Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=750 The following crash due to a static memory out-of-bounds write can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"): --- cut --- ==28209==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fde2f36bfc4 at pc 0x7fde25b1332c bp 0x7fffe48bc670 sp 0x7fffe48bc668 WRITE of size 4 at 0x7fde2f36bfc4 thread T0 #0 0x7fde25b1332b in dissect_ber_integer epan/dissectors/packet-ber.c:2001:16 #1 0x7fde27f46621 in dissect_kerberos_ADDR_TYPE epan/dissectors/../../asn1/kerberos/kerberos.cnf:351:12 #2 0x7fde25b1959a in dissect_ber_sequence epan/dissectors/packet-ber.c:2415:17 #3 0x7fde27f4656f in dissect_kerberos_HostAddress epan/dissectors/../../asn1/kerberos/kerberos.cnf:233:12 #4 0x7fde25b1959a in dissect_ber_sequence epan/dissectors/packet-ber.c:2415:17 #5 0x7fde27f4badf in dissect_kerberos_EncKrbPrivPart epan/dissectors/../../asn1/kerberos/kerberos.cnf:407:12 #6 0x7fde25b040f7 in dissect_ber_tagged_type epan/dissectors/packet-ber.c:695:18 #7 0x7fde27f42384 in dissect_kerberos_ENC_KRB_PRIV_PART epan/dissectors/../../asn1/kerberos/kerberos.cnf:417:12 #8 0x7fde25b1f100 in dissect_ber_choice epan/dissectors/packet-ber.c:2917:21 #9 0x7fde27f4139a in dissect_kerberos_Applications epan/dissectors/../../asn1/kerberos/kerberos.cnf:185:12 #10 0x7fde27f3f7b2 in dissect_kerberos_common epan/dissectors/../../asn1/kerberos/packet-kerberos-template.c:2103:10 #11 0x7fde27f3e22f in dissect_kerberos_main epan/dissectors/../../asn1/kerberos/packet-kerberos-template.c:2134:10 #12 0x7fde26f3c34f in dissect_pktc_mtafqdn epan/dissectors/packet-pktc.c:566:15 #13 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8 #14 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9 #15 0x7fde2560670d in dissector_try_uint_new epan/packet.c:1160:9 #16 0x7fde256072b4 in dissector_try_uint epan/packet.c:1186:9 #17 0x7fde277709e5 in decode_udp_ports epan/dissectors/packet-udp.c:583:7 #18 0x7fde2777fa80 in dissect epan/dissectors/packet-udp.c:1081:5 #19 0x7fde27773840 in dissect_udplite epan/dissectors/packet-udp.c:1094:3 #20 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8 #21 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9 #22 0x7fde2560670d in dissector_try_uint_new epan/packet.c:1160:9 #23 0x7fde267660bb in ip_try_dissect epan/dissectors/packet-ip.c:1978:7 #24 0x7fde26770de8 in dissect_ip_v4 epan/dissectors/packet-ip.c:2472:10 #25 0x7fde26766819 in dissect_ip epan/dissectors/packet-ip.c:2495:5 #26 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8 #27 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9 #28 0x7fde2560670d in dissector_try_uint_new epan/packet.c:1160:9 #29 0x7fde256072b4 in dissector_try_uint epan/packet.c:1186:9 #30 0x7fde26f6e380 in dissect_ppp_common epan/dissectors/packet-ppp.c:4344:10 #31 0x7fde26f6db3c in dissect_ppp_hdlc_common epan/dissectors/packet-ppp.c:5337:5 #32 0x7fde26f65df5 in dissect_ppp_hdlc epan/dissectors/packet-ppp.c:5378:5 #33 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8 #34 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9 #35 0x7fde2560670d in dissector_try_uint_new epan/packet.c:1160:9 #36 0x7fde2634fe55 in dissect_frame epan/dissectors/packet-frame.c:493:11 #37 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8 #38 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9 #39 0x7fde25610a7e in call_dissector_only epan/packet.c:2674:8 #40 0x7fde2560243f in call_dissector_with_data epan/packet.c:2687:8 #41 0x7fde25601814 in dissect_record epan/packet.c:509:3 #42 0x7fde255b4bb9 in epan_dissect_run_with_taps epan/epan.c:376:2 #43 0x52f11b in process_packet tshark.c:3748:5 #44 0x52840c in load_cap_file tshark.c:3504:11 #45 0x51e71c in main tshark.c:2213:13 0x7fde2f36bfc4 is located 4 bytes to the right of global variable 'cb' defined in 'packet-pktc.c:539:27' (0x7fde2f36bfa0) of size 32 SUMMARY: AddressSanitizer: global-buffer-overflow epan/dissectors/packet-ber.c:2001:16 in dissect_ber_integer Shadow bytes around the buggy address: 0x0ffc45e657a0: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 0x0ffc45e657b0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0ffc45e657c0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x0ffc45e657d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ffc45e657e0: 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 =>0x0ffc45e657f0: f9 f9 f9 f9 00 00 00 00[f9]f9 f9 f9 00 00 00 00 0x0ffc45e65800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ffc45e65810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ffc45e65820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ffc45e65830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ffc45e65840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone:fb Freed heap region: fd Stack left redzone:f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return:f5 Stack use after scope: f8 Global redzone:f9 Global init order: f6 Poisoned by user:f7 Container overflow:fc Array cookie:ac Intra object redzone:bb ASan internal: fe Left alloca redzone: ca Right alloca redzone:cb ==28209==ABORTING --- cut --- The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12206. Attached is a file which triggers the crash. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39604.zip
体验盒子
