bug-ncurses

Bug: A heap-buffer-overflow in save_text of ncurses-6.1


From: 乐泰
Subject: Bug: A heap-buffer-overflow in save_text of ncurses-6.1
Date: Sat, 1 Aug 2020 13:01:50 +0800 (GMT+08:00)

Reporter: Tai

Version: ncurses-6.1

Command: infotocap PoC

Environment: Ubuntu 16.04 x86-64

Detailed information: we found a heap-buffer-overflow bug in the function save_text of ncurses-6.1 by fuzzing. We compiled ncurses-6.1 with AddressSanitizer on x86-64 and obtained the report below by executing infotocap PoC. The PoC file is attached.

==12235==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000000 at pc 0x00000044b4d4 bp 0x7ffcce3d9a90 sp 0x7ffcce3d9240
READ of size 5 at 0x619000000000 thread T0
    #0 0x44b4d3 in __interceptor_strlen.part.30 /home/ubuntu/kxd/tools/llvm-4.0/llvm-4.0.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:284
    #1 0x548bcb in save_text /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/lib_tparm.c:139:20
    #2 0x546526 in tparam_internal /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/lib_tparm.c:610:3
    #3 0x5452fe in tparm /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/lib_tparm.c:849:14
    #4 0x553846 in set_attribute_9 /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/trim_sgr0.c:54:13
    #5 0x552e74 in _nc_trim_sgr0 /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/trim_sgr0.c:244:13
    #6 0x529888 in fmt_entry /home/ubuntu/kxd_ncurses-6.1/build/progs/../../progs/dump_entry.c:1054:22
    #7 0x52e827 in dump_entry /home/ubuntu/kxd_ncurses-6.1/build/progs/../../progs/dump_entry.c:1514:10
    #8 0x50b6a9 in main /home/ubuntu/kxd_ncurses-6.1/build/progs/../../progs/tic.c:1035:7
    #9 0x7fb3333e3b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41a029 in _start (/home/ubuntu/kxd_ncurses-6.1/ncurses-install/bin/tic+0x41a029)

0x619000000000 is located 128 bytes to the left of 1024-byte region [0x619000000080,0x619000000480)
freed by thread T0 here:
    #0 0x4cfa95 in realloc /home/ubuntu/kxd/tools/llvm-4.0/llvm-4.0.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:79
    #1 0x53b297 in _nc_doalloc /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/doalloc.c:50:14
    #2 0x5687ad in next_char /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/comp_scan.c:202:16
    #3 0x566513 in _nc_get_token /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/comp_scan.c:396:18
    #4 0x56cfe4 in _nc_parse_entry /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/parse_entry.c:302:16
    #5 0x563942 in _nc_read_entry_source /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/comp_parse.c:225:6
    #6 0x50ac8c in main /home/ubuntu/kxd_ncurses-6.1/build/progs/../../progs/tic.c:961:5
    #7 0x7fb3333e3b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310

previously allocated by thread T0 here:
    #0 0x4cf670 in malloc /home/ubuntu/kxd/tools/llvm-4.0/llvm-4.0.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x53b30a in _nc_doalloc /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/doalloc.c:55:9
    #2 0x5687ad in next_char /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/comp_scan.c:202:16
    #3 0x566513 in _nc_get_token /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/comp_scan.c:396:18
    #4 0x56a579 in _nc_parse_entry /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/parse_entry.c:231:18
    #5 0x563942 in _nc_read_entry_source /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/comp_parse.c:225:6
    #6 0x50ac8c in main /home/ubuntu/kxd_ncurses-6.1/build/progs/../../progs/tic.c:961:5
    #7 0x7fb3333e3b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/kxd/tools/llvm-4.0/llvm-4.0.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:284 in __interceptor_strlen.part.30
Shadow bytes around the buggy address:
  0x0c327fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8000:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12235==ABORTING

Attachment: id:000332,sig:11,src:005647,op:havoc,rep:32
Description: Binary data
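Added triage helper (not part of the report or of the ncurses project): a small Python parser that splits an AddressSanitizer report of the shape above into its error header and its access, freed-by and allocated-by stacks, and picks out the first frame that belongs to the target rather than the sanitizer runtime, which is the frame a maintainer looks at first. The embedded sample is a constructed, abridged copy of the trace above with directory prefixes shortened; the runtime-frame heuristic (function prefix and file-name markers) is an assumption of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: an abridged copy of the report above, with paths shortened.
SAMPLE = """\
==12235==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000000 at pc 0x00000044b4d4 bp 0x7ffcce3d9a90 sp 0x7ffcce3d9240
READ of size 5 at 0x619000000000 thread T0
    #0 0x44b4d3 in __interceptor_strlen.part.30 compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:284
    #1 0x548bcb in save_text ncurses/tinfo/lib_tparm.c:139:20
    #2 0x546526 in tparam_internal ncurses/tinfo/lib_tparm.c:610:3
freed by thread T0 here:
    #0 0x4cfa95 in realloc compiler-rt/lib/asan/asan_malloc_linux.cc:79
    #1 0x53b297 in _nc_doalloc ncurses/tinfo/doalloc.c:50:14
previously allocated by thread T0 here:
    #0 0x4cf670 in malloc compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x53b30a in _nc_doalloc ncurses/tinfo/doalloc.c:55:9
SUMMARY: AddressSanitizer: heap-buffer-overflow compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:284 in __interceptor_strlen.part.30
"""

FRAME_RE = re.compile(r"^\s+#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
RUNTIME = ("sanitizer_common", "asan_")  # assumed file-name markers of the ASan runtime

def parse_asan_report(text: str) -> Dict:
    """Extract the error kind, faulting address, access, and the named stack traces."""
    report: Dict = {"kind": None, "address": None, "access": None, "stacks": {}}
    current: List[Tuple[str, str]] = []  # frames of the section currently being read
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            report["kind"], report["address"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(line):
            report["access"] = (m.group(1), int(m.group(2)))
            current = report["stacks"].setdefault("access", [])
        elif line.startswith("freed by"):
            current = report["stacks"].setdefault("freed", [])
        elif line.startswith("previously allocated by"):
            current = report["stacks"].setdefault("allocated", [])
        elif m := FRAME_RE.match(line):
            # Keep only basename:line; drop directories and the trailing column number.
            file_line = ":".join(m.group(3).rsplit("/", 1)[-1].split(":")[:2])
            current.append((m.group(2), file_line))
    return report

def first_project_frame(frames: List[Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """First frame outside the sanitizer runtime: where the fault surfaces in the target."""
    for func, file_line in frames:
        if not func.startswith("__interceptor_") and not any(r in file_line for r in RUNTIME):
            return func, file_line
    return None
```

For this report the helper points at save_text (lib_tparm.c:139) for the read, and at _nc_doalloc (doalloc.c:50 and :55) for both the realloc that freed the region and the original malloc, which is the first thing to check when reasoning about a stale pointer across a realloc.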

