bug-ncurses

Re: Re: Bug: heap-buffer-overflow in function postprocess_terminfo


From: address@hidden
Subject: Re: Re: Bug: heap-buffer-overflow in function postprocess_terminfo
Date: Sat, 12 Oct 2019 10:34:58 +0800

Thanks for pointing it out, that's really helpful.

I rebuilt the program using afl-gcc without ASAN, and here I attach the valgrind report for poc1.

I have pushed the updated docker image `zjuchenyuan/dockerized_poc:ncurses` to Docker Hub; if you're willing to give it a try, you can:

```
# turning off ASLR may not be necessary
# echo 0 | sudo tee /proc/sys/kernel/randomize_va_space 

docker run -it --rm zjuchenyuan/dockerized_poc:ncurses /bin/bash
# now we are in the container; the built binaries are at /tmp/infotocap and /tmp/noasan/infotocap, both copied from /ncurses-snapshots/progs/tic
/tmp/infotocap fuzzpoc/infotocap_poc1
valgrind -v /tmp/noasan/infotocap fuzzpoc/infotocap_poc1
```

More information about the image and environment: Ubuntu 16.04, gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11), ASLR turned off.

Updated Dockerfile:

```
FROM zjuchenyuan/afl

ENV AFL_USE_ASAN=1 ASAN_OPTIONS="detect_leaks=0"
RUN git clone https://github.com/ThomasDickey/ncurses-snapshots &&\
    cd ncurses-snapshots &&\
    git checkout 8805e9e &&\
    ./configure --disable-shared &&\
    make -j &&\
    cp ./progs/tic /tmp/infotocap

RUN git clone https://github.com/zjuchenyuan/fuzzpoc
RUN /tmp/infotocap fuzzpoc/infotocap_poc1 || exit 0
RUN /tmp/infotocap fuzzpoc/infotocap_poc2 || exit 0
RUN /tmp/infotocap fuzzpoc/infotocap_poc3 || exit 0
RUN /tmp/infotocap fuzzpoc/infotocap_poc4 || exit 0
RUN /tmp/infotocap fuzzpoc/infotocap_poc5 || exit 0
RUN /tmp/infotocap fuzzpoc/infotocap_poc6 || exit 0
RUN /tmp/infotocap fuzzpoc/infotocap_poc7 || exit 0

RUN apt install -y valgrind &&\
    cd ncurses-snapshots &&\
    make clean &&\
    unset AFL_USE_ASAN &&\
    make -j &&\
    mkdir /tmp/noasan &&\
    cp ./progs/tic /tmp/noasan/infotocap

RUN valgrind -v /tmp/noasan/infotocap fuzzpoc/infotocap_poc1 || exit 0
RUN valgrind -v /tmp/noasan/infotocap fuzzpoc/infotocap_poc2 || exit 0
RUN valgrind -v /tmp/noasan/infotocap fuzzpoc/infotocap_poc3 || exit 0
RUN valgrind -v /tmp/noasan/infotocap fuzzpoc/infotocap_poc4 || exit 0
RUN valgrind -v /tmp/noasan/infotocap fuzzpoc/infotocap_poc5 || exit 0
RUN valgrind -v /tmp/noasan/infotocap fuzzpoc/infotocap_poc6 || exit 0
RUN valgrind -v /tmp/noasan/infotocap fuzzpoc/infotocap_poc7 || exit 0
```

```
Step 13/19 : RUN valgrind -v /tmp/noasan/infotocap fuzzpoc/infotocap_poc1 || exit 0
 ---> Running in bce32ed27872
==6== Memcheck, a memory error detector
==6== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==6== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==6== Command: /tmp/noasan/infotocap fuzzpoc/infotocap_poc1
==6==
--6-- Valgrind options:
--6--    -v
--6-- Contents of /proc/version:
--6--   Linux version 4.9.87-xxxx-std-ipv6-64 (address@hidden) (gcc version 7.3.0 (GCC) ) #1 SMP Tue Mar 13 18:41:47 CET 2018
--6--
--6-- Arch and hwcaps: AMD64, LittleEndian, amd64-cx16-rdtscp-sse3-avx
--6-- Page sizes: currently 4096, max supported 4096
--6-- Valgrind library directory: /usr/lib/valgrind
--6-- Reading syms from /tmp/noasan/infotocap
--6-- Reading syms from /lib/x86_64-linux-gnu/ld-2.23.so
--6--   Considering /lib/x86_64-linux-gnu/ld-2.23.so ..
--6--   .. CRC mismatch (computed 10d8ea02 wanted 4fdda1aa)
--6--   Considering /usr/lib/debug/lib/x86_64-linux-gnu/ld-2.23.so ..
--6--   .. CRC is valid
--6-- Reading syms from /usr/lib/valgrind/memcheck-amd64-linux
--6--   Considering /usr/lib/valgrind/memcheck-amd64-linux ..
--6--   .. CRC mismatch (computed eea41ea9 wanted 2009db78)
--6--    object doesn't have a symbol table
--6--    object doesn't have a dynamic symbol table
--6-- Scheduler: using generic scheduler lock implementation.
--6-- Reading suppressions file: /usr/lib/valgrind/default.supp
==6== embedded gdbserver: reading from /tmp/vgdb-pipe-from-vgdb-to-6-by-???-on-bce32ed27872
==6== embedded gdbserver: writing to   /tmp/vgdb-pipe-to-vgdb-from-6-by-???-on-bce32ed27872
==6== embedded gdbserver: shared mem   /tmp/vgdb-pipe-shared-mem-vgdb-6-by-???-on-bce32ed27872
==6==
==6== TO CONTROL THIS PROCESS USING vgdb (which you probably
==6== don't want to do, unless you know exactly what you're doing,
==6== or are doing some strange experiment):
==6==   /usr/lib/valgrind/../../bin/vgdb --pid=6 ...command...
==6==
==6== TO DEBUG THIS PROCESS USING GDB: start GDB like this
==6==   /path/to/gdb /tmp/noasan/infotocap
==6== and then give GDB the following command
==6==   target remote | /usr/lib/valgrind/../../bin/vgdb --pid=6
==6== --pid is optional if only one valgrind process is running
==6==
--6-- REDIR: 0x401cf10 (ld-linux-x86-64.so.2:strlen) redirected to 0x3809e181 (???)
--6-- Reading syms from /usr/lib/valgrind/vgpreload_core-amd64-linux.so
--6--   Considering /usr/lib/valgrind/vgpreload_core-amd64-linux.so ..
--6--   .. CRC mismatch (computed 2567ccf6 wanted 49420590)
--6--    object doesn't have a symbol table
--6-- Reading syms from /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
--6--   Considering /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so ..
--6--   .. CRC mismatch (computed 0e27c9a8 wanted ac585421)
--6--    object doesn't have a symbol table
==6== WARNING: new redirection conflicts with existing -- ignoring it
--6--     old: 0x0401cf10 (strlen              ) R-> (0000.0) 0x3809e181 ???
--6--     new: 0x0401cf10 (strlen              ) R-> (2007.0) 0x04c31020 strlen
--6-- REDIR: 0x401b860 (ld-linux-x86-64.so.2:index) redirected to 0x4c30bc0 (index)
--6-- REDIR: 0x401ba80 (ld-linux-x86-64.so.2:strcmp) redirected to 0x4c320d0 (strcmp)
--6-- REDIR: 0x401dc70 (ld-linux-x86-64.so.2:mempcpy) redirected to 0x4c35270 (mempcpy)
--6-- Reading syms from /lib/x86_64-linux-gnu/libc-2.23.so
--6--   Considering /lib/x86_64-linux-gnu/libc-2.23.so ..
--6--   .. CRC mismatch (computed 10016417 wanted 1f868c97)
--6--   Considering /usr/lib/debug/lib/x86_64-linux-gnu/libc-2.23.so ..
--6--   .. CRC is valid
--6-- REDIR: 0x4ec9a00 (libc.so.6:strcasecmp) redirected to 0x4a286f0 (_vgnU_ifunc_wrapper)
--6-- REDIR: 0x4ec5280 (libc.so.6:strcspn) redirected to 0x4a286f0 (_vgnU_ifunc_wrapper)
--6-- REDIR: 0x4ecbcf0 (libc.so.6:strncasecmp) redirected to 0x4a286f0 (_vgnU_ifunc_wrapper)
--6-- REDIR: 0x4ec76f0 (libc.so.6:strpbrk) redirected to 0x4a286f0 (_vgnU_ifunc_wrapper)
--6-- REDIR: 0x4ec7a80 (libc.so.6:strspn) redirected to 0x4a286f0 (_vgnU_ifunc_wrapper)
--6-- REDIR: 0x4ec914b (libc.so.6:memcpy@GLIBC_2.2.5) redirected to 0x4a286f0 (_vgnU_ifunc_wrapper)
--6-- REDIR: 0x4ec7400 (libc.so.6:rindex) redirected to 0x4c308a0 (rindex)
--6-- REDIR: 0x4ec5720 (libc.so.6:strlen) redirected to 0x4c30f60 (strlen)
--6-- REDIR: 0x4ec5b20 (libc.so.6:strncmp) redirected to 0x4a286f0 (_vgnU_ifunc_wrapper)
--6-- REDIR: 0x4f7fa90 (libc.so.6:__strncmp_sse42) redirected to 0x4c317f0 (__strncmp_sse42)
--6-- REDIR: 0x4ebe130 (libc.so.6:malloc) redirected to 0x4c2db20 (malloc)
--6-- REDIR: 0x4ec8060 (libc.so.6:__GI_strstr) redirected to 0x4c354d0 (__strstr_sse2)
--6-- REDIR: 0x4ece470 (libc.so.6:__GI_memcpy) redirected to 0x4c32b00 (__GI_memcpy)
--6-- REDIR: 0x4ec8860 (libc.so.6:memchr) redirected to 0x4c32170 (memchr)
--6-- REDIR: 0x4ebe6c0 (libc.so.6:realloc) redirected to 0x4c2fce0 (realloc)
--6-- REDIR: 0x4ec5ae0 (libc.so.6:strncat) redirected to 0x4a286f0 (_vgnU_ifunc_wrapper)
--6-- REDIR: 0x4ee30e0 (libc.so.6:__strncat_sse2_unaligned) redirected to 0x4c30dc0 (strncat)
--6-- REDIR: 0x4ec3a80 (libc.so.6:index) redirected to 0x4a286f0 (_vgnU_ifunc_wrapper)
--6-- REDIR: 0x4ec3ab0 (libc.so.6:__GI_strchr) redirected to 0x4c30a00 (__GI_strchr)
--6-- REDIR: 0x4ed0760 (libc.so.6:strchrnul) redirected to 0x4c34da0 (strchrnul)
--6-- REDIR: 0x4ec93b0 (libc.so.6:__GI_mempcpy) redirected to 0x4c34fa0 (__GI_mempcpy)
"fuzzpoc/infotocap_poc1", line 1, col 1689, terminal [...] dubious character `]' in name or alias field
--6-- REDIR: 0x4ece3f0 (libc.so.6:memcpy@@GLIBC_2.14) redirected to 0x4a286f0 (_vgnU_ifunc_wrapper)
--6-- REDIR: 0x4ed9820 (libc.so.6:__memcpy_sse2_unaligned) redirected to 0x4c324a0 (memcpy@@GLIBC_2.14)
"fuzzpoc/infotocap_poc1", line 1, col 1689, terminal [...] --6-- REDIR: 0x4ec58c0 (libc.so.6:strnlen) redirected to 0x4c30ee0 (strnlen)
primary name `[...]���p▒▒

 ' may be too long
"fuzzpoc/infotocap_poc1", line 2, col 1, terminal [...] Illegal character (expected alphanumeric or @%&*!#) - 'M-u'
"fuzzpoc/infotocap_poc1", line 3, col 75, terminal [...] Illegal character - '~O'
--6-- REDIR: 0x4ebed10 (libc.so.6:calloc) redirected to 0x4c2faa0 (calloc)
--6-- REDIR: 0x4ec3cd0 (libc.so.6:strcmp) redirected to 0x4a286f0 (_vgnU_ifunc_wrapper)
--6-- REDIR: 0x4ed9570 (libc.so.6:__strcmp_sse2_unaligned) redirected to 0x4c31f90 (strcmp)
"fuzzpoc/infotocap_poc1", line 3, col 75, terminal [...] unknown capability 'F'
"fuzzpoc/infotocap_poc1", line 3, col 76, terminal [...] Illegal character (expected alphanumeric or @%&*!#) - '/'
"fuzzpoc/infotocap_poc1", line 3, col 329, terminal [...] Illegal character - '~W'
"fuzzpoc/infotocap_poc1", line 3, col 329, terminal 'JE10JPYZY0KHHP5FIR1DBKQT1E66TKOBH3SH7ZYOREACE6FN24I0ZBGMQM2XLEDU3I6H5YUWJE5SDR4DVG3W6WU5I82SHPLZCC6W2HLWKPAM5FJFDWZZJIF6UKF8WW4CXU1Y4G29DRZ1A2ECW9OC8E9YZS7JGCQ0W64123X6QQQIBXL7KQ3DXM0BFY6Q812JEJ3E2FJPGJ9P4TQJ33Z6HKCDV49L4GYY2DIH9614IFMKHNSKEBLC9WVAANHM0EH0J81MAKX3D48DVAX0LR2SMRA5Q8NCN9MAEKXCBIK8GGBCIPJ325R33I5XPCX1R3239A0MHC2E480GFJFRDM2GNJR2B22O6R8DN9X7ZPD8XX9YJLNF083ZZWAVEI7Y4AHBX8TCLMA5KYOCJ4O5ASVERDE0J0KNMVDO437HEU3AWJEO89ZCM512BNMGB9VNDB3J95ZPZ7J409YF7C1ZX7UVQJ9VBZX3KYINC52TI7PV2N1NFUJFJIHVTOMSAWS7219X': unknown capability 'fwd'
"fuzzpoc/infotocap_poc1", line 3, col 394, terminal 'JE10JPYZY0KHHP5FIR1DBKQT1E66TKOBH3SH7ZYOREACE6FN24I0ZBGMQM2XLEDU3I6H5YUWJE5SDR4DVG3W6WU5I82SHPLZCC6W2HLWKPAM5FJFDWZZJIF6UKF8WW4CXU1Y4G29DRZ1A2ECW9OC8E9YZS7JGCQ0W64123X6QQQIBXL7KQ3DXM0BFY6Q812JEJ3E2FJPGJ9P4TQJ33Z6HKCDV49L4GYY2DIH9614IFMKHNSKEBLC9WVAANHM0EH0J81MAKX3D48DVAX0LR2SMRA5Q8NCN9MAEKXCBIK8GGBCIPJ325R33I5XPCX1R3239A0MHC2E480GFJFRDM2GNJR2B22O6R8DN9X7ZPD8XX9YJLNF083ZZWAVEI7Y4AHBX8TCLMA5KYOCJ4O5ASVERDE0J0KNMVDO437HEU3AWJEO89ZCM512BNMGB9VNDB3J95ZPZ7J409YF7C1ZX7UVQJ9VBZX3KYINC52TI7PV2N1NFUJFJIHVTOMSAWS7219X': Missing separator
--6-- REDIR: 0x4ec9850 (libc.so.6:stpcpy) redirected to 0x4a286f0 (_vgnU_ifunc_wrapper)
--6-- REDIR: 0x4ee0fe0 (libc.so.6:__stpcpy_sse2_unaligned) redirected to 0x4c34120 (__stpcpy_sse2_unaligned)
--6-- REDIR: 0x4ec5160 (libc.so.6:strcpy) redirected to 0x4a286f0 (_vgnU_ifunc_wrapper)
--6-- REDIR: 0x4edf9d0 (libc.so.6:__strcpy_sse2_unaligned) redirected to 0x4c31040 (strcpy)
"fuzzpoc/infotocap_poc1", line 4, col 30, terminal 'L��GLٲ��Û�D��M����': older tic versions may treat the description field as an alias
--6-- REDIR: 0x4ebe4f0 (libc.so.6:free) redirected to 0x4c2ed80 (free)
"fuzzpoc/infotocap_poc1", line 4, col 30, terminal 'L��GLٲ��Û�D��M����': invalid entry name "L��GLٲ��Û�D��M����"
"fuzzpoc/infotocap_poc1", line 4, col 31, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-9'
"fuzzpoc/infotocap_poc1", line 4, col 40, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '"'
"fuzzpoc/infotocap_poc1", line 4, col 180, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-B'
"fuzzpoc/infotocap_poc1", line 6, col 75, terminal 'invalid': Illegal character - '~O'
"fuzzpoc/infotocap_poc1", line 6, col 75, terminal 'invalid': unknown capability 'F'
"fuzzpoc/infotocap_poc1", line 6, col 76, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '/'
"fuzzpoc/infotocap_poc1", line 6, col 329, terminal 'invalid': Illegal character - '~W'
"fuzzpoc/infotocap_poc1", line 6, col 329, terminal 'invalid': unknown capability 'fwd'
"fuzzpoc/infotocap_poc1", line 6, col 392, terminal 'invalid': Missing separator
"fuzzpoc/infotocap_poc1", line 8, col 30, terminal 'L��GLٲ��Û�D��M����': older tic versions may treat the description field as an alias
"fuzzpoc/infotocap_poc1", line 8, col 30, terminal 'L��GLٲ��Û�D��M����': invalid entry name "L��GLٲ��Û�D��M����"
"fuzzpoc/infotocap_poc1", line 8, col 31, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-9'
"fuzzpoc/infotocap_poc1", line 8, col 40, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '"'
"fuzzpoc/infotocap_poc1", line 8, col 209, terminal 'invalid': Illegal character - '~O'
"fuzzpoc/infotocap_poc1", line 8, col 209, terminal 'invalid': unknown capability 'F'
"fuzzpoc/infotocap_poc1", line 8, col 210, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '/'
"fuzzpoc/infotocap_poc1", line 8, col 465, terminal 'invalid': Illegal character - '~W'
"fuzzpoc/infotocap_poc1", line 8, col 465, terminal 'invalid': unknown capability 'fwd'
"fuzzpoc/infotocap_poc1", line 8, col 530, terminal 'invalid': Missing separator
"fuzzpoc/infotocap_poc1", line 9, col 30, terminal 'L��GLٲ��Û�D��M����': older tic versions may treat the description field as an alias
"fuzzpoc/infotocap_poc1", line 9, col 30, terminal 'L��GLٲ��Û�D��M����': invalid entry name "L��GLٲ��Û�D��M����"
--6-- REDIR: 0x4ec73c0 (libc.so.6:strncpy) redirected to 0x4a286f0 (_vgnU_ifunc_wrapper)
--6-- REDIR: 0x4ee0000 (libc.so.6:__strncpy_sse2_unaligned) redirected to 0x4c31570 (__strncpy_sse2_unaligned)
--6-- REDIR: 0x4ed0550 (libc.so.6:rawmemchr) redirected to 0x4c34dd0 (rawmemchr)
==6== Invalid read of size 1
==6==    at 0x4409DC: one_one_mapping (dump_entry.c:1399)
==6==    by 0x4409DC: purged_acs (dump_entry.c:1425)
==6==    by 0x4409DC: dump_entry (dump_entry.c:1587)
==6==    by 0x4045BA: main (tic.c:1039)
==6==  Address 0x520c54e is 0 bytes after a block of size 1,742 alloc'd
==6==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6==    by 0x4F847F: _nc_wrap_entry (alloc_entry.c:177)
==6==    by 0x4BB4F5: _nc_parse_entry (parse_entry.c:601)
==6==    by 0x4A892B: _nc_read_entry_source (comp_parse.c:225)
==6==    by 0x4037C8: main (tic.c:961)
==6==
infotocap: [...] entry is 1684 bytes long
==6== Invalid read of size 8
==6==    at 0x44F5E7: _nc_find_entry (comp_hash.c:70)
==6==    by 0x42D90D: nametrans (dump_entry.c:174)
==6==    by 0x40556F: put_translate (tic.c:339)
==6==    by 0x40556F: main (tic.c:1033)
==6==  Address 0x524ac70 is 206,112 bytes inside an unallocated block of size 4,110,480 in arena "client"
==6==
==6== Invalid read of size 1
==6==    at 0x4ED9570: __strcmp_sse2_unaligned (strcmp-sse2-unaligned.S:24)
==6==    by 0x44CF30: compare_info_names (comp_captab.c:3393)
==6==    by 0x44F5ED: _nc_find_entry (comp_hash.c:70)
==6==    by 0x42D90D: nametrans (dump_entry.c:174)
==6==    by 0x40556F: put_translate (tic.c:339)
==6==    by 0x40556F: main (tic.c:1033)
==6==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==6==
==6==
==6== Process terminating with default action of signal 11 (SIGSEGV)
==6==  Access not within mapped region at address 0x0
==6==    at 0x4ED9570: __strcmp_sse2_unaligned (strcmp-sse2-unaligned.S:24)
==6==    by 0x44CF30: compare_info_names (comp_captab.c:3393)
==6==    by 0x44F5ED: _nc_find_entry (comp_hash.c:70)
==6==    by 0x42D90D: nametrans (dump_entry.c:174)
==6==    by 0x40556F: put_translate (tic.c:339)
==6==    by 0x40556F: main (tic.c:1033)
==6==  If you believe this happened as a result of a stack
==6==  overflow in your program's main thread (unlikely but
==6==  possible), you can try to increase the size of the
==6==  main thread stack using the --main-stacksize= flag.
==6==  The main thread stack size used in this run was 8388608.
# (untranslatable capabilities removed to fit entry within 1023 bytes)
# (acsc removed to fit entry within 1023 bytes)
# (terminfo-only capabilities suppressed to fit entry within 1023 bytes)
# WARNING: this entry, 1684 bytes long, may core-dump older termcap libraries!
[...]���p▒▒

 |���z  �x�����L5����Bf��}H�%v#��F�NneE5�j�4V敄��q+)M
"�{!���(�~"�2���-t�K��Q�hӇ!▒▒0f�H �k� Wl~z�/��ﱰ��u��ü�7�=l�������0o+��]W�q�d��g���W$���������3�Z%3�ƺ(��*�d�i@� �xP�7Қ��[�6-?7ڟ/�Z)ݑHp#��y���c��        ���r�����w8�▒▒E=Nw�C�t���kr�)�v/��
^����_׶8Rӂ�?wu�*�c:
L��GLٲ��Û�D��M����|z�:\
        :ac=\025,^V1\035\361 K0\33014253445678\32195H\334S\355`\350l0u\275z\223\0\001\216\326\227N\2564\347\272\355\203\360-\362\001\263:\
        :bl=^G:cr=\r:do=\n:kb=^H:kd=\n:kl=^H:nw=\r\n:sf=\n:ta=^I:
#�
  �F������8f�u+?�4/$Ʀ�#ٵ��W�y<�▒▒@�
R�'9��~��f�k��m��/�^>ir�o==6==     ��ZU
==6== HEAP SUMMARY:
==6==     in use at exit: 51,866 bytes in 35 blocks
==6==   total heap usage: 56 allocs, 21 frees, 79,904 bytes allocated
==6==
==6== Searching for pointers to 35 not-freed blocks
==6== Checked 106,600 bytes
==6==
==6== LEAK SUMMARY:
==6==    definitely lost: 0 bytes in 0 blocks
==6==    indirectly lost: 0 bytes in 0 blocks
==6==      possibly lost: 0 bytes in 0 blocks
==6==    still reachable: 51,866 bytes in 35 blocks
==6==         suppressed: 0 bytes in 0 blocks
==6== Rerun with --leak-check=full to see details of leaked memory
==6==
==6== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
==6==
==6== 1 errors in context 1 of 3:
==6== Invalid read of size 1
==6==    at 0x4ED9570: __strcmp_sse2_unaligned (strcmp-sse2-unaligned.S:24)
==6==    by 0x44CF30: compare_info_names (comp_captab.c:3393)
==6==    by 0x44F5ED: _nc_find_entry (comp_hash.c:70)
==6==    by 0x42D90D: nametrans (dump_entry.c:174)
==6==    by 0x40556F: put_translate (tic.c:339)
==6==    by 0x40556F: main (tic.c:1033)
==6==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==6==
==6==
==6== 1 errors in context 2 of 3:
==6== Invalid read of size 8
==6==    at 0x44F5E7: _nc_find_entry (comp_hash.c:70)
==6==    by 0x42D90D: nametrans (dump_entry.c:174)
==6==    by 0x40556F: put_translate (tic.c:339)
==6==    by 0x40556F: main (tic.c:1033)
==6==  Address 0x524ac70 is 206,112 bytes inside an unallocated block of size 4,110,480 in arena "client"
==6==
==6==
==6== 1 errors in context 3 of 3:
==6== Invalid read of size 1
==6==    at 0x4409DC: one_one_mapping (dump_entry.c:1399)
==6==    by 0x4409DC: purged_acs (dump_entry.c:1425)
==6==    by 0x4409DC: dump_entry (dump_entry.c:1587)
==6==    by 0x4045BA: main (tic.c:1039)
==6==  Address 0x520c54e is 0 bytes after a block of size 1,742 alloc'd
==6==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6==    by 0x4F847F: _nc_wrap_entry (alloc_entry.c:177)
==6==    by 0x4BB4F5: _nc_parse_entry (parse_entry.c:601)
==6==    by 0x4A892B: _nc_read_entry_source (comp_parse.c:225)
==6==    by 0x4037C8: main (tic.c:961)
==6==
==6== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
/bin/bash: line 1:     6 Segmentation fault      valgrind -v /tmp/noasan/infotocap fuzzpoc/infotocap_poc1
```


zjuchenyuan
 
From: Thomas Dickey
Date: 2019-10-12 09:20
To: address@hidden
CC: bug-ncurses
Subject: Re: Bug: heap-buffer-overflow in function postprocess_terminfo
On Fri, Oct 11, 2019 at 09:04:08PM -0400, Thomas Dickey wrote:
> On Fri, Oct 11, 2019 at 08:49:12PM -0400, Thomas Dickey wrote:
> > On Fri, Oct 11, 2019 at 04:44:32PM +0800, address@hidden wrote:
> > > Version: snapshot label v6_1_20191005
> > >
> > > POC: https://github.com/zjuchenyuan/fuzzpoc/raw/master/infotocap_poc5
> > >
> > > ```
> > > # /tmp/infotocap fuzzpoc/infotocap_poc5
> > > =================================================================
> > > ==7==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001b500 at pc 0x0000004b9e95 bp 0x7fffffffafd0 sp 0x7fffffffafc0
> > > READ of size 1 at 0x62100001b500 thread T0
> >
> > hmm - not "heap-buffer-overflow" (that applies to writes).
>
> You might find this useful:
>
> https://cwe.mitre.org/data/definitions/122.html
>
> (I use asan occasionally, but valgrind frequently - it's slower but usually
> more accurate).
 
Looking at the reports, in each case asan states "buffer overflow",
but out-of-bounds-read (#125) is the apparent issue.  For pocs 1,3,5,
valgrind reports "Invalid read of size xx".
 
The distinction is worth keeping in mind, since heap/stack buffer
overflows are a more serious issue (since they modify something
unexpectedly) than reads.
 
The actual problem requires some analysis of course - that's only a symptom.
 
--
Thomas E. Dickey <address@hidden>
https://invisible-island.net
ftp://ftp.invisible-island.net
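The read/write distinction Dickey draws above is easy to lose when triaging a batch of fuzzer crashes, because ASan headlines every out-of-bounds heap access as "heap-buffer-overflow" while Memcheck says "Invalid read" or "Invalid write". The script below is an added example, not part of this thread and not ncurses code: it parses mixed Memcheck and ASan output, classifies reads as CWE-125 and writes as CWE-122 (the two classes cited in the thread), stops collecting frames at the "Address ..." line so the allocation stack is not mixed into the access stack, and drops the duplicate copies Memcheck prints in its ERROR SUMMARY. The function and regex names are my own; the sample input is excerpted from the reports quoted in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
# Memcheck error header, e.g. "==6== Invalid read of size 1"
VALGRIND_HDR = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)\s*$")
# Memcheck stack frame, e.g. "==6==    by 0x42D90D: nametrans (dump_entry.c:174)"
VALGRIND_FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)\s*$")
# End of the access stack: the "Address ..." line (an allocation stack may follow) or a blank "==N==" line
VALGRIND_END = re.compile(r"^==\d+==(\s+Address |\s*$)")
# ASan headline, e.g. "==7==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x..."
ASAN_HDR = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address 0x[0-9a-f]+")
# ASan access line, e.g. "READ of size 1 at 0x62100001b500 thread T0"
ASAN_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")

@dataclass
class Finding:
    tool: str     # "valgrind" or "asan"
    label: str    # the tool's own wording for the error
    access: str   # "read" or "write"
    size: int     # bytes accessed
    frames: List[str] = field(default_factory=list)  # innermost frame first

    @property
    def cwe(self) -> str:
        # An out-of-bounds read is CWE-125; only a write is a heap-based buffer overflow (CWE-122).
        return "CWE-125" if self.access == "read" else "CWE-122"

def parse_report(text: str) -> List[Finding]:
    """Extract memory-access findings from mixed Memcheck / ASan output."""
    findings: List[Finding] = []
    current: Optional[Finding] = None   # Memcheck finding whose stack is being collected
    pending_asan: Optional[str] = None  # ASan label waiting for its READ/WRITE line
    for raw in text.splitlines():
        line = raw.lstrip("> ")  # tolerate e-mail quoting prefixes
        m = VALGRIND_HDR.match(line)
        if m:
            current = Finding("valgrind", f"Invalid {m.group(1)}", m.group(1), int(m.group(2)))
            findings.append(current)
            continue
        if current is not None and VALGRIND_END.match(line):
            current = None  # do not mix the allocation stack into the access stack
            continue
        m = VALGRIND_FRAME.match(line)
        if m and current is not None:
            current.frames.append(f"{m.group(1)} ({m.group(2)})")
            continue
        m = ASAN_HDR.match(line)
        if m:
            pending_asan = m.group(1)
            continue
        m = ASAN_ACCESS.match(line)
        if m and pending_asan is not None:
            findings.append(Finding("asan", pending_asan, m.group(1).lower(), int(m.group(2))))
            pending_asan = None
    # Memcheck repeats every error in its ERROR SUMMARY; keep one copy per distinct context.
    unique, seen = [], set()
    for f in findings:
        key = (f.tool, f.label, f.size, tuple(f.frames))
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique

def triage(text: str) -> dict:
    """Count findings per CWE and flag whether any write (the more serious class) is present."""
    counts = {"CWE-125": 0, "CWE-122": 0}
    findings = parse_report(text)
    for f in findings:
        counts[f.cwe] += 1
    return {"findings": len(findings), "counts": counts, "writes_present": counts["CWE-122"] > 0}

# Sample input, excerpted from the Memcheck (poc1) and ASan (poc5) output quoted in this thread.
SAMPLE_REPORT = """\
==6== Invalid read of size 1
==6==    at 0x4409DC: one_one_mapping (dump_entry.c:1399)
==6==    by 0x4409DC: purged_acs (dump_entry.c:1425)
==6==    by 0x4409DC: dump_entry (dump_entry.c:1587)
==6==    by 0x4045BA: main (tic.c:1039)
==6==  Address 0x520c54e is 0 bytes after a block of size 1,742 alloc'd
==6==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6==    by 0x4F847F: _nc_wrap_entry (alloc_entry.c:177)
==6==
==6== Invalid read of size 8
==6==    at 0x44F5E7: _nc_find_entry (comp_hash.c:70)
==6==    by 0x42D90D: nametrans (dump_entry.c:174)
==6==    by 0x40556F: put_translate (tic.c:339)
==6==    by 0x40556F: main (tic.c:1033)
==6==  Address 0x524ac70 is 206,112 bytes inside an unallocated block of size 4,110,480 in arena "client"
==6==
==6== 1 errors in context 3 of 3:
==6== Invalid read of size 1
==6==    at 0x4409DC: one_one_mapping (dump_entry.c:1399)
==6==    by 0x4409DC: purged_acs (dump_entry.c:1425)
==6==    by 0x4409DC: dump_entry (dump_entry.c:1587)
==6==    by 0x4045BA: main (tic.c:1039)
> > > ==7==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001b500 at pc 0x0000004b9e95 bp 0x7fffffffafd0 sp 0x7fffffffafc0
> > > READ of size 1 at 0x62100001b500 thread T0
"""
```

Calling `triage(SAMPLE_REPORT)` on the excerpt yields three distinct findings, all CWE-125 and no writes, which matches Dickey's reading of pocs 1 and 5; on a full log (`triage(open("valgrind.log").read())`) the `writes_present` flag is the quick way to pick out the crashes that deserve attention first, while the retained stack frames point at the code to analyse for the real cause.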
