Wireshark-bugs: [Wireshark-bugs] [Bug 10987] New: double-free and use-after-free since "Call pre
Date: Sat, 21 Feb 2015 10:13:42 +0000
Bug ID 10987
Summary double-free and use-after-free since "Call pre_init_prefs each time our profile changes"
Product Wireshark
Version Git
Hardware All
OS All
Status UNCONFIRMED
Severity Major
Priority Low
Component TShark
Assignee bugzilla-admin@wireshark.org
Reporter peter@lekensteyn.nl
CC gerald@wireshark.org

Build Information:
v1.99.3rc0-238-g5012cf8
--
commit 5012cf84e6d84a448171dac64c14d9c83e3d4ae6 ("Call pre_init_prefs each time
our profile changes") results in a double-free when exiting tshark and
heap-use-after-free errors in wireshark-gtk/wireshark.

tshark
=================================================================
==602==ERROR: AddressSanitizer: attempting double-free on 0x607000069b80 in
thread T0:
    #0 0x7f8f0577652f in __interceptor_free (/usr/lib/libasan.so.1+0x5752f)
    #1 0x7f8efaa9375f in colorized_frame_free_cb epan/prefs.c:1965
    #2 0x7f8efaa8a8e8 in free_pref epan/prefs.c:248
    #3 0x7f8ef3ce310c in g_list_foreach (/usr/lib/libglib-2.0.so.0+0x4710c)
    #4 0x7f8efaa8a9b5 in free_module_prefs epan/prefs.c:259
    #5 0x7f8efaa8ba34 in call_foreach_cb epan/prefs.c:605
    #6 0x7f8efabcfd49 in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:643
    #7 0x7f8efabcfecd in wmem_tree_foreach epan/wmem/wmem_tree.c:666
    #8 0x7f8efabcfcef in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:640
    #9 0x7f8efabcfecd in wmem_tree_foreach epan/wmem/wmem_tree.c:666
    #10 0x7f8efabcfcef in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:640
    #11 0x7f8efabcfecd in wmem_tree_foreach epan/wmem/wmem_tree.c:666
    #12 0x7f8efaa8bbdf in prefs_module_list_foreach epan/prefs.c:622
    #13 0x7f8efaa8bd98 in prefs_modules_foreach_submodules epan/prefs.c:671
    #14 0x7f8efaa8ab0b in free_module_prefs epan/prefs.c:265
    #15 0x7f8efaa8ba34 in call_foreach_cb epan/prefs.c:605
    #16 0x7f8efabcfd49 in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:643
    #17 0x7f8efabcfecd in wmem_tree_foreach epan/wmem/wmem_tree.c:666
    #18 0x7f8efabcfcef in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:640
    #19 0x7f8efabcfdfe in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:651
    #20 0x7f8efabcfdfe in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:651
    #21 0x7f8efabcfc2a in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:634
    #22 0x7f8efabcfc2a in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:634
    #23 0x7f8efabcfc2a in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:634
    #24 0x7f8efabcfdfe in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:651
    #25 0x7f8efabcfecd in wmem_tree_foreach epan/wmem/wmem_tree.c:666
    #26 0x7f8efaa8bbdf in prefs_module_list_foreach epan/prefs.c:622
    #27 0x7f8efaa8bd1a in prefs_modules_foreach epan/prefs.c:654
    #28 0x7f8efaa8ab27 in prefs_cleanup epan/prefs.c:281
    #29 0x7f8efaa3ce07 in epan_cleanup epan/epan.c:132
    #30 0x419894 in main tshark.c:2260
    #31 0x7f8ef2c507ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #32 0x40a728 in _start (/tmp/wsbuild/run/tshark+0x40a728)

0x607000069b80 is located 0 bytes inside of 70-byte region
[0x607000069b80,0x607000069bc6)
freed by thread T0 here:
    #0 0x7f8f0577652f in __interceptor_free (/usr/lib/libasan.so.1+0x5752f)
    #1 0x7f8efaa9693d in pre_init_prefs epan/prefs.c:2913
    #2 0x7f8efaa96603 in init_prefs epan/prefs.c:2842
    #3 0x7f8efaa97d1b in read_prefs epan/prefs.c:3182
    #4 0x416931 in main tshark.c:1276
    #5 0x7f8ef2c507ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

previously allocated by thread T0 here:
    #0 0x7f8f057767a7 in malloc (/usr/lib/libasan.so.1+0x577a7)
    #1 0x7f8ef3ceccf1 in g_malloc (/usr/lib/libglib-2.0.so.0+0x50cf1)
    #2 0x7f8ef3d05d6f in g_strdup (/usr/lib/libglib-2.0.so.0+0x69d6f)
    #3 0x7f8efaa96903 in pre_init_prefs epan/prefs.c:2912
    #4 0x7f8efaa96603 in init_prefs epan/prefs.c:2842
    #5 0x7f8efaa97d1b in read_prefs epan/prefs.c:3182
    #6 0x416931 in main tshark.c:1276
    #7 0x7f8ef2c507ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

SUMMARY: AddressSanitizer: double-free ??:0 __interceptor_free
==602==ABORTING


wireshark-gtk
=================================================================
==614==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700010b4b0
at pc 0x7f2ff201da90 bp 0x7fff3f094f20 sp 0x7fff3f094ef0
READ of size 2 at 0x60700010b4b0 thread T0
    #0 0x7f2ff201da8f in strlen (/usr/lib/libasan.so.1+0x33a8f)
    #1 0x42dc1c in color_filters_add_tmp color_filters.c:100
    #2 0x42f302 in color_filters_init color_filters.c:290
    #3 0x48a587 in main ui/gtk/main.c:3068
    #4 0x7f2fdd2e57ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #5 0x4242f8 in _start (/tmp/wsbuild/run/wireshark-gtk+0x4242f8)

0x60700010b4b0 is located 0 bytes inside of 70-byte region
[0x60700010b4b0,0x60700010b4f6)
freed by thread T0 here:
    #0 0x7f2ff204152f in __interceptor_free (/usr/lib/libasan.so.1+0x5752f)
    #1 0x7f2fe56ab93d in pre_init_prefs epan/prefs.c:2913
    #2 0x7f2fe56ab603 in init_prefs epan/prefs.c:2842
    #3 0x7f2fe56acd1b in read_prefs epan/prefs.c:3182
    #4 0x4874ce in read_configuration_files ui/gtk/main.c:1996
    #5 0x488835 in main ui/gtk/main.c:2533
    #6 0x7f2fdd2e57ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

previously allocated by thread T0 here:
    #0 0x7f2ff20417a7 in malloc (/usr/lib/libasan.so.1+0x577a7)
    #1 0x7f2ff05b3cf1 in g_malloc (/usr/lib/libglib-2.0.so.0+0x50cf1)
    #2 0x7f2ff05ccd6f in g_strdup (/usr/lib/libglib-2.0.so.0+0x69d6f)
    #3 0x7f2fe56ab903 in pre_init_prefs epan/prefs.c:2912
    #4 0x7f2fe56ab603 in init_prefs epan/prefs.c:2842
    #5 0x7f2fe56acd1b in read_prefs epan/prefs.c:3182
    #6 0x4874ce in read_configuration_files ui/gtk/main.c:1996
    #7 0x488835 in main ui/gtk/main.c:2533
    #8 0x7f2fdd2e57ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 strlen



wireshark (QT)
=================================================================
==692==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070002085c0
at pc 0x7faab4b11a90 bp 0x7fff52053930 sp 0x7fff52053900
READ of size 2 at 0x6070002085c0 thread T0
    #0 0x7faab4b11a8f in strlen (/usr/lib/libasan.so.1+0x33a8f)
    #1 0x5229c8 in color_filters_add_tmp color_filters.c:100
    #2 0x5240ae in color_filters_init color_filters.c:290
    #3 0x517ebf in main wireshark-qt.cpp:1308
    #4 0x7faaa03b77ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #5 0x514c18 in _start (/tmp/wsbuild/run/wireshark+0x514c18)

0x6070002085c0 is located 0 bytes inside of 70-byte region
[0x6070002085c0,0x607000208606)
freed by thread T0 here:
    #0 0x7faab4b3552f in __interceptor_free (/usr/lib/libasan.so.1+0x5752f)
    #1 0x7faaa9b4793d in pre_init_prefs epan/prefs.c:2913
    #2 0x7faaa9b47603 in init_prefs epan/prefs.c:2842
    #3 0x7faaa9b48d1b in read_prefs epan/prefs.c:3182
    #4 0x6d765e in WiresharkApplication::readConfigurationFiles(char**, char**)
ui/qt/wireshark_application.cpp:691
    #5 0x5164a4 in main wireshark-qt.cpp:843
    #6 0x7faaa03b77ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

previously allocated by thread T0 here:
    #0 0x7faab4b357a7 in malloc (/usr/lib/libasan.so.1+0x577a7)
    #1 0x7faab4820cf1 in g_malloc (/usr/lib/libglib-2.0.so.0+0x50cf1)
    #2 0x7faab4839d6f in g_strdup (/usr/lib/libglib-2.0.so.0+0x69d6f)
    #3 0x7faaa9b47903 in pre_init_prefs epan/prefs.c:2912
    #4 0x7faaa9b47603 in init_prefs epan/prefs.c:2842
    #5 0x7faaa9b48d1b in read_prefs epan/prefs.c:3182
    #6 0x6d765e in WiresharkApplication::readConfigurationFiles(char**, char**)
ui/qt/wireshark_application.cpp:691
    #7 0x5164a4 in main wireshark-qt.cpp:843
    #8 0x7faaa03b77ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 strlen


You are receiving this mail because:
  • You are watching all bug changes.