Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Heap use after free #11

Closed
C0NSTANTINE110 opened this issue Jun 30, 2021 · 4 comments
Closed

Heap use after free #11

C0NSTANTINE110 opened this issue Jun 30, 2021 · 4 comments
Assignees
@infrastation
Labels
bug

Comments

@C0NSTANTINE110
Copy link

Tested on:

version 1.5-PRE-GIT
version 1.2a3

Command:

tcpslice -w a.txt heap.pcap
Segmentation fault

Results:

==1676569==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000000160 at pc 0x7ffff761fa7d bp 0x7fffffffd700 sp 0x7fffffffce90
WRITE of size 56 at 0x617000000160 thread T0
#0 0x7ffff761fa7c in vsnprintf (/lib/x86_64-linux-gnu/libasan.so.5+0x9fa7c)
#1 0x7ffff7620036 in __snprintf_chk (/lib/x86_64-linux-gnu/libasan.so.5+0xa0036)
#2 0x7ffff75594ee in pcap_dump_open (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x244ee)
#3 0x555555559ea4 in extract_slice tcpslice.c:882
#4 0x555555559ea4 in main tcpslice.c:312
#5 0x7ffff736a0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#6 0x55555555eadd in _start (/home/constantine/tcpslice/tcpslice+0xaadd)

0x617000000160 is located 224 bytes inside of 664-byte region [0x617000000080,0x617000000318)
freed by thread T0 here:
#0 0x7ffff768d7cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
#1 0x555555559d8a in get_next_packet tcpslice.c:747
#2 0x555555559d8a in extract_slice tcpslice.c:879
#3 0x555555559d8a in main tcpslice.c:312

previously allocated by thread T0 here:
#0 0x7ffff768ddc6 in calloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
#1 0x7ffff7545bea (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x10bea)
#2 0x64656e696665646d ()

SUMMARY: AddressSanitizer: heap-use-after-free (/lib/x86_64-linux-gnu/libasan.so.5+0x9fa7c) in vsnprintf
Shadow bytes around the buggy address:
0x0c2e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2e7fff8020: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
0x0c2e7fff8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fff8060: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1676569==ABORTING

PoC:

heap.pcap.zip
@infrastation
Copy link
Member

Thank you for this report, I confirm it reproduces as described.

@infrastation infrastation self-assigned this Jul 10, 2021
infrastation added a commit that referenced this issue Dec 30, 2021
@infrastation
CVE-2021-41043: Fix a use-after-free in extract_slice().
030859f 
This issue was discovered by Mohammad Hosein Askari (@C0NSTANTINE110),
see GitHub issue #11.

In extract_slice() pcap_dump_open() takes a pcap_t argument to tell
which DLT to use for the output file.  This used to be the pcap_t of the
first input file, as main() requires at least one input file.  However,
the loop before pcap_dump_open() closes all, including the first, input
files that don't meet a test condition.  This way, when the first file
didn't meet the condition, the call to pcap_dump_open() would end up as
a use-after-free.  Make the pcap_dump_open() call before the loop, when
the first array element is always valid, and fix this problem.
@infrastation
Copy link
Member

This problem's identifier is CVE-2021-41043; a by-product of its debugging is four other confirmed or potential bugs. tcpslice release 1.5 should fix all of that. This should be sufficient to proceed with the formal CVE publication, let me try that. In future please send security bug reports to security@tcpdump.org instead of opening an issue in the public bug tracker.

@infrastation
Copy link
Member

CVE-2021-41043 has been published, see CVEProject/cvelist#3904. Closing as resolved.

@infrastation
Copy link
Member

For posterity, signed tcpslice tarballs are available at https://www.tcpdump.org/release/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@infrastation infrastation

Labels
bug
Milestone
No milestone
Development

No branches or pull requests
2 participants
@infrastation @C0NSTANTINE110