bug-ncurses

A heap-buffer-overflow in convert_strings


From: 乐泰
Subject: A heap-buffer-overflow in convert_strings
Date: Thu, 20 Aug 2020 11:10:42 +0800 (GMT+08:00)

Reporter: Tai

Version: ncurses-6.2

Command: toe

Environment: Ubuntu 16.04 x86-64

Detail Information: we have found a heap-buffer-overflow bug in the function convert_strings of ncurses-6.2. We compiled ncurses-6.2 with AddressSanitizer for x86-64 using these commands:
$cd ./ncurses-6.2
$mkdir asan-ins
$cd asan-ins
$AFL_USE_ASAN=1 CC=afl-gcc CXX=afl-g++ CFLAGS="-g3" CXXFLAGS="-g3" ../configure --prefix=`pwd`/bin --disable-stripping
$AFL_USE_ASAN=1 make
$AFL_USE_ASAN=1 sudo make install
Then we execute toe:
$./asan-ins/bin/bin/toe
And it reports:

=================================================================
==10095==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x616000036add at pc 0x00000040278c bp 0x7ffdd40b20d0 sp 0x7ffdd40b20c0
READ of size 1 at 0x616000036add thread T0
    #0 0x40278b in convert_strings ../../ncurses/tinfo/read_entry.c:164
    #1 0x41523c in _nc_read_termtype ../../ncurses/tinfo/read_entry.c:371
    #2 0x41523c in _nc_read_file_entry ../../ncurses/tinfo/read_entry.c:567
    #3 0x407914 in typelist ../../progs/toe.c:438
    #4 0x404359 in main ../../progs/toe.c:735
    #5 0x7fc3756b782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x4056b8 in _start (/home/ubuntu/yuetai/test_programs/ncurses-6.2/asan-ins/bin/bin/toe+0x4056b8)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../ncurses/tinfo/read_entry.c:164 convert_strings
Shadow bytes around the buggy address:
  0x0c2c7fffed00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fffed10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fffed20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fffed30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fffed40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2c7fffed50: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
  0x0c2c7fffed60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fffed70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fffed80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fffed90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fffeda0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==10095==ABORTING
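The trace above shows convert_strings reading one byte past a heap buffer while _nc_read_termtype walks a compiled terminfo entry. As an added illustration for readers of this thread (not ncurses code, not a reproduction of the reported input, and not an analysis of the actual defect at read_entry.c:164), the following C program shows the kind of bounds checking a converter of a terminfo-style string offset table needs: each 16-bit little-endian offset is checked against the string table size before the table is dereferenced, and a string that is not NUL-terminated inside the table is dropped rather than scanned past the end. The -1 (absent) and -2 (cancelled) markers follow the compiled terminfo format; the function and macro names are this example's own, and the sample offset table and string table are constructed.

```c
/* Added example for the bug-ncurses thread: bounds-checked conversion of a
 * terminfo-style string offset table into pointers. This is illustrative
 * code, not ncurses' convert_strings; only the format details (16-bit
 * little-endian offsets, 0xffff = absent, 0xfffe = cancelled) follow the
 * compiled terminfo layout. All names and sample data are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ABSENT_STRING    ((const char *) 0)
#define CANCELLED_STRING ((const char *) -1)

/* Decode one 16-bit little-endian offset; the two all-ones patterns are the
 * special markers used by compiled terminfo. */
static int read_offset(const unsigned char *p)
{
    unsigned v = p[0] | (p[1] << 8);
    if (v == 0xffff) return -1;   /* absent */
    if (v == 0xfffe) return -2;   /* cancelled */
    return (int) v;
}

/* Convert `count` offsets into pointers into `table` (`size` bytes long).
 * Entries whose offset lies outside the table, or whose string has no NUL
 * before the table ends, are set to ABSENT_STRING instead of being left as
 * pointers outside the buffer. Returns how many entries were rejected. */
int convert_strings_checked(const unsigned char *offsets, const char **strings,
                            size_t count, const char *table, size_t size)
{
    int rejected = 0;
    for (size_t i = 0; i < count; i++) {
        int off = read_offset(offsets + 2 * i);
        if (off == -1) { strings[i] = ABSENT_STRING;    continue; }
        if (off == -2) { strings[i] = CANCELLED_STRING; continue; }
        /* The offset must be strictly inside the table: off == size is
         * already one byte past the end, and table[off] is read below. */
        if ((size_t) off >= size) { strings[i] = ABSENT_STRING; rejected++; continue; }
        /* memchr is bounded by the bytes that remain in the table, so it can
         * never read past `table + size` while looking for the terminator. */
        if (memchr(table + off, '\0', size - (size_t) off) == NULL) {
            strings[i] = ABSENT_STRING; rejected++; continue;
        }
        strings[i] = table + off;
    }
    return rejected;
}

/* Constructed sample: a 10-byte string table ("bel", "cr", then an
 * unterminated "xyz"); DEMO_SIZE excludes the literal's trailing NUL. */
static const char DEMO_TABLE[] = "bel\0cr\0xyz";
#define DEMO_SIZE 10u
static const unsigned char DEMO_OFFSETS[] = {
    0x00, 0x00,   /* 0    -> "bel" */
    0x04, 0x00,   /* 4    -> "cr" */
    0xff, 0xff,   /* -1   -> absent */
    0xfe, 0xff,   /* -2   -> cancelled */
    0x07, 0x00,   /* 7    -> "xyz", runs off the end of the table */
    0x00, 0x04,   /* 1024 -> outside the table */
    0x0a, 0x00,   /* 10   -> exactly the table end, also out of range */
};
#define DEMO_COUNT (sizeof(DEMO_OFFSETS) / 2)

/* Run the converter over the sample and return the rejection count. */
int demo_rejected(void)
{
    const char *strings[DEMO_COUNT];
    return convert_strings_checked(DEMO_OFFSETS, strings, DEMO_COUNT, DEMO_TABLE, DEMO_SIZE);
}

/* Return the converted pointer for sample entry `i` (points into DEMO_TABLE). */
const char *demo_entry(size_t i)
{
    const char *strings[DEMO_COUNT];
    convert_strings_checked(DEMO_OFFSETS, strings, DEMO_COUNT, DEMO_TABLE, DEMO_SIZE);
    return i < DEMO_COUNT ? strings[i] : ABSENT_STRING;
}

int main(void)
{
    const char *strings[DEMO_COUNT];
    int rejected = convert_strings_checked(DEMO_OFFSETS, strings, DEMO_COUNT, DEMO_TABLE, DEMO_SIZE);
    for (size_t i = 0; i < DEMO_COUNT; i++) {
        if (strings[i] == ABSENT_STRING)         printf("[%zu] absent\n", i);
        else if (strings[i] == CANCELLED_STRING) printf("[%zu] cancelled\n", i);
        else                                     printf("[%zu] \"%s\"\n", i, strings[i]);
    }
    printf("%d entries rejected\n", rejected);
    return 0;
}
```

The two checks together are what keep a one-byte read like the one in the trace inside the allocation: the `>= size` test rejects offsets that land on or past the end, and the bounded memchr replaces a terminator scan that could otherwise walk off the table when a fuzzed entry omits the NUL.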
