Wireshark-bugs: [Wireshark-bugs] [Bug 12437] New: Crash (use-after-free) when sorting a column i
Date: Thu, 12 May 2016 17:58:17 +0000
Bug ID 12437
Summary Crash (use-after-free) when sorting a column in the SIP Statistics dialog (SimpleStatisticsDialog)
Product Wireshark
Version 2.0.3
Hardware All
OS All
Status CONFIRMED
Severity Major
Priority Low
Component Qt UI
Assignee bugzilla-admin@wireshark.org
Reporter peter@lekensteyn.nl

Build Information:
Wireshark 2.0.3

Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.6.0, with libpcap, with POSIX capabilities (Linux),
with libnl 3, with libz 1.2.8, with GLib 2.48.0, without SMI, with c-ares
1.11.0, with Lua 5.2, with GnuTLS 3.4.11, with Gcrypt 1.7.0, with MIT Kerberos,
with GeoIP, with QtMultimedia, without AirPcap.

Running on Linux 4.5.3-1-ARCH, with locale C, with libpcap version 1.7.4, with
libz 1.2.8, with GnuTLS 3.4.11, with Gcrypt 1.7.0.
Intel(R) Core(TM) i5 CPU       M 560  @ 2.67GHz (with SSE4.2)

Built using gcc 5.3.0.

Also reproduced with v2.1.0rc0-3022-ge578ac7
--
When a dialog is created, TapParameterDialog::setRetapOnShow is called which
will invoke TapParameterDialog::on_applyFilterButton_clicked via a signal.

This method will invoke free_stat_tables which clears all tables in a dialog
(SIP Responses/Requests for example in SIP Statistics). When trying to sort
columns, a heap-use-after-free occurs.

I tried the below patch that delays freeing the dialog contents, but with
multiple dialogs of the same type (SIP Statistics) a use-after-free can still
occur. Is ((stat_tap_table_ui*)stu_)->tables somehow shared between simple
dialogs of the same type? (This was the case for GTK+, but I cannot see this
quickly in Qt.)

diff --git a/ui/qt/simple_statistics_dialog.cpp
b/ui/qt/simple_statistics_dialog.cpp
index 7e46086..f699473 100644
--- a/ui/qt/simple_statistics_dialog.cpp
+++ b/ui/qt/simple_statistics_dialog.cpp
@@ -262,2 +262,7 @@ void SimpleStatisticsDialog::fillTree()

+    // Clear the previous contents
+    if (stu_->tables) {
+        free_stat_tables(stu_, NULL, NULL);
+    }
+
     stu_->stat_tap_init_cb(stu_, NULL, NULL);
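Review bot: the free_stat_tables() call added at the top of fillTree() is the very free the ASAN trace below attributes the dangling region to (simple_statistics_dialog.cpp:265, reached from on_applyFilterButton_clicked), so this hunk changes when stu_->tables disappears but not who still points into it. SimpleStatisticsTreeWidgetItem objects built from those rows by an earlier fill, in this dialog before a retap or in another dialog of the same type if the tables are shared through the stat_tap_table_ui, keep reading through them in operator<. Either clear the tree widget before calling free_stat_tables() here, or have the items copy the cells they compare on so that sorting never dereferences table memory.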
@@ -272,3 +277,2 @@ void SimpleStatisticsDialog::fillTree()
                              tapDraw)) {
-        free_stat_tables(stu_, NULL, NULL);
         reject(); // XXX Stay open instead?
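Review bot: removing free_stat_tables() from this error path leaves the tables that stat_tap_init_cb() has just allocated alive when the dialog calls reject(); unless the destructor releases stu_->tables, a failed tap-listener registration now leaks them. If the plan is to defer all freeing to close time, make sure the close/destructor path actually frees and keep this early exit consistent with it.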
@@ -287,3 +291,3 @@ void SimpleStatisticsDialog::fillTree()
     removeTapListeners();
-    free_stat_tables(stu_, NULL, NULL);
+    // TODO free_stat_tables(stu_, NULL, NULL) when dialog is closed?
 }
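Review bot: the TODO leaves the tables with no owner that ever frees them; after this change nothing in fillTree() releases stu_->tables, so a dialog that is closed without a further retap leaks its tables, and one that is retapped relies solely on the free at the start of fillTree(). Implement the close-time free (destructor or closeEvent) before landing this, and if the tables really are shared between dialogs of the same type, as the description suspects, that free must run only when the last such dialog closes (reference count them, or give each dialog its own tables).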


Steps to reproduce:

 1. Open aaa.pcap from SampleCaptures wiki
 2. Open Telephony -> SIP Statistics twice
 3. In the old window, try to sort by columns.

Expected results:
Sorting should work.

Actual results:
A heap-use-after-free occurs. An ASAN trace (with above patch) can be found
below. (Without the patch the trace is still similar, but then it will already
blow up with just one dialog).

==7846==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d00084b310
at pc 0x555557b8805a bp 0x7fffffffc7b0 sp 0x7fffffffc7a0
READ of size 4 at 0x60d00084b310 thread T0
    #0 0x555557b88059 in
SimpleStatisticsTreeWidgetItem::operator<(QTreeWidgetItem const&) const
ui/qt/simple_statistics_dialog.cpp:107
<...lots of Qt internals, it is a triggered by a signal...>

0x60d00084b310 is located 48 bytes inside of 144-byte region
[0x60d00084b2e0,0x60d00084b370)
freed by thread T0 here:
    #0 0x7ffff6efea20 in __interceptor_free
/build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:28
    #1 0x7fffebe8942f in free_stat_tables epan/stat_tap_ui.c:278
    #2 0x555557b84a59 in SimpleStatisticsDialog::fillTree()
ui/qt/simple_statistics_dialog.cpp:265
    #3 0x555557be966f in TapParameterDialog::on_applyFilterButton_clicked()
ui/qt/tap_parameter_dialog.cpp:532
    #4 0x555557efcc3e in TapParameterDialog::qt_static_metacall(QObject*,
QMetaObject::Call, int, void**) ui/qt/moc_tap_parameter_dialog.cpp:116
    #5 0x7fffe1042178 in QObject::event(QEvent*)
(/usr/lib/libQt5Core.so.5+0x2af178)
    #6 0x7fffe1d8148a in QWidget::event(QEvent*)
(/usr/lib/libQt5Widgets.so.5+0x19a48a)

previously allocated by thread T0 here:
    #0 0x7ffff6efef10 in __interceptor_calloc
/build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:54
    #1 0x7ffff65f6440 in g_malloc0 (/usr/lib/libglib-2.0.so.0+0x4f440)
    #2 0x7fffeadbfc11 in sip_stat_init epan/dissectors/packet-sip.c:4871
    #3 0x555557b84ce8 in SimpleStatisticsDialog::fillTree()
ui/qt/simple_statistics_dialog.cpp:268
    #4 0x555557be966f in TapParameterDialog::on_applyFilterButton_clicked()
ui/qt/tap_parameter_dialog.cpp:532
    #5 0x555557efcc3e in TapParameterDialog::qt_static_metacall(QObject*,
QMetaObject::Call, int, void**) ui/qt/moc_tap_parameter_dialog.cpp:116
    #6 0x7fffe1042178 in QObject::event(QEvent*)
(/usr/lib/libQt5Core.so.5+0x2af178)
    #7 0x7fffe1d8148a in QWidget::event(QEvent*)
(/usr/lib/libQt5Widgets.so.5+0x19a48a)

SUMMARY: AddressSanitizer: heap-use-after-free
ui/qt/simple_statistics_dialog.cpp:107 in
SimpleStatisticsTreeWidgetItem::operator<(QTreeWidgetItem const&) const


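As an added illustration (not Wireshark code, and not the reporter's patch), the following models the ownership fix the report is circling around: a table shared by several dialogs of the same kind, tree items that snapshot the cells they sort on so operator< never reads table memory, and shared ownership so the table is released only when the last dialog closes. StatRow, StatTable, TreeItem, Dialog and runScenario are hypothetical stand-ins for the stat_tap_table_ui rows, SimpleStatisticsTreeWidgetItem and SimpleStatisticsDialog; the sample rows are constructed, not taken from aaa.pcap.

```cpp
// Added example, not Wireshark code. Stand-in types (StatRow, StatTable,
// TreeItem, Dialog) model the ownership problem behind bug 12437.
#include <algorithm>
#include <cstdint>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Stand-in for the rows behind stat_tap_table_ui->tables.
struct StatRow {
    std::string label;
    uint32_t count;
};

struct StatTable {
    std::vector<StatRow> rows;
};

// Stand-in for SimpleStatisticsTreeWidgetItem. The reported crash is an item
// reading through a pointer into the table inside operator<; this item copies
// the cell at fill time, so sorting never touches table memory at all.
struct TreeItem {
    std::string label;
    uint32_t count;
    bool operator<(const TreeItem &other) const { return count < other.count; }
};

class Dialog {
public:
    explicit Dialog(std::shared_ptr<StatTable> table) : table_(std::move(table)) {}

    // fillTree(): rebuild the items from the table. A retap calls this again;
    // old items are replaced, and no table memory is freed here.
    void fillTree() {
        items_.clear();
        for (const StatRow &r : table_->rows) items_.push_back({r.label, r.count});
    }

    // Sorting (step 3 of the report) works on the snapshot only.
    std::vector<std::string> sortedLabels() {
        std::sort(items_.begin(), items_.end());
        std::vector<std::string> out;
        for (const TreeItem &it : items_) out.push_back(it.label);
        return out;
    }

    // Closing drops this dialog's reference; the table is deleted when the
    // last dialog of this type lets go, never while another one displays it.
    void close() {
        items_.clear();
        table_.reset();
    }

private:
    std::shared_ptr<StatTable> table_;
    std::vector<TreeItem> items_;
};

// Set by the deleter so a caller can observe when the table is freed.
static bool g_tableFreed = false;

std::shared_ptr<StatTable> makeTable() {
    // Constructed sample data in the shape SIP Statistics shows: label and hit count.
    auto *t = new StatTable{{{"INVITE", 12}, {"ACK", 7}, {"BYE", 3}, {"200 OK", 15}}};
    g_tableFreed = false;
    return std::shared_ptr<StatTable>(t, [](StatTable *p) {
        g_tableFreed = true;
        delete p;
    });
}

struct ScenarioResult {
    std::vector<std::string> sortedInOldWindow;  // order seen by the first dialog
    bool freedAfterSecondClose;                  // false: first dialog still shows it
    bool freedAfterFirstClose;                   // true: last owner is gone
};

// Replays the reporter's steps: open two dialogs on the same table, close one,
// sort in the old one, then close it.
ScenarioResult runScenario() {
    ScenarioResult r{};
    std::shared_ptr<StatTable> shared = makeTable();
    Dialog first(shared), second(shared);
    shared.reset();     // from here on only the dialogs own the table
    first.fillTree();
    second.fillTree();  // in the reported bug this is where the tables were freed
    second.close();
    r.freedAfterSecondClose = g_tableFreed;
    r.sortedInOldWindow = first.sortedLabels();
    first.close();
    r.freedAfterFirstClose = g_tableFreed;
    return r;
}

int main() {
    ScenarioResult r = runScenario();
    for (const std::string &l : r.sortedInOldWindow) std::cout << l << '\n';
    std::cout << "freed after second close: " << r.freedAfterSecondClose
              << ", after first close: " << r.freedAfterFirstClose << '\n';
    return 0;
}
```

The two properties that matter map directly onto the report: the old window sorts correctly after the newer one is closed because its items own their cells, and the table is freed exactly once, after the last dialog, rather than on every retap of any dialog.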