[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: A heap-buffer-overflow in postprocess_termcap, ncurse
From: |
郑晗 |
Subject: |
Re: A heap-buffer-overflow in postprocess_termcap, ncurse |
Date: |
Tue, 3 May 2022 15:54:14 +0800 (GMT+08:00) |
Yeah, it's fixed now. Thanks.
> -----原始邮件-----
> 发件人: "Thomas Dickey" <dickey@his.com>
> 发送时间: 2022-05-01 08:40:22 (星期日)
> 收件人: "郑晗" <zhenghan20@mails.ucas.ac.cn>
> 抄送: bug-ncurses@gnu.org
> 主题: Re: A heap-buffer-overflow in postprocess_termcap, ncurse
>
> On Thu, Apr 28, 2022 at 04:36:38PM +0800, 郑晗 wrote:
> >
> > Hmm, maybe you could try docker's ubuntu 20.04 image, which is the
20.04.4 LTS.
>
> hmm - my first thought on this was that it wouldn't work well
> (since my Linux machines already are virtual). But docker
> might work adequately via MacPorts.
>
> However, I made some changes to the library which may have fixed
> the issue which you reported.
>
> > In the attachment is the compiled tic binary from latest ncurse.
Could you try to reproduce by following steps:
> >
> > (1) docker pull ubuntu:20.04
> >
> > (2) start a container in this docker, install gcc g++ package (to
make sure we have asan runtime library)
> >
> > (3) copy the binary and poc in the attachment and execute.
> >
> > By follow the steps above I can reproduce this problem. Pls let me
know if you cannot reproduce.
> >
> > Thanks and Best
> >
> > > -----原始邮件-----
> > > 发件人: "郑晗" <zhenghan20@mails.ucas.ac.cn>
> > > 发送时间: 2022-04-27 22:16:02 (星期三)
> > > 收件人: bug-ncurses@gnu.org
> > > 抄送:
> > > 主题: A heap-buffer-overflow in postprocess_termcap, ncurse
> > >
> > > ear developers,
> > >
> > > I'm a security researcher and is now trying to test my new
fuzzer. I've just found an illegal memory access in the latest commit of
ncurse, tic. Here are the informations:
> > >
> > > (1) environment
> > > Ubuntu 20.04.3 LTS
> > > gcc 9.3.0
> > > ncurse v6_3_20220423, which is also the latest commit
7395e6deb0a2790cb2505669b2ae74751f926e7c
> > >
> > > (2) step to reproduce:
> > > export CFLAGS="-fsanitze=address -g"
> > > export CXXFLAGS="-fsanitize=address -g"
> > > ./configure ; make -j$(nproc)
> > > ./prog/tic $POC
> > >
> > > (3) ASAN Report
> > > "crash.0", line 1, col 19: dubious character `]' in name or
alias field
> > > "crash.0", line 1, col 38, terminal 'appd=^177]Qcl=^LAc':
Illegal character (expected alphanumeric or @%&*!#) - '^K'
> > > "crash.0", line 1, col 54, terminal 'appd=^177]Qcl=^LAc':
Illegal character - ' '
> > > "crash.0", line 1, col 54, terminal 'appd=^177]Qcl=^LAc': wrong
type used for numeric capability 'liA0'
> > > "crash.0", line 1, col 61, terminal 'appd=^177]Qcl=^LAc':
Illegal character - ' '
> > > "crash.0", line 1, col 61, terminal 'appd=^177]Qcl=^LAc': wrong
type used for numeric capability 'column'
> > > "crash.0", line 1, col 73, terminal 'appd=^177]Qcl=^LAc':
Illegal character - '^'
> > > "crash.0", line 1, col 73, terminal 'appd=^177]Qcl=^LAc': Legacy
termcap allows only a trailing tc= clause
> > > "crash.0", line 1, col 73, terminal 'appd=^177]Qcl=^LAc':
unknown capability 'firmwareeII'
> > > "crash.0", line 1, col 75, terminal 'appd=^177]Qcl=^LAc':
unknown capability 'L'
> > > "crash.0", line 1, col 83, terminal 'appd=^177]Qcl=^LAc':
Missing separator
> > > "crash.0", line 6, col 10, terminal 'appd=^177]Qcl=^LAc':
Missing backslash before newline
> > > "crash.0", line 6, col 13, terminal 'appd=^177]Qcl=^LAc':
Missing separator after `ae', have ^
> > > "crash.0", line 6, col 15, terminal 'appd=^177]Qcl=^LAc':
unknown capability 'N'
> > > "crash.0", line 7, col 16, terminal 'appd=^177]Qcl=^LAc':
Illegal character (expected alphanumeric or @%&*!#) - 'M--'
> > > "crash.0", line 9, col 12, terminal 'appd=^177]Qcl=^LAc':
Illegal character - '^?'
> > > "crash.0", line 9, col 12, terminal 'appd=^177]Qcl=^LAc': wrong
type used for string capability 'se'
> > > "crash.0", line 9, col 13, terminal 'appd=^177]Qcl=^LAc':
Illegal character (expected alphanumeric or @%&*!#) - '^'
> > > "crash.0", line 12, col 1, terminal 'appd=^177]Qcl=^LAc':
Missing separator
> > > "crash.0", line 36, col 10, terminal 'acte#24': Illegal
character (expected alphanumeric or @%&*!#) - '|'
> > > "crash.0", line 36, col 20, terminal 'acte#24': Illegal
character (expected alphanumeric or @%&*!#) - '^G'
> > > "crash.0", line 36, col 53, terminal 'acte#24': Illegal
character (expected alphanumeric or @%&*!#) - '^K'
> > > "crash.0", line 36, col 69, terminal 'acte#24': invalid name for
use-clause "Zit#8kC="
> > > "crash.0", line 36, col 82, terminal 'acte#24': Illegal
character (expected alphanumeric or @%&*!#) - '^G'
> > > "crash.0", line 36, col 103, terminal 'acte#24': unknown
capability 'lr'
> > > "crash.0", line 36, col 104, terminal 'acte#24': Illegal
character (expected alphanumeric or @%&*!#) - '~?'
> > > "crash.0", line 36, col 112, terminal 'acte#24': Illegal
character (expected alphanumeric or @%&*!#) - '^'
> > > "crash.0", line 36, col 124, terminal 'acte#24': Illegal
character - '+'
> > > "crash.0", line 36, col 124, terminal 'acte#24': unknown
capability 'sl'
> > > "crash.0", line 36, col 133, terminal 'acte#24': wrong type used
for numeric capability 'dBl'
> > > "crash.0", line 36, col 151, terminal 'acte#24': Legacy termcap
allows only a trailing tc= clause
> > > "crash.0", line 36, col 151, terminal 'acte#24': unknown
capability 'Iap'
> > > "crash.0", line 36, col 161, terminal 'acte#24': Missing
separator
> > > "crash.0", line 37, col 27, terminal 'V': older tic versions may
treat the description field as an alias
> > > "crash.0", line 37, col 40, terminal 'V': Illegal character
(expected alphanumeric or @%&*!#) - '='
> > > "crash.0", line 37, col 183, terminal 'V': Illegal character
(expected alphanumeric or @%&*!#) - '='
> > > "crash.0", line 37, col 192, terminal 'V': Legacy termcap allows
only a trailing tc= clause
> > > "crash.0", line 37, col 370, terminal 'V': Illegal character
(expected alphanumeric or @%&*!#) - '^H'
> > > "crash.0", line 37, col 380, terminal 'V': unknown capability
'Qm'
> > > "crash.0", line 37, col 383, terminal 'V': unknown capability
'Pw'
> > > "crash.0", line 37, col 403, terminal 'V': Missing separator
> > > "crash.0", line 38, col 1, terminal 'V': Illegal character
(expected alphanumeric or @%&*!#) - 'M-<'
> > > "crash.0", line 38, col 709, terminal 'V': Illegal character -
'%'
> > > "crash.0", line 38, col 709, terminal 'V': unknown capability
'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyzyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
> > > "crash.0", line 38, col 711, terminal 'V': Illegal character -
'*'
> > > "crash.0", line 38, col 711, terminal 'V': unknown capability 'a'
> > > "crash.0", line 38, col 714, terminal 'V': unknown capability
'pL'
> > > "crash.0", line 38, col 807, terminal 'V': Illegal character - '
'
> > > "crash.0", line 38, col 807, terminal 'V': unknown capability
'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
> > > "crash.0", line 38, col 814, terminal 'V': wrong type used for
boolean capability 'ins'
> > > "crash.0", line 38, col 817, terminal 'V': unknown capability 'A'
> > > "crash.0", line 38, col 905, terminal 'V': Illegal character -
'^P'
> > > "crash.0", line 38, col 905, terminal 'V': unknown capability
'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
> > > "crash.0", line 38, col 1652, terminal 'V': unknown capability
'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyzyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy177SOd'
> > > "crash.0", line 39, col 72, terminal 'V': Illegal character -
'~E'
> > > "crash.0", line 39, col 72, terminal 'V': unknown capability
'byyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyydyyyyyyyyyyyyyyyyyyyy'
> > > "crash.0", line 39, col 311, terminal 'V': unknown capability
'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyl'
> > > "crash.0", line 39, col 312, terminal 'V': Illegal character
(expected alphanumeric or @%&*!#) - '='
> > > "crash.0", line 39, col 926, terminal 'V': Very long string
found. Missing separator?
> > > "crash.0", line 39, col 1539, terminal 'V': Missing separator
> > > "crash.0", line 40, col 1, terminal 'V': Illegal character
(expected alphanumeric or @%&*!#) - 'M-<'
> > > =================================================================
> > > ==3138955==ERROR: AddressSanitizer: heap-buffer-overflow on
address 0x621000003900 at pc 0x562f0dfc843f bp 0x7ffd7b41d7d0 sp 0x7ffd7b41d7c0
> > > READ of size 1 at 0x621000003900 thread T0
> > > #0 0x562f0dfc843e in postprocess_termcap
../ncurses/./tinfo/parse_entry.c:947
> > > #1 0x562f0dfc519a in _nc_parse_entry
../ncurses/./tinfo/parse_entry.c:602
> > > #2 0x562f0dfba294 in _nc_read_entry_source
../ncurses/./tinfo/comp_parse.c:226
> > > #3 0x562f0df76580 in main ../progs/tic.c:964
> > > #4 0x7febf41320b2 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
> > > #5 0x562f0df72e0d in _start
(/home/hzheng/real-validate/ncurses-snapshots/progs/tic+0x37e0d)
> > >
> > > 0x621000003900 is located 0 bytes to the right of 4096-byte
region [0x621000002900,0x621000003900)
> > > allocated by thread T0 here:
> > > #0 0x7febf440abc8 in malloc
(/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
> > > #1 0x562f0dfd8d59 in _nc_init_entry
../ncurses/./tinfo/alloc_entry.c:75
> > > #2 0x562f0dfc3242 in _nc_parse_entry
../ncurses/./tinfo/parse_entry.c:272
> > > #3 0x562f0dfba294 in _nc_read_entry_source
../ncurses/./tinfo/comp_parse.c:226
> > > #4 0x562f0df76580 in main ../progs/tic.c:964
> > > #5 0x7febf41320b2 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
> > >
> > > SUMMARY: AddressSanitizer: heap-buffer-overflow
../ncurses/./tinfo/parse_entry.c:947 in postprocess_termcap
> > > Shadow bytes around the buggy address:
> > > 0x0c427fff86d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > 0x0c427fff86e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > 0x0c427fff86f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > 0x0c427fff8700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > 0x0c427fff8710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > =>0x0c427fff8720:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
fa fa
> > > 0x0c427fff8730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > > 0x0c427fff8740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > > 0x0c427fff8750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > > 0x0c427fff8760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > > 0x0c427fff8770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > > Shadow byte legend (one shadow byte represents 8 application
bytes):
> > > Addressable: 00
> > > Partially addressable: 01 02 03 04 05 06 07
> > > Heap left redzone: fa
> > > Freed heap region: fd
> > > Stack left redzone: f1
> > > Stack mid redzone: f2
> > > Stack right redzone: f3
> > > Stack after return: f5
> > > Stack use after scope: f8
> > > Global redzone: f9
> > > Global init order: f6
> > > Poisoned by user: f7
> > > Container overflow: fc
> > > Array cookie: ac
> > > Intra object redzone: bb
> > > ASan internal: fe
> > > Left alloca redzone: ca
> > > Right alloca redzone: cb
> > > Shadow gap: cc
> > > ==3138955==ABORTING
> > >
> > > (4) POC
> > > As shown in the attachment
> > >
> > > (5) Credit
> > > NCNIPC of China
> > > Hexhive
> > </zhenghan20@mails.ucas.ac.cn>
>
>
>
> --
> Thomas E. Dickey <dickey@invisible-island.net>
> https://invisible-island.net
> ftp://ftp.invisible-island.net
</dickey@invisible-island.net></zhenghan20@mails.ucas.ac.cn></dickey@his.com>
- Re: A heap-buffer-overflow in postprocess_termcap, ncurse,
郑晗 <=