[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Bug: global-buffer-overflow in function _nc_find_entry
From: |
address@hidden |
Subject: |
Bug: global-buffer-overflow in function _nc_find_entry |
Date: |
Fri, 11 Oct 2019 16:37:56 +0800 |
Version: snapshot label v6_1_20191005
POC: https://github.com/zjuchenyuan/fuzzpoc/raw/master/infotocap_poc2
```
Step 6/11 : RUN /tmp/infotocap fuzzpoc/infotocap_poc2 || exit 0
---> Running in 0cb51266360c
"fuzzpoc/infotocap_poc2", line 3, col 12: invalid entry name "1Q5Q51Q5Q5"
=================================================================
==7==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000515e06 at pc 0x00000044c544 bp 0x7fffffffb9f0 sp 0x7fffffffb9e0
READ of size 2 at 0x000000515e06 thread T0
#0 0x44c543 in _nc_find_entry ../ncurses/./tinfo/comp_hash.c:66
#1 0x42daad in nametrans ../progs/dump_entry.c:174
#2 0x405c1c in put_translate ../progs/tic.c:339
#3 0x405c1c in main ../progs/tic.c:1033
#4 0x7ffff6ac082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x408cd8 in _start (/tmp/infotocap+0x408cd8)
0x000000515e06 is located 26 bytes to the left of global variable '_nc_info_hash_table' defined in '../ncurses/comp_captab.c:585:24' (0x515e20) of size 1990
0x000000515e06 is located 18 bytes to the right of global variable 'cap_names_text' defined in '../ncurses/comp_captab.c:1590:19' (0x515820) of size 1492
SUMMARY: AddressSanitizer: global-buffer-overflow ../ncurses/./tinfo/comp_hash.c:66 _nc_find_entry
Shadow bytes around the buggy address:
0x00008009ab70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009ab80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009ab90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009aba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009abb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 f9
=>0x00008009abc0:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009abd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009abe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009abf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009ac00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009ac10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==7==ABORTING
```
Reproducible Docker image has been pushed to `zjuchenyuan/dockerized_poc:ncurses`, Dockerfile:
```
FROM zjuchenyuan/afl
ENV AFL_USE_ASAN=1 ASAN_OPTIONS="detect_leaks=0"
RUN git clone https://github.com/ThomasDickey/ncurses-snapshots &&\
cd ncurses-snapshots &&\
git checkout 8805e9e &&\
./configure --disable-shared &&\
make -j &&\
cp ./progs/tic /tmp/infotocap
RUN git clone https://github.com/zjuchenyuan/fuzzpoc
RUN /tmp/infotocap fuzzpoc/infotocap_poc2 || exit 0
```
- Bug: global-buffer-overflow in function _nc_find_entry,
address@hidden <=