Re: A heap-buffer-overflow in postprocess_termcap, ncurse
From: Thomas Dickey
Subject: Re: A heap-buffer-overflow in postprocess_termcap, ncurse
Date: Tue, 3 May 2022 04:15:04 -0400
User-agent: Mutt/1.10.1 (2018-07-13)
On Tue, May 03, 2022 at 03:54:14PM +0800, 郑晗 wrote:
> Yeah, it's fixed now. Thanks.
sounds good.
I'm guessing that one or both of these items addressed this report:
+ improve valid_entryname() to disallow characters used in terminfo
syntax: '#', '=', '|', '\'.
+ use calloc in _nc_init_entry() when allocating stringbuf, to ensure
it is initialized.
> > -----Original Message-----
> > From: "Thomas Dickey" <dickey@his.com>
> > Sent: 2022-05-01 08:40:22 (Sunday)
> > To: "郑晗" <zhenghan20@mails.ucas.ac.cn>
> > Cc: bug-ncurses@gnu.org
> > Subject: Re: A heap-buffer-overflow in postprocess_termcap, ncurse
> >
> > On Thu, Apr 28, 2022 at 04:36:38PM +0800, 郑晗 wrote:
> > >
> > > Hmm, maybe you could try docker's ubuntu 20.04 image, which is the
> > > 20.04.4 LTS.
> >
> > hmm - my first thought on this was that it wouldn't work well
> > (since my Linux machines already are virtual). But docker
> > might work adequately via MacPorts.
> >
> > However, I made some changes to the library which may have fixed
> > the issue which you reported.
> >
> > > In the attachment is the compiled tic binary from the latest ncurses. Could
> > > you try to reproduce by following these steps:
> > >
> > > (1) docker pull ubuntu:20.04
> > >
> > > (2) start a container from this image, install the gcc and g++ packages (to make
> > > sure we have the ASAN runtime library)
> > >
> > > (3) copy the binary and poc in the attachment and execute.
> > >
> > > By following the steps above I can reproduce this problem. Please let me know
> > > if you cannot reproduce it.
> > >
> > > Thanks and Best
> > >
> > > > -----Original Message-----
> > > > From: "郑晗" <zhenghan20@mails.ucas.ac.cn>
> > > > Sent: 2022-04-27 22:16:02 (Wednesday)
> > > > To: bug-ncurses@gnu.org
> > > > Cc:
> > > > Subject: A heap-buffer-overflow in postprocess_termcap, ncurse
> > > >
> > > > Dear developers,
> > > >
> > > > I'm a security researcher and am now trying to test my new fuzzer. I've
> > > > just found an illegal memory access in the latest commit of ncurses, in
> > > > tic. Here is the information:
> > > >
> > > > (1) environment
> > > > Ubuntu 20.04.3 LTS
> > > > gcc 9.3.0
> > > > ncurses v6_3_20220423, which is also the latest commit
> > > > 7395e6deb0a2790cb2505669b2ae74751f926e7c
> > > >
> > > > (2) steps to reproduce:
> > > > export CFLAGS="-fsanitize=address -g"
> > > > export CXXFLAGS="-fsanitize=address -g"
> > > > ./configure ; make -j$(nproc)
> > > > ./progs/tic $POC
> > > >
> > > > (3) ASAN Report
> > > > "crash.0", line 1, col 19: dubious character `]' in name or alias field
> > > > "crash.0", line 1, col 38, terminal 'appd=^177]Qcl=^LAc': Illegal
> > > > character (expected alphanumeric or @%&*!#) - '^K'
> > > > "crash.0", line 1, col 54, terminal 'appd=^177]Qcl=^LAc': Illegal
> > > > character - ' '
> > > > "crash.0", line 1, col 54, terminal 'appd=^177]Qcl=^LAc': wrong type
> > > > used for numeric capability 'liA0'
> > > > "crash.0", line 1, col 61, terminal 'appd=^177]Qcl=^LAc': Illegal
> > > > character - ' '
> > > > "crash.0", line 1, col 61, terminal 'appd=^177]Qcl=^LAc': wrong type
> > > > used for numeric capability 'column'
> > > > "crash.0", line 1, col 73, terminal 'appd=^177]Qcl=^LAc': Illegal
> > > > character - '^'
> > > > "crash.0", line 1, col 73, terminal 'appd=^177]Qcl=^LAc': Legacy
> > > > termcap allows only a trailing tc= clause
> > > > "crash.0", line 1, col 73, terminal 'appd=^177]Qcl=^LAc': unknown
> > > > capability 'firmwareeII'
> > > > "crash.0", line 1, col 75, terminal 'appd=^177]Qcl=^LAc': unknown
> > > > capability 'L'
> > > > "crash.0", line 1, col 83, terminal 'appd=^177]Qcl=^LAc': Missing
> > > > separator
> > > > "crash.0", line 6, col 10, terminal 'appd=^177]Qcl=^LAc': Missing
> > > > backslash before newline
> > > > "crash.0", line 6, col 13, terminal 'appd=^177]Qcl=^LAc': Missing
> > > > separator after `ae', have ^
> > > > "crash.0", line 6, col 15, terminal 'appd=^177]Qcl=^LAc': unknown
> > > > capability 'N'
> > > > "crash.0", line 7, col 16, terminal 'appd=^177]Qcl=^LAc': Illegal
> > > > character (expected alphanumeric or @%&*!#) - 'M--'
> > > > "crash.0", line 9, col 12, terminal 'appd=^177]Qcl=^LAc': Illegal
> > > > character - '^?'
> > > > "crash.0", line 9, col 12, terminal 'appd=^177]Qcl=^LAc': wrong type
> > > > used for string capability 'se'
> > > > "crash.0", line 9, col 13, terminal 'appd=^177]Qcl=^LAc': Illegal
> > > > character (expected alphanumeric or @%&*!#) - '^'
> > > > "crash.0", line 12, col 1, terminal 'appd=^177]Qcl=^LAc': Missing
> > > > separator
> > > > "crash.0", line 36, col 10, terminal 'acte#24': Illegal character
> > > > (expected alphanumeric or @%&*!#) - '|'
> > > > "crash.0", line 36, col 20, terminal 'acte#24': Illegal character
> > > > (expected alphanumeric or @%&*!#) - '^G'
> > > > "crash.0", line 36, col 53, terminal 'acte#24': Illegal character
> > > > (expected alphanumeric or @%&*!#) - '^K'
> > > > "crash.0", line 36, col 69, terminal 'acte#24': invalid name for
> > > > use-clause "Zit#8kC="
> > > > "crash.0", line 36, col 82, terminal 'acte#24': Illegal character
> > > > (expected alphanumeric or @%&*!#) - '^G'
> > > > "crash.0", line 36, col 103, terminal 'acte#24': unknown capability 'lr'
> > > > "crash.0", line 36, col 104, terminal 'acte#24': Illegal character
> > > > (expected alphanumeric or @%&*!#) - '~?'
> > > > "crash.0", line 36, col 112, terminal 'acte#24': Illegal character
> > > > (expected alphanumeric or @%&*!#) - '^'
> > > > "crash.0", line 36, col 124, terminal 'acte#24': Illegal character - '+'
> > > > "crash.0", line 36, col 124, terminal 'acte#24': unknown capability 'sl'
> > > > "crash.0", line 36, col 133, terminal 'acte#24': wrong type used for
> > > > numeric capability 'dBl'
> > > > "crash.0", line 36, col 151, terminal 'acte#24': Legacy termcap allows
> > > > only a trailing tc= clause
> > > > "crash.0", line 36, col 151, terminal 'acte#24': unknown capability
> > > > 'Iap'
> > > > "crash.0", line 36, col 161, terminal 'acte#24': Missing separator
> > > > "crash.0", line 37, col 27, terminal 'V': older tic versions may treat
> > > > the description field as an alias
> > > > "crash.0", line 37, col 40, terminal 'V': Illegal character (expected
> > > > alphanumeric or @%&*!#) - '='
> > > > "crash.0", line 37, col 183, terminal 'V': Illegal character (expected
> > > > alphanumeric or @%&*!#) - '='
> > > > "crash.0", line 37, col 192, terminal 'V': Legacy termcap allows only a
> > > > trailing tc= clause
> > > > "crash.0", line 37, col 370, terminal 'V': Illegal character (expected
> > > > alphanumeric or @%&*!#) - '^H'
> > > > "crash.0", line 37, col 380, terminal 'V': unknown capability 'Qm'
> > > > "crash.0", line 37, col 383, terminal 'V': unknown capability 'Pw'
> > > > "crash.0", line 37, col 403, terminal 'V': Missing separator
> > > > "crash.0", line 38, col 1, terminal 'V': Illegal character (expected
> > > > alphanumeric or @%&*!#) - 'M-<'
> > > > "crash.0", line 38, col 709, terminal 'V': Illegal character - '%'
> > > > "crash.0", line 38, col 709, terminal 'V': unknown capability
> > > > 'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyzyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
> > > > "crash.0", line 38, col 711, terminal 'V': Illegal character - '*'
> > > > "crash.0", line 38, col 711, terminal 'V': unknown capability 'a'
> > > > "crash.0", line 38, col 714, terminal 'V': unknown capability 'pL'
> > > > "crash.0", line 38, col 807, terminal 'V': Illegal character - ' '
> > > > "crash.0", line 38, col 807, terminal 'V': unknown capability
> > > > 'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
> > > > "crash.0", line 38, col 814, terminal 'V': wrong type used for boolean
> > > > capability 'ins'
> > > > "crash.0", line 38, col 817, terminal 'V': unknown capability 'A'
> > > > "crash.0", line 38, col 905, terminal 'V': Illegal character - '^P'
> > > > "crash.0", line 38, col 905, terminal 'V': unknown capability
> > > > 'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
> > > > "crash.0", line 38, col 1652, terminal 'V': unknown capability
> > > > 'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyzyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy177SOd'
> > > > "crash.0", line 39, col 72, terminal 'V': Illegal character - '~E'
> > > > "crash.0", line 39, col 72, terminal 'V': unknown capability
> > > > 'byyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyydyyyyyyyyyyyyyyyyyyyy'
> > > > "crash.0", line 39, col 311, terminal 'V': unknown capability
> > > > 'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyl'
> > > > "crash.0", line 39, col 312, terminal 'V': Illegal character (expected
> > > > alphanumeric or @%&*!#) - '='
> > > > "crash.0", line 39, col 926, terminal 'V': Very long string found.
> > > > Missing separator?
> > > > "crash.0", line 39, col 1539, terminal 'V': Missing separator
> > > > "crash.0", line 40, col 1, terminal 'V': Illegal character (expected
> > > > alphanumeric or @%&*!#) - 'M-<'
> > > > =================================================================
> > > > ==3138955==ERROR: AddressSanitizer: heap-buffer-overflow on address
> > > > 0x621000003900 at pc 0x562f0dfc843f bp 0x7ffd7b41d7d0 sp 0x7ffd7b41d7c0
> > > > READ of size 1 at 0x621000003900 thread T0
> > > > #0 0x562f0dfc843e in postprocess_termcap
> > > > ../ncurses/./tinfo/parse_entry.c:947
> > > > #1 0x562f0dfc519a in _nc_parse_entry
> > > > ../ncurses/./tinfo/parse_entry.c:602
> > > > #2 0x562f0dfba294 in _nc_read_entry_source
> > > > ../ncurses/./tinfo/comp_parse.c:226
> > > > #3 0x562f0df76580 in main ../progs/tic.c:964
> > > > #4 0x7febf41320b2 in __libc_start_main
> > > > (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
> > > > #5 0x562f0df72e0d in _start
> > > > (/home/hzheng/real-validate/ncurses-snapshots/progs/tic+0x37e0d)
> > > >
> > > > 0x621000003900 is located 0 bytes to the right of 4096-byte region
> > > > [0x621000002900,0x621000003900)
> > > > allocated by thread T0 here:
> > > > #0 0x7febf440abc8 in malloc
> > > > (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
> > > > #1 0x562f0dfd8d59 in _nc_init_entry
> > > > ../ncurses/./tinfo/alloc_entry.c:75
> > > > #2 0x562f0dfc3242 in _nc_parse_entry
> > > > ../ncurses/./tinfo/parse_entry.c:272
> > > > #3 0x562f0dfba294 in _nc_read_entry_source
> > > > ../ncurses/./tinfo/comp_parse.c:226
> > > > #4 0x562f0df76580 in main ../progs/tic.c:964
> > > > #5 0x7febf41320b2 in __libc_start_main
> > > > (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
> > > >
> > > > SUMMARY: AddressSanitizer: heap-buffer-overflow
> > > > ../ncurses/./tinfo/parse_entry.c:947 in postprocess_termcap
> > > > Shadow bytes around the buggy address:
> > > > 0x0c427fff86d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > > 0x0c427fff86e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > > 0x0c427fff86f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > > 0x0c427fff8700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > > 0x0c427fff8710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > > =>0x0c427fff8720:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > > > 0x0c427fff8730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > > > 0x0c427fff8740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > > > 0x0c427fff8750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > > > 0x0c427fff8760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > > > 0x0c427fff8770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > > > Shadow byte legend (one shadow byte represents 8 application bytes):
> > > > Addressable: 00
> > > > Partially addressable: 01 02 03 04 05 06 07
> > > > Heap left redzone: fa
> > > > Freed heap region: fd
> > > > Stack left redzone: f1
> > > > Stack mid redzone: f2
> > > > Stack right redzone: f3
> > > > Stack after return: f5
> > > > Stack use after scope: f8
> > > > Global redzone: f9
> > > > Global init order: f6
> > > > Poisoned by user: f7
> > > > Container overflow: fc
> > > > Array cookie: ac
> > > > Intra object redzone: bb
> > > > ASan internal: fe
> > > > Left alloca redzone: ca
> > > > Right alloca redzone: cb
> > > > Shadow gap: cc
> > > > ==3138955==ABORTING
> > > >
> > > > (4) POC
> > > > As shown in the attachment
> > > >
> > > > (5) Credit
> > > > NCNIPC of China
> > > > Hexhive
> >
> >
> >
> > --
> > Thomas E. Dickey <dickey@invisible-island.net>
> > https://invisible-island.net
> > ftp://ftp.invisible-island.net
--
Thomas E. Dickey <dickey@invisible-island.net>
https://invisible-island.net
ftp://ftp.invisible-island.net
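The two fix items Thomas lists above (rejecting terminfo syntax characters in a name or alias, and zero-initializing the string pool so a terminator scan can never run off the allocation) are the general pattern behind this class of parser bug. The following is an added, self-contained C example written for this page, not ncurses code: `name_is_valid`, `name_field_is_valid`, `entry_init`, `entry_add_string` and `entry_strlen_at` are hypothetical names modelled on the description of the fix, not on the real `valid_entryname()` or `_nc_init_entry()`, and `STRBUF_SIZE` is set to 4096 only because that is the size of the overflowed region in the ASAN report. It does not claim to reproduce the exact root cause at parse_entry.c:947, and it is looser than tic's real check (tic also warned about `]` as a dubious name character).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pool size chosen to match the 4096-byte region in the ASAN report (assumption). */
#define STRBUF_SIZE 4096

/* Characters with syntactic meaning in terminfo/termcap source; the fix item
 * says valid_entryname() now rejects these in a name or alias. */
static bool is_syntax_char(unsigned char c)
{
    return c == '#' || c == '=' || c == '|' || c == '\\';
}

/* Hypothetical validator (not ncurses' valid_entryname()): a name or alias must
 * be non-empty, printable, and free of terminfo syntax characters. */
bool name_is_valid(const char *name, size_t len)
{
    if (len == 0)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isgraph(c) || is_syntax_char(c))   /* isgraph rejects space and controls */
            return false;
    }
    return true;
}

/* Check the name field of a termcap line ("name|alias|...|description:").
 * The last '|'-separated field is free-text description, not a name. */
bool name_field_is_valid(const char *line)
{
    const char *colon = strchr(line, ':');
    size_t len = colon ? (size_t)(colon - line) : strlen(line);
    if (len == 0)
        return false;
    const char *end = line + len;
    for (const char *q = end; q > line; q--) {
        if (q[-1] == '|') {             /* drop the trailing description field */
            end = q - 1;
            break;
        }
    }
    for (const char *p = line;;) {
        const char *bar = memchr(p, '|', (size_t)(end - p));
        size_t n = bar ? (size_t)(bar - p) : (size_t)(end - p);
        if (!name_is_valid(p, n))       /* an empty alias such as "a||b" is rejected */
            return false;
        if (bar == NULL)
            return true;
        p = bar + 1;
    }
}

/* A string pool in the spirit of stringbuf: one fixed block from which
 * capability strings are carved and referenced by offset. */
struct entry {
    char  *stringbuf;
    size_t used;
};

/* calloc, not malloc: every byte starts as NUL, so a terminator scan that
 * begins anywhere inside the pool stops inside it. */
struct entry *entry_init(void)
{
    struct entry *e = calloc(1, sizeof *e);
    if (e == NULL)
        return NULL;
    e->stringbuf = calloc(STRBUF_SIZE, 1);
    if (e->stringbuf == NULL) {
        free(e);
        return NULL;
    }
    return e;
}

void entry_free(struct entry *e)
{
    if (e != NULL) {
        free(e->stringbuf);
        free(e);
    }
}

/* Copy a capability value into the pool. Returns its offset, or -1 if the value
 * plus its NUL terminator would not fit; never writes past the pool. */
long entry_add_string(struct entry *e, const char *value)
{
    size_t n = strlen(value);
    if (n + 1 > STRBUF_SIZE - e->used)
        return -1;
    size_t off = e->used;
    memcpy(e->stringbuf + off, value, n + 1);
    e->used += n + 1;
    return (long)off;
}

/* Length of the string at an offset, bounded by the pool size so the read can
 * never leave the allocation even if a terminator were missing. */
size_t entry_strlen_at(const struct entry *e, size_t off)
{
    if (off >= STRBUF_SIZE)
        return 0;
    const char *start = e->stringbuf + off;
    const char *nul = memchr(start, '\0', STRBUF_SIZE - off);
    return nul ? (size_t)(nul - start) : STRBUF_SIZE - off;
}

int main(void)
{
    /* Constructed inputs: a well-formed name field, and one shaped like the
     * first terminal name tic printed for the fuzzer's crash file. */
    printf("%d\n", name_field_is_valid("xterm|xterm-256color|X11 terminal emulator:co#80:"));
    printf("%d\n", name_field_is_valid("appd=^177]Qcl=^LAc:"));
    struct entry *e = entry_init();
    if (e == NULL)
        return 1;
    long off = entry_add_string(e, "\\E[H\\E[2J");
    printf("%ld %zu\n", off, entry_strlen_at(e, (size_t)off));
    entry_free(e);
    return 0;
}
```

The design point is that neither check alone is enough: the validator keeps syntax characters out of names so the termcap post-processing never sees a name that looks like a capability, and the zeroed, bounds-checked pool makes sure that even an unexpected input cannot turn a terminator scan into an out-of-bounds read like the one-byte READ past the 4096-byte region in the report.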