:26932:10
#56 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
#57 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
#58 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
#59 0x7f9e63f27024 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
#60 0x7f9e61a4e021 in dissect_wlan_radio /builds/wireshark/wireshark/build/../epan/dissectors/packet-ieee80211-radio.c:1513:10
#61 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
#62 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
#63 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
#64 0x7f9e63f27024 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
#65 0x7f9e61a60959 in dissect_radiotap /builds/wireshark/wireshark/build/../epan/dissectors/packet-ieee80211-radiotap.c:3104:2
#66 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
#67 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
#68 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
#69 0x7f9e6175f8b6 in dissect_frame /builds/wireshark/wireshark/build/../epan/dissectors/packet-frame.c:783:6
#70 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
#71 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
#72 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
#73 0x7f9e63f27024 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
#74 0x7f9e63f2680f in dissect_record /builds/wireshark/wireshark/build/../epan/packet.c:594:3
#75 0x7f9e63ef5f88 in epan_dissect_run_with_taps /builds/wireshark/wireshark/build/../epan/epan.c:598:2
#76 0x5604c945e357 in process_packet_second_pass /builds/wireshark/wireshark/build/../tshark.c:3250:5
#77 0x5604c945c88e in process_cap_file_second_pass /builds/wireshark/wireshark/build/../tshark.c:3389:9
#78 0x5604c94569b6 in process_cap_file /builds/wireshark/wireshark/build/../tshark.c:3650:28
#79 0x5604c94504c8 in main /builds/wireshark/wireshark/build/../tshark.c:2102:16
#80 0x7f9e5711e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#81 0x5604c937f43d in _start (/builds/wireshark/wireshark/_install/bin/tshark+0x5b43d)
0x60600088643b is located 0 bytes to the right of 59-byte region [0x606000886400,0x60600088643b)
freed by thread T0 here:
#0 0x5604c93f78fd in free (/builds/wireshark/wireshark/_install/bin/tshark+0xd38fd)
#1 0x7f9e63e00f03 in wmem_free /builds/wireshark/wireshark/build/../epan/wmem/wmem_core.c:65:9
#2 0x7f9e63e0b01b in wmem_strict_free /builds/wireshark/wireshark/build/../epan/wmem/wmem_allocator_strict.c:127:5
#3 0x7f9e63e0b0c4 in wmem_strict_free_all /builds/wireshark/wireshark/build/../epan/wmem/wmem_allocator_strict.c:182:9
#4 0x7f9e63e01279 in wmem_free_all_real /builds/wireshark/wireshark/build/../epan/wmem/wmem_core.c:104:5
#5 0x7f9e63e011d6 in wmem_free_all /builds/wireshark/wireshark/build/../epan/wmem/wmem_core.c:110:5
#6 0x7f9e63e10a1a in wmem_leave_packet_scope /builds/wireshark/wireshark/build/../epan/wmem/wmem_scopes.c:69:5
#7 0x7f9e63ef5f2d in epan_dissect_run /builds/wireshark/wireshark/build/../epan/epan.c:588:2
#8 0x5604c945db37 in process_packet_first_pass /builds/wireshark/wireshark/build/../tshark.c:3028:5
#9 0x5604c945bf2f in process_cap_file_first_pass /builds/wireshark/wireshark/build/../tshark.c:3165:9
#10 0x5604c945696c in process_cap_file /builds/wireshark/wireshark/build/../tshark.c:3631:25
#11 0x5604c94504c8 in main /builds/wireshark/wireshark/build/../tshark.c:2102:16
#12 0x7f9e5711e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
previously allocated by thread T0 here:
#0 0x5604c93f7b7d in malloc (/builds/wireshark/wireshark/_install/bin/tshark+0xd3b7d)
#1 0x7f9e5738be98 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57e98)
#2 0x7f9e63e0a8ab in wmem_strict_alloc /builds/wireshark/wireshark/build/../epan/wmem/wmem_allocator_strict.c:81:46
#3 0x7f9e63e0ac94 in wmem_strict_realloc /builds/wireshark/wireshark/build/../epan/wmem/wmem_allocator_strict.c:139:15
#4 0x7f9e63e011b0 in wmem_realloc /builds/wireshark/wireshark/build/../epan/wmem/wmem_core.c:96:12
#5 0x7f9e63e1327c in wmem_strbuf_finalize /builds/wireshark/wireshark/build/../epan/wmem/wmem_strbuf.c:296:19
#6 0x7f9e63f1d4dc in rel_oid_subid2string /builds/wireshark/wireshark/build/../epan/oids.c:898:9
#7 0x7f9e63f18a07 in oid_subid2string /builds/wireshark/wireshark/build/../epan/oids.c:875:9
#8 0x7f9e63f1f5f4 in oid_encoded2string /builds/wireshark/wireshark/build/../epan/oids.c:1164:9
#9 0x7f9e6101dd26 in dissect_ber_any_oid_str /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3285:30
#10 0x7f9e6101dec2 in dissect_ber_object_identifier_str /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3319:12
#11 0x7f9e631994df in dissect_cms_T_capability /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:210:14
#12 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
#13 0x7f9e63199477 in dissect_cms_SMIMECapability /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:236:12
#14 0x7f9e61020437 in dissect_ber_sq_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3556:9
#15 0x7f9e610206f2 in dissect_ber_sequence_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3584:12
#16 0x7f9e63199407 in dissect_cms_SMIMECapabilities /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:249:12
#17 0x7f9e63194397 in dissect_SMIMECapabilities_PDU /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:893:12
#18 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
#19 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
#20 0x7f9e63f2c136 in dissector_try_string_new /builds/wireshark/wireshark/build/../epan/packet.c:1714:9
#21 0x7f9e63f2c206 in dissector_try_string /builds/wireshark/wireshark/build/../epan/packet.c:1739:9
#22 0x7f9e6100e26d in call_ber_oid_callback /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:1101:17
#23 0x7f9e63ba9279 in dissect_x509af_T_extnValue /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:146:10
#24 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
#25 0x7f9e63ba6447 in dissect_x509af_Extension /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:163:12
#26 0x7f9e61020437 in dissect_ber_sq_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3556:9
#27 0x7f9e610206f2 in dissect_ber_sequence_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3584:12
#28 0x7f9e63ba64b7 in dissect_x509af_Extensions /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:176:12
#29 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
SUMMARY: AddressSanitizer: heap-use-after-free (/builds/wireshark/wireshark/_install/bin/tshark+0x6e068) in strlen
Shadow bytes around the buggy address:
0x0c0c80108c30: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
0x0c0c80108c40: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0c80108c50: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0c80108c60: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
0x0c0c80108c70: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
=>0x0c0c80108c80: fd fd fd fd[fd]fd fd fd fa fa fa fa fd fd fd fd
0x0c0c80108c90: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0c80108ca0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0c80108cb0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0c80108cc0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0c80108cd0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==87972==ABORTING
fuzz-test.sh stderr:
Running as user "root" and group "root". This could be dangerous.
no debug trace