bug-ncurses

Re: A heap-buffer-overflow in postprocess_termcap, ncurse


From: 郑晗
Subject: Re: A heap-buffer-overflow in postprocess_termcap, ncurse
Date: Tue, 3 May 2022 15:54:14 +0800 (GMT+08:00)

Yeah, it's fixed now. Thanks.


> -----Original Message-----
> From: "Thomas Dickey" <dickey@his.com>
> Sent: 2022-05-01 08:40:22 (Sunday)
> To: "郑晗" <zhenghan20@mails.ucas.ac.cn>
> Cc: bug-ncurses@gnu.org
> Subject: Re: A heap-buffer-overflow in postprocess_termcap, ncurse
> 
> On Thu, Apr 28, 2022 at 04:36:38PM +0800, 郑晗 wrote:
> > 
> > Hmm, maybe you could try docker's ubuntu 20.04 image, which is the 20.04.4 LTS.
> 
> hmm - my first thought on this was that it wouldn't work well
> (since my Linux machines already are virtual).  But docker
> might work adequately via MacPorts.
> 
> However, I made some changes to the library which may have fixed
> the issue which you reported.
>  
> > In the attachment is the compiled tic binary from the latest ncurses. Could you try to reproduce by following these steps:
> > 
> > (1) docker pull ubuntu:20.04 
> > 
> > (2) start a container in this docker, install the gcc and g++ packages (to make sure we have the asan runtime library)
> > 
> > (3) copy the binary and poc in the attachment and execute.
> > 
> > By following the steps above I can reproduce this problem. Please let me know if you cannot reproduce.
> > 
> > Thanks and Best
> > 
> > > -----Original Message-----
> > > From: "郑晗" <zhenghan20@mails.ucas.ac.cn>
> > > Sent: 2022-04-27 22:16:02 (Wednesday)
> > > To: bug-ncurses@gnu.org
> > > Cc: 
> > > Subject: A heap-buffer-overflow in postprocess_termcap, ncurse
> > > 
> > > Dear developers,
> > > 
> > > I'm a security researcher and am now trying to test my new fuzzer. I've just found an illegal memory access in the latest commit of ncurses, tic. Here is the information:
> > > 
> > > (1) environment
> > > Ubuntu 20.04.3 LTS
> > > gcc 9.3.0
> > > ncurses v6_3_20220423, which is also the latest commit 7395e6deb0a2790cb2505669b2ae74751f926e7c 
> > > 
> > > (2) steps to reproduce: 
> > > export CFLAGS="-fsanitize=address -g"
> > > export CXXFLAGS="-fsanitize=address -g"
> > > ./configure ; make -j$(nproc)
> > > ./progs/tic $POC
> > > 
> > > (3) ASAN Report
> > > "crash.0", line 1, col 19: dubious character `]' in name or alias field
> > > "crash.0", line 1, col 38, terminal 'appd=^177]Qcl=^LAc': Illegal character (expected alphanumeric or @%&*!#) - '^K'
> > > "crash.0", line 1, col 54, terminal 'appd=^177]Qcl=^LAc': Illegal character - ' '
> > > "crash.0", line 1, col 54, terminal 'appd=^177]Qcl=^LAc': wrong type used for numeric capability 'liA0'
> > > "crash.0", line 1, col 61, terminal 'appd=^177]Qcl=^LAc': Illegal character - ' '
> > > "crash.0", line 1, col 61, terminal 'appd=^177]Qcl=^LAc': wrong type used for numeric capability 'column'
> > > "crash.0", line 1, col 73, terminal 'appd=^177]Qcl=^LAc': Illegal character - '^'
> > > "crash.0", line 1, col 73, terminal 'appd=^177]Qcl=^LAc': Legacy termcap allows only a trailing tc= clause
> > > "crash.0", line 1, col 73, terminal 'appd=^177]Qcl=^LAc': unknown capability 'firmwareeII'
> > > "crash.0", line 1, col 75, terminal 'appd=^177]Qcl=^LAc': unknown capability 'L'
> > > "crash.0", line 1, col 83, terminal 'appd=^177]Qcl=^LAc': Missing separator
> > > "crash.0", line 6, col 10, terminal 'appd=^177]Qcl=^LAc': Missing backslash before newline
> > > "crash.0", line 6, col 13, terminal 'appd=^177]Qcl=^LAc': Missing separator after `ae', have ^
> > > "crash.0", line 6, col 15, terminal 'appd=^177]Qcl=^LAc': unknown capability 'N'
> > > "crash.0", line 7, col 16, terminal 'appd=^177]Qcl=^LAc': Illegal character (expected alphanumeric or @%&*!#) - 'M--'
> > > "crash.0", line 9, col 12, terminal 'appd=^177]Qcl=^LAc': Illegal character - '^?'
> > > "crash.0", line 9, col 12, terminal 'appd=^177]Qcl=^LAc': wrong type used for string capability 'se'
> > > "crash.0", line 9, col 13, terminal 'appd=^177]Qcl=^LAc': Illegal character (expected alphanumeric or @%&*!#) - '^'
> > > "crash.0", line 12, col 1, terminal 'appd=^177]Qcl=^LAc': Missing separator
> > > "crash.0", line 36, col 10, terminal 'acte#24': Illegal character (expected alphanumeric or @%&*!#) - '|'
> > > "crash.0", line 36, col 20, terminal 'acte#24': Illegal character (expected alphanumeric or @%&*!#) - '^G'
> > > "crash.0", line 36, col 53, terminal 'acte#24': Illegal character (expected alphanumeric or @%&*!#) - '^K'
> > > "crash.0", line 36, col 69, terminal 'acte#24': invalid name for use-clause "Zit#8kC="
> > > "crash.0", line 36, col 82, terminal 'acte#24': Illegal character (expected alphanumeric or @%&*!#) - '^G'
> > > "crash.0", line 36, col 103, terminal 'acte#24': unknown capability 'lr'
> > > "crash.0", line 36, col 104, terminal 'acte#24': Illegal character (expected alphanumeric or @%&*!#) - '~?'
> > > "crash.0", line 36, col 112, terminal 'acte#24': Illegal character (expected alphanumeric or @%&*!#) - '^'
> > > "crash.0", line 36, col 124, terminal 'acte#24': Illegal character - '+'
> > > "crash.0", line 36, col 124, terminal 'acte#24': unknown capability 'sl'
> > > "crash.0", line 36, col 133, terminal 'acte#24': wrong type used for numeric capability 'dBl'
> > > "crash.0", line 36, col 151, terminal 'acte#24': Legacy termcap allows only a trailing tc= clause
> > > "crash.0", line 36, col 151, terminal 'acte#24': unknown capability 'Iap'
> > > "crash.0", line 36, col 161, terminal 'acte#24': Missing separator
> > > "crash.0", line 37, col 27, terminal 'V': older tic versions may treat the description field as an alias
> > > "crash.0", line 37, col 40, terminal 'V': Illegal character (expected alphanumeric or @%&*!#) - '='
> > > "crash.0", line 37, col 183, terminal 'V': Illegal character (expected alphanumeric or @%&*!#) - '='
> > > "crash.0", line 37, col 192, terminal 'V': Legacy termcap allows only a trailing tc= clause
> > > "crash.0", line 37, col 370, terminal 'V': Illegal character (expected alphanumeric or @%&*!#) - '^H'
> > > "crash.0", line 37, col 380, terminal 'V': unknown capability 'Qm'
> > > "crash.0", line 37, col 383, terminal 'V': unknown capability 'Pw'
> > > "crash.0", line 37, col 403, terminal 'V': Missing separator
> > > "crash.0", line 38, col 1, terminal 'V': Illegal character (expected alphanumeric or @%&*!#) - 'M-<'
> > > "crash.0", line 38, col 709, terminal 'V': Illegal character - '%'
> > > "crash.0", line 38, col 709, terminal 'V': unknown capability 
'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyzyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
> > > "crash.0", line 38, col 711, terminal 'V': Illegal character - '*'
> > > "crash.0", line 38, col 711, terminal 'V': unknown capability 'a'
> > > "crash.0", line 38, col 714, terminal 'V': unknown capability 'pL'
> > > "crash.0", line 38, col 807, terminal 'V': Illegal character - ' '
> > > "crash.0", line 38, col 807, terminal 'V': unknown capability 
'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
> > > "crash.0", line 38, col 814, terminal 'V': wrong type used for boolean capability 'ins'
> > > "crash.0", line 38, col 817, terminal 'V': unknown capability 'A'
> > > "crash.0", line 38, col 905, terminal 'V': Illegal character - '^P'
> > > "crash.0", line 38, col 905, terminal 'V': unknown capability 
'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
> > > "crash.0", line 38, col 1652, terminal 'V': unknown capability 
'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyzyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy177SOd'
> > > "crash.0", line 39, col 72, terminal 'V': Illegal character - '~E'
> > > "crash.0", line 39, col 72, terminal 'V': unknown capability 
'byyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyydyyyyyyyyyyyyyyyyyyyy'
> > > "crash.0", line 39, col 311, terminal 'V': unknown capability 
'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyl'
> > > "crash.0", line 39, col 312, terminal 'V': Illegal character (expected alphanumeric or @%&*!#) - '='
> > > "crash.0", line 39, col 926, terminal 'V': Very long string found.  Missing separator?
> > > "crash.0", line 39, col 1539, terminal 'V': Missing separator
> > > "crash.0", line 40, col 1, terminal 'V': Illegal character (expected alphanumeric or @%&*!#) - 'M-<'
> > > =================================================================
> > > ==3138955==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000003900 at pc 0x562f0dfc843f bp 0x7ffd7b41d7d0 sp 0x7ffd7b41d7c0
> > > READ of size 1 at 0x621000003900 thread T0
> > >     #0 0x562f0dfc843e in postprocess_termcap ../ncurses/./tinfo/parse_entry.c:947
> > >     #1 0x562f0dfc519a in _nc_parse_entry ../ncurses/./tinfo/parse_entry.c:602
> > >     #2 0x562f0dfba294 in _nc_read_entry_source ../ncurses/./tinfo/comp_parse.c:226
> > >     #3 0x562f0df76580 in main ../progs/tic.c:964
> > >     #4 0x7febf41320b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
> > >     #5 0x562f0df72e0d in _start (/home/hzheng/real-validate/ncurses-snapshots/progs/tic+0x37e0d)
> > > 
> > > 0x621000003900 is located 0 bytes to the right of 4096-byte region [0x621000002900,0x621000003900)
> > > allocated by thread T0 here:
> > >     #0 0x7febf440abc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
> > >     #1 0x562f0dfd8d59 in _nc_init_entry ../ncurses/./tinfo/alloc_entry.c:75
> > >     #2 0x562f0dfc3242 in _nc_parse_entry ../ncurses/./tinfo/parse_entry.c:272
> > >     #3 0x562f0dfba294 in _nc_read_entry_source ../ncurses/./tinfo/comp_parse.c:226
> > >     #4 0x562f0df76580 in main ../progs/tic.c:964
> > >     #5 0x7febf41320b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
> > > 
> > > SUMMARY: AddressSanitizer: heap-buffer-overflow ../ncurses/./tinfo/parse_entry.c:947 in postprocess_termcap
> > > Shadow bytes around the buggy address:
> > >   0x0c427fff86d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > >   0x0c427fff86e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > >   0x0c427fff86f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > >   0x0c427fff8700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > >   0x0c427fff8710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > =>0x0c427fff8720:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > >   0x0c427fff8730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > >   0x0c427fff8740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > >   0x0c427fff8750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > >   0x0c427fff8760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > >   0x0c427fff8770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > > Shadow byte legend (one shadow byte represents 8 application bytes):
> > >   Addressable:           00
> > >   Partially addressable: 01 02 03 04 05 06 07
> > >   Heap left redzone:       fa
> > >   Freed heap region:       fd
> > >   Stack left redzone:      f1
> > >   Stack mid redzone:       f2
> > >   Stack right redzone:     f3
> > >   Stack after return:      f5
> > >   Stack use after scope:   f8
> > >   Global redzone:          f9
> > >   Global init order:       f6
> > >   Poisoned by user:        f7
> > >   Container overflow:      fc
> > >   Array cookie:            ac
> > >   Intra object redzone:    bb
> > >   ASan internal:           fe
> > >   Left alloca redzone:     ca
> > >   Right alloca redzone:    cb
> > >   Shadow gap:              cc
> > > ==3138955==ABORTING
> > > 
> > > (4) POC
> > > As shown in the attachment
> > > 
> > > (5) Credit
> > > NCNIPC of China 
> > > Hexhive
> 
> 
> 
> -- 
> Thomas E. Dickey <dickey@invisible-island.net>
> https://invisible-island.net
> ftp://ftp.invisible-island.net
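Reports like the one quoted in this thread are what a fuzzing team has to bucket and file before anyone looks at the parser; the Python below is an added example (not code from the thread or from ncurses) that pulls the bug class, access, faulting frame, region size and allocation owner out of such an ASan report and builds an address-free bucketing key, so that repeated runs of the same crash with different ASLR layouts compare equal. The embedded report is an excerpt of the one quoted above, trimmed to the lines the parser needs; the field names and the dedup_key convention are my own.

```python
import re

# Excerpt of the ASan report quoted in the bug report above, trimmed to the
# lines this parser needs (shadow-byte dump and libc frames omitted).
SAMPLE_REPORT = """\
==3138955==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000003900 at pc 0x562f0dfc843f bp 0x7ffd7b41d7d0 sp 0x7ffd7b41d7c0
READ of size 1 at 0x621000003900 thread T0
    #0 0x562f0dfc843e in postprocess_termcap ../ncurses/./tinfo/parse_entry.c:947
    #1 0x562f0dfc519a in _nc_parse_entry ../ncurses/./tinfo/parse_entry.c:602
    #2 0x562f0dfba294 in _nc_read_entry_source ../ncurses/./tinfo/comp_parse.c:226

0x621000003900 is located 0 bytes to the right of 4096-byte region [0x621000002900,0x621000003900)
allocated by thread T0 here:
    #0 0x7febf440abc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x562f0dfd8d59 in _nc_init_entry ../ncurses/./tinfo/alloc_entry.c:75
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")


def triage(report):
    """Pull out the fields a triager files first: bug class, access, crash frame, allocation owner."""
    err, acc, reg = ERROR_RE.search(report), ACCESS_RE.search(report), REGION_RE.search(report)
    if not (err and acc):
        raise ValueError("not an ASan invalid-access report")
    # Frames before "allocated by" are the faulting stack; frames after it are the allocation stack.
    access_part, _, alloc_part = report.partition("allocated by")
    access_frames = FRAME_RE.findall(access_part)
    alloc_frames = FRAME_RE.findall(alloc_part)
    # Skip the allocator interceptor itself so the owner is the code that asked for the buffer.
    owner = next((f for f in alloc_frames if not f[0].endswith(("malloc", "calloc", "realloc"))), None)
    return {
        "bug_class": err.group(1),
        "access": acc.group(1),
        "size": int(acc.group(2)),
        "crash_frame": access_frames[0] if access_frames else None,
        "region_size": int(reg.group(3)) if reg else None,
        "overflow_bytes": int(reg.group(1)) if reg else None,
        "overflow_side": reg.group(2) if reg else None,
        "alloc_site": owner,
    }


def dedup_key(report):
    """Bucket key for fuzzer crashes: bug class plus top frame, with no addresses in it."""
    t = triage(report)
    fn, loc = t["crash_frame"]
    return f"{t['bug_class']}:{fn}@{loc}"
```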
