[Wireshark-bugs] [Bug 12050] New: LUA: TVBs backing a data source is freed too early

| Field | Value |
|---|---|
| Bug ID | 12050 |
| Summary | LUA: TVBs backing a data source is freed too early |
| Product | Wireshark |
| Version | 2.1.x (Experimental) |
| Hardware | All |
| OS | All |
| Status | CONFIRMED |
| Severity | Major |
| Priority | Low |
| Component | Dissection engine (libwireshark) |
| Assignee | bugzilla-admin@wireshark.org |
| Reporter | peter@lekensteyn.nl |
| CC | hadrielk@yahoo.com |

Created attachment 14279
LUA dissector reproducing the UAF
Build Information:
Wireshark 2.1.0 (v2.1.0rc0-1688-g4d258e8 from unknown)
Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with Qt 5.5.1, with libpcap, with POSIX capabilities (Linux),
with libnl 3, with libz 1.2.8, with GLib 2.46.2, without SMI, without c-ares,
without ADNS, with Lua 5.2, with GnuTLS 3.4.8, with Gcrypt 1.6.4, with MIT
Kerberos, with GeoIP, with QtMultimedia, without AirPcap.
Running on Linux 4.3.0-custom, with locale C, with libpcap version 1.7.4, with
libz 1.2.8, with GnuTLS 3.4.8, with Gcrypt 1.6.4.
Intel(R) Core(TM) i5 CPU       M 560  @ 2.67GHz (with SSE4.2)
Built using clang 4.2.1 Compatible Clang 3.7.1 (tags/RELEASE_371/final).
--
The TVBs backing a data source are deallocated too early for LUA dissectors.
This results in a use-after-free when the data source is selected. (When the
TVB is GC'd and the packet is finished dissecting, the tvb is freed.)
Steps to reproduce:
 1. Load the attached LUA dissector and any pcap with at least two packets:
        wireshark -Xlua_script:tvb-datasource.lua -r some.pcap
 2. Select the second packet.
 3. Select the generated data source tab in the byte view ("Data source name").
 4. Use-after-free occurs (crash for an ASAN build, continuously changing bytes
when hovering over the hex display for others.)
The attached LUA dissector uses this construct to create a new data source (in
real world, some decrypted data was added in place of "X"):
    ByteArray.new("X", true):tvb("Data source name")
In my original dissector, use-after-free would occur with "large" (>= 112
bytes) data; this apparently happened due to LUA's automatic garbage collector.
Adding "collectgarbage" as done in the attached dissector helps reproducing
this more consistently.
Happens with both GTK+ and Qt, also occurs in Wireshark 2.0.1.
Bug 10888 proposed to tie wmem-alloced memory to the pinfo scope; is that
feasible?
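The following Lua post-dissector is an added example that assembles the construct and the forced garbage collection described in the report into one loadable script; it is not attachment 14279 and not Wireshark project code. The protocol name `tvbds`, the field `tvbds.payload`, the helper `fake_decrypted` (a constructed 128-byte stand-in for the "decrypted data" the reporter mentions, chosen to be above the 112-byte size the report observed) and the `KEEP_ALIVE` switch are all assumptions made for this example. The `KEEP_ALIVE` branch is an assumed check, not something the report states: if pinning the `ByteArray` in a Lua table makes the byte view stable, that supports the report's diagnosis that the Tvb's backing memory is released when the Lua object is collected.

```lua
-- tvb-datasource-repro.lua (added example modelled on the report; not the
-- attached script). Load with:
--   wireshark -Xlua_script:tvb-datasource-repro.lua -r some.pcap
-- then select a packet and open the "Data source name" byte-view tab.

-- Assumed check (not from the report): keep each frame's ByteArray referenced so
-- the Lua GC cannot collect it. Set to true to see whether the unstable bytes
-- go away, which isolates the GC-driven free as the cause.
local KEEP_ALIVE = false
local keep = {}  -- frame number -> ByteArray, used only when KEEP_ALIVE is true

local proto = Proto("tvbds", "TVB data source reproducer")
local f_payload = ProtoField.bytes("tvbds.payload", "Generated payload")
proto.fields = { f_payload }

-- Constructed stand-in for "decrypted data": 128 bytes derived from the frame
-- number, above the >= 112-byte size at which the reporter saw the problem.
local function fake_decrypted(frame)
  local bytes = {}
  for i = 1, 128 do
    bytes[i] = string.char((frame + i) % 256)
  end
  return table.concat(bytes)
end

function proto.dissector(tvb, pinfo, tree)
  -- Second argument true: the string is raw bytes, not a hex string.
  local ba = ByteArray.new(fake_decrypted(pinfo.number), true)

  -- ByteArray:tvb() creates a new Tvb and registers it as a data source, which
  -- is what produces the extra tab in the byte view.
  local ds = ba:tvb("Data source name")
  local sub = tree:add(proto, ds())
  sub:add(f_payload, ds())

  if KEEP_ALIVE then
    keep[pinfo.number] = ba
  end

  -- Force a full GC cycle right away. With no remaining reference the ByteArray
  -- (and the Tvb backed by it) is collected here, which the report says makes
  -- the use-after-free reproduce consistently instead of only for large data.
  collectgarbage("collect")
end

register_postdissector(proto)
```

Run it against an ASAN build to get a hard failure at the point of the bad read rather than the silently changing bytes a release build shows; the `keep` table is never pruned, which is acceptable for a throwaway reproducer but not for a real dissector.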