Wireshark-bugs: [Wireshark-bugs] [Bug 12050] New: LUA: TVBs backing a data source is freed too e
Bug ID |
12050
|
Summary |
LUA: TVBs backing a data source is freed too early
|
Product |
Wireshark
|
Version |
2.1.x (Experimental)
|
Hardware |
All
|
OS |
All
|
Status |
CONFIRMED
|
Severity |
Major
|
Priority |
Low
|
Component |
Dissection engine (libwireshark)
|
Assignee |
bugzilla-admin@wireshark.org
|
Reporter |
peter@lekensteyn.nl
|
CC |
hadrielk@yahoo.com
|
Created attachment 14279 [details]
LUA dissector reproducing the UAF
Build Information:
Wireshark 2.1.0 (v2.1.0rc0-1688-g4d258e8 from unknown)
Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with Qt 5.5.1, with libpcap, with POSIX capabilities (Linux),
with libnl 3, with libz 1.2.8, with GLib 2.46.2, without SMI, without c-ares,
without ADNS, with Lua 5.2, with GnuTLS 3.4.8, with Gcrypt 1.6.4, with MIT
Kerberos, with GeoIP, with QtMultimedia, without AirPcap.
Running on Linux 4.3.0-custom, with locale C, with libpcap version 1.7.4, with
libz 1.2.8, with GnuTLS 3.4.8, with Gcrypt 1.6.4.
Intel(R) Core(TM) i5 CPU M 560 @ 2.67GHz (with SSE4.2)
Built using clang 4.2.1 Compatible Clang 3.7.1 (tags/RELEASE_371/final).
--
The TVBs backing a data source are deallocated too early for LUA dissectors.
This results in a use-after-free when the data source is selected. (When the
TVB is GC'd and the packet is finished dissecting, the tvb is freed.)
Steps to reproduce:
1. Load the attached LUA dissector and any pcap with at least two packets:
wireshark -Xlua_script:tvb-datasource.lua -r some.pcap
2. Select the second packet.
3. Select the generated data source tab in the byte view ("Data source name")
4. Use-after-free occurs (crash for an ASAN build, continuously changing bytes
when hovering over the hex display for others.)
The attached LUA dissector uses this construct to create a new data source (in
real world, some decrypted data was added in place of "X"):
ByteArray.new("X", true):tvb("Data source name")
In my original dissector, use-after-free would occur with "large" (>= 112
bytes) data, this apparently happened due to LUA's automatic garbage collector.
Adding "collectgarbage" as done in the attached dissector helps reproducing
this more consistently.
Happens with both GTK+ and Qt, also occurs in Wireshark 2.0.1.
Bug 10888 proposed to tie wmem-alloced memory to the pinfo scope, is that
feasible?
You are receiving this mail because:
- You are watching all bug changes.