Wireshark-dev: [Wireshark-dev] Fuzz-test.sh crashes that can't be reproduced
From: Nora Sandler <nsandler@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 7 Dec 2016 16:07:45 -0800
Hi list!

I'm trying to do some fuzzing with fuzz-test.sh, and I'm seeing some strange behavior that I hope someone can help me figure out. For every pcap I try, I get a crash pretty quickly, usually in less than 10 passes. But then I can't reproduce the crash using test-captures.sh and the fuzzed output file. 

I'm seeing this behavior using my own pcaps as well as captures from https://wiki.wireshark.org/SampleCaptures#Sample_Captures. I'm running the latest code from the master branch on OS X 10.12. It seems like it's heap corruption related, since I stop getting crashes if I comment out the following lines in test-common.sh: 

export MallocCheckHeapStart=1000
export MallocCheckHeapEach=1000

Here's some sample output:

Fuzzing:

$ ./tools/fuzz-test.sh -b ./build/run/ ~/Downloads/dhcp.pcap
expr(15011,0x7fff9ab623c0) malloc: protecting edges
expr(15011,0x7fff9ab623c0) malloc: enabling scribbling to detect mods to free blocks
expr(15011,0x7fff9ab623c0) malloc: checks heap after 1000th operation and each 1000 operations
expr(15011,0x7fff9ab623c0) malloc: will abort on heap corruption
[...]
mv(15166,0x7fff9ab623c0) malloc: will abort on heap corruption
./tools/fuzz-test.sh: line 203: 15155 Segmentation fault: 11  (core dumped) "$RUNNER" $COMMON_ARGS $ARGS $TMP_DIR/$TMP_FILE > /dev/null 2>> $TMP_DIR/$ERR_FILE.$SUBSHELL_PID
[...]

 ERROR
Processing failed. Capture info follows:

  Input file: /Users/me/Downloads/dhcp.pcap
  Output file: /tmp/fuzz-2016-12-07-15007.pcap
  Pass: 6
[...]
stderr follows:

cat(15181,0x7fff9ab623c0) malloc: protecting edges
cat(15181,0x7fff9ab623c0) malloc: enabling scribbling to detect mods to free blocks
cat(15181,0x7fff9ab623c0) malloc: checks heap after 1000th operation and each 1000 operations
cat(15181,0x7fff9ab623c0) malloc: will abort on heap corruption
Input file: /Users/me/Downloads/dhcp.pcap

Build host information:
Darwin my-machine.local 16.1.0 Darwin Kernel Version 16.1.0: Thu Oct 13 21:26:57 PDT 2016; root:xnu-3789.21.3~60/RELEASE_X86_64 x86_64
[...]
Return value:  0

Dissector bug:  0

Valgrind error count:  0
[...]

And trying to reproduce the crash:

$ ./tools/test-captures.sh -b ./build/run /tmp/fuzz-2016-12-07-15007.pcap
Testing file /tmp/fuzz-2016-12-07-15007.pcap...
 - with tree... sh(15256,0x7fff9ab623c0) malloc: protecting edges
[...]
OK
[...]
 - without tree... sh(15262,0x7fff9ab623c0) malloc: protecting edges
[...]
OK
 - without tree but with a read filter... sh(15268,0x7fff9ab623c0) malloc: protecting edges
[...]
OK

Is this an actual memory corruption bug in wireshark? A problem with the fuzzing script? Or am I doing something wrong? I'd appreciate any suggestions you have.

Thanks,
Nora Sandler
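The following is an added example, not part of the Wireshark tools or of the message above. It is a small POSIX sh harness for re-running one fuzzed capture under the same macOS malloc-debugging environment that fuzz-test.sh's output shows (edge protection, scribbling, periodic heap checks, abort on corruption), repeated several times, with the child's exit status decoded so a signal death is reported as such rather than being lost behind a redirect. The function names, the run count and the tshark invocation in the comment are placeholders chosen here; the malloc variables are the ones documented in the macOS malloc(3) man page and are ignored by other allocators, so the script runs harmlessly elsewhere.

```shell
#!/bin/sh
# Added example: reproduce one fuzz case under the malloc checks used by
# fuzz-test.sh and decode the resulting exit status. Not Wireshark project code.

# Translate a shell exit status into a short verdict.
# A status above 128 means the child died from signal (status - 128).
describe_exit_status() {
    status="$1"
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -gt 128 ]; then
        sig=$((status - 128))
        case "$sig" in
            6)  echo "killed by signal 6 (SIGABRT: malloc heap check abort)" ;;
            11) echo "killed by signal 11 (SIGSEGV)" ;;
            *)  echo "killed by signal $sig" ;;
        esac
    else
        echo "exited with status $status"
    fi
}

# Run a command N times under the macOS malloc debugging settings seen in the
# fuzz-test.sh output (MallocGuardEdges = "protecting edges", MallocScribble =
# "scribbling", MallocCheckHeapStart/Each = periodic heap checks,
# MallocErrorAbort = "will abort on heap corruption"). Repeating matters: a
# periodic check only fires when the damaged block is inspected, so one clean
# run does not clear the file. Returns non-zero if any run failed.
repro_under_malloc_checks() {
    runs="$1"; shift
    failures=0
    i=1
    while [ "$i" -le "$runs" ]; do
        # env(1) passes the variables to the child without exporting them here.
        if env MallocGuardEdges=1 MallocScribble=1 \
               MallocCheckHeapStart=1000 MallocCheckHeapEach=1000 \
               MallocErrorAbort=1 "$@" >/dev/null 2>&1; then
            status=0
        else
            status=$?
        fi
        echo "run $i: $(describe_exit_status "$status")"
        if [ "$status" -ne 0 ]; then
            failures=$((failures + 1))
        fi
        i=$((i + 1))
    done
    [ "$failures" -eq 0 ]
}

# Usage (placeholder paths; use the same tshark arguments that fuzz-test.sh's
# $COMMON_ARGS $ARGS expand to, so the run matches the one that crashed):
#   repro_under_malloc_checks 20 ./build/run/tshark -nVxr /tmp/fuzz-XXXX.pcap
```

The point of matching both the environment and the argument list is that test-captures.sh may not invoke tshark the way fuzz-test.sh does; the `-V`/`-x` tree and hex-dump passes exercise more dissector code than a plain read, and the heap check cadence of every 1000 allocations means the same corruption can be caught in one run and missed in the next.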
