-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Heap use after free #11
Comments
Thank you for this report, I confirm it reproduces as described. |
This issue was discovered by Mohammad Hosein Askari (@C0NSTANTINE110), see GitHub issue #11. In extract_slice() pcap_dump_open() takes a pcap_t argument to tell which DLT to use for the output file. This used to be the pcap_t of the first input file, as main() requires at least one input file. However, the loop before pcap_dump_open() closes all, including the first, input files that don't meet a test condition. This way, when the first file didn't meet the condition, the call to pcap_dump_open() would end up as a use-after-free. Make the pcap_dump_open() call before the loop, when the first array element is always valid, and fix this problem.
This problem's identifier is CVE-2021-41043; a by-product of its debugging is four other confirmed or potential bugs. tcpslice release 1.5 should fix all of that. This should be sufficient to proceed with the formal CVE publication, let me try that. In future please send security bug reports to security@tcpdump.org instead of opening an issue in the public bug tracker. |
CVE-2021-41043 has been published, see CVEProject/cvelist#3904. Closing as resolved. |
For posterity, signed tcpslice tarballs are available at https://www.tcpdump.org/release/ |
Tested on:
version 1.5-PRE-GIT
version 1.2a3
Command:
tcpslice -w a.txt heap.pcap
Segmentation fault
Results:
==1676569==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000000160 at pc 0x7ffff761fa7d bp 0x7fffffffd700 sp 0x7fffffffce90
WRITE of size 56 at 0x617000000160 thread T0
#0 0x7ffff761fa7c in vsnprintf (/lib/x86_64-linux-gnu/libasan.so.5+0x9fa7c)
#1 0x7ffff7620036 in __snprintf_chk (/lib/x86_64-linux-gnu/libasan.so.5+0xa0036)
#2 0x7ffff75594ee in pcap_dump_open (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x244ee)
#3 0x555555559ea4 in extract_slice tcpslice.c:882
#4 0x555555559ea4 in main tcpslice.c:312
#5 0x7ffff736a0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#6 0x55555555eadd in _start (/home/constantine/tcpslice/tcpslice+0xaadd)
0x617000000160 is located 224 bytes inside of 664-byte region [0x617000000080,0x617000000318)
freed by thread T0 here:
#0 0x7ffff768d7cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
#1 0x555555559d8a in get_next_packet tcpslice.c:747
#2 0x555555559d8a in extract_slice tcpslice.c:879
#3 0x555555559d8a in main tcpslice.c:312
previously allocated by thread T0 here:
#0 0x7ffff768ddc6 in calloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
#1 0x7ffff7545bea (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x10bea)
#2 0x64656e696665646d ()
SUMMARY: AddressSanitizer: heap-use-after-free (/lib/x86_64-linux-gnu/libasan.so.5+0x9fa7c) in vsnprintf
Shadow bytes around the buggy address:
0x0c2e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2e7fff8020: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
0x0c2e7fff8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fff8060: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1676569==ABORTING
PoC:
heap.pcap.zip
The text was updated successfully, but these errors were encountered: