A heap-buffer-overflow in postprocess

bug-ncurses
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
A heap-buffer-overflow in postprocess_termcap, ncurse

From:	郑晗
Subject:	A heap-buffer-overflow in postprocess_termcap, ncurse
Date:	Wed, 27 Apr 2022 22:16:02 +0800 (GMT+08:00)
ear developers,

I'm a security researcher and is now trying to test my new fuzzer. I've just 
found an illegal memory access in the latest commit of ncurse, tic. Here are 
the informations:

(1) environment
Ubuntu 20.04.3 LTS
gcc 9.3.0
ncurse v6_3_20220423, which is also the latest commit 
7395e6deb0a2790cb2505669b2ae74751f926e7c 

(2) step to reproduce: 
export CFLAGS="-fsanitze=address -g"
export CXXFLAGS="-fsanitize=address -g"
./configure ; make -j$(nproc)
./prog/tic $POC

(3) ASAN Report
"crash.0", line 1, col 19: dubious character `]' in name or alias field
"crash.0", line 1, col 38, terminal 'appd=^177]Qcl=^LAc': Illegal character 
(expected alphanumeric or @%&amp;*!#) - '^K'
"crash.0", line 1, col 54, terminal 'appd=^177]Qcl=^LAc': Illegal character - ' 
'
"crash.0", line 1, col 54, terminal 'appd=^177]Qcl=^LAc': wrong type used for 
numeric capability 'liA0'
"crash.0", line 1, col 61, terminal 'appd=^177]Qcl=^LAc': Illegal character - ' 
'
"crash.0", line 1, col 61, terminal 'appd=^177]Qcl=^LAc': wrong type used for 
numeric capability 'column'
"crash.0", line 1, col 73, terminal 'appd=^177]Qcl=^LAc': Illegal character - 
'^'
"crash.0", line 1, col 73, terminal 'appd=^177]Qcl=^LAc': Legacy termcap allows 
only a trailing tc= clause
"crash.0", line 1, col 73, terminal 'appd=^177]Qcl=^LAc': unknown capability 
'firmwareeII'
"crash.0", line 1, col 75, terminal 'appd=^177]Qcl=^LAc': unknown capability 'L'
"crash.0", line 1, col 83, terminal 'appd=^177]Qcl=^LAc': Missing separator
"crash.0", line 6, col 10, terminal 'appd=^177]Qcl=^LAc': Missing backslash 
before newline
"crash.0", line 6, col 13, terminal 'appd=^177]Qcl=^LAc': Missing separator 
after `ae', have ^
"crash.0", line 6, col 15, terminal 'appd=^177]Qcl=^LAc': unknown capability 'N'
"crash.0", line 7, col 16, terminal 'appd=^177]Qcl=^LAc': Illegal character 
(expected alphanumeric or @%&amp;*!#) - 'M--'
"crash.0", line 9, col 12, terminal 'appd=^177]Qcl=^LAc': Illegal character - 
'^?'
"crash.0", line 9, col 12, terminal 'appd=^177]Qcl=^LAc': wrong type used for 
string capability 'se'
"crash.0", line 9, col 13, terminal 'appd=^177]Qcl=^LAc': Illegal character 
(expected alphanumeric or @%&amp;*!#) - '^'
"crash.0", line 12, col 1, terminal 'appd=^177]Qcl=^LAc': Missing separator
"crash.0", line 36, col 10, terminal 'acte#24': Illegal character (expected 
alphanumeric or @%&amp;*!#) - '|'
"crash.0", line 36, col 20, terminal 'acte#24': Illegal character (expected 
alphanumeric or @%&amp;*!#) - '^G'
"crash.0", line 36, col 53, terminal 'acte#24': Illegal character (expected 
alphanumeric or @%&amp;*!#) - '^K'
"crash.0", line 36, col 69, terminal 'acte#24': invalid name for use-clause 
"Zit#8kC="
"crash.0", line 36, col 82, terminal 'acte#24': Illegal character (expected 
alphanumeric or @%&amp;*!#) - '^G'
"crash.0", line 36, col 103, terminal 'acte#24': unknown capability 'lr'
"crash.0", line 36, col 104, terminal 'acte#24': Illegal character (expected 
alphanumeric or @%&amp;*!#) - '~?'
"crash.0", line 36, col 112, terminal 'acte#24': Illegal character (expected 
alphanumeric or @%&amp;*!#) - '^'
"crash.0", line 36, col 124, terminal 'acte#24': Illegal character - '+'
"crash.0", line 36, col 124, terminal 'acte#24': unknown capability 'sl'
"crash.0", line 36, col 133, terminal 'acte#24': wrong type used for numeric 
capability 'dBl'
"crash.0", line 36, col 151, terminal 'acte#24': Legacy termcap allows only a 
trailing tc= clause
"crash.0", line 36, col 151, terminal 'acte#24': unknown capability 'Iap'
"crash.0", line 36, col 161, terminal 'acte#24': Missing separator
"crash.0", line 37, col 27, terminal 'V': older tic versions may treat the 
description field as an alias
"crash.0", line 37, col 40, terminal 'V': Illegal character (expected 
alphanumeric or @%&amp;*!#) - '='
"crash.0", line 37, col 183, terminal 'V': Illegal character (expected 
alphanumeric or @%&amp;*!#) - '='
"crash.0", line 37, col 192, terminal 'V': Legacy termcap allows only a 
trailing tc= clause
"crash.0", line 37, col 370, terminal 'V': Illegal character (expected 
alphanumeric or @%&amp;*!#) - '^H'
"crash.0", line 37, col 380, terminal 'V': unknown capability 'Qm'
"crash.0", line 37, col 383, terminal 'V': unknown capability 'Pw'
"crash.0", line 37, col 403, terminal 'V': Missing separator
"crash.0", line 38, col 1, terminal 'V': Illegal character (expected 
alphanumeric or @%&amp;*!#) - 'M-&lt;'
"crash.0", line 38, col 709, terminal 'V': Illegal character - '%'
"crash.0", line 38, col 709, terminal 'V': unknown capability 
'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyzyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
"crash.0", line 38, col 711, terminal 'V': Illegal character - '*'
"crash.0", line 38, col 711, terminal 'V': unknown capability 'a'
"crash.0", line 38, col 714, terminal 'V': unknown capability 'pL'
"crash.0", line 38, col 807, terminal 'V': Illegal character - ' '
"crash.0", line 38, col 807, terminal 'V': unknown capability 
'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
"crash.0", line 38, col 814, terminal 'V': wrong type used for boolean 
capability 'ins'
"crash.0", line 38, col 817, terminal 'V': unknown capability 'A'
"crash.0", line 38, col 905, terminal 'V': Illegal character - '^P'
"crash.0", line 38, col 905, terminal 'V': unknown capability 
'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
"crash.0", line 38, col 1652, terminal 'V': unknown capability 
'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyzyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy177SOd'
"crash.0", line 39, col 72, terminal 'V': Illegal character - '~E'
"crash.0", line 39, col 72, terminal 'V': unknown capability 
'byyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyydyyyyyyyyyyyyyyyyyyyy'
"crash.0", line 39, col 311, terminal 'V': unknown capability 
'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyl'
"crash.0", line 39, col 312, terminal 'V': Illegal character (expected 
alphanumeric or @%&amp;*!#) - '='
"crash.0", line 39, col 926, terminal 'V': Very long string found.  Missing 
separator?
"crash.0", line 39, col 1539, terminal 'V': Missing separator
"crash.0", line 40, col 1, terminal 'V': Illegal character (expected 
alphanumeric or @%&amp;*!#) - 'M-&lt;'
=================================================================
==3138955==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x621000003900 at pc 0x562f0dfc843f bp 0x7ffd7b41d7d0 sp 0x7ffd7b41d7c0
READ of size 1 at 0x621000003900 thread T0
    #0 0x562f0dfc843e in postprocess_termcap 
../ncurses/./tinfo/parse_entry.c:947
    #1 0x562f0dfc519a in _nc_parse_entry ../ncurses/./tinfo/parse_entry.c:602
    #2 0x562f0dfba294 in _nc_read_entry_source 
../ncurses/./tinfo/comp_parse.c:226
    #3 0x562f0df76580 in main ../progs/tic.c:964
    #4 0x7febf41320b2 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #5 0x562f0df72e0d in _start 
(/home/hzheng/real-validate/ncurses-snapshots/progs/tic+0x37e0d)

0x621000003900 is located 0 bytes to the right of 4096-byte region 
[0x621000002900,0x621000003900)
allocated by thread T0 here:
    #0 0x7febf440abc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x562f0dfd8d59 in _nc_init_entry ../ncurses/./tinfo/alloc_entry.c:75
    #2 0x562f0dfc3242 in _nc_parse_entry ../ncurses/./tinfo/parse_entry.c:272
    #3 0x562f0dfba294 in _nc_read_entry_source 
../ncurses/./tinfo/comp_parse.c:226
    #4 0x562f0df76580 in main ../progs/tic.c:964
    #5 0x7febf41320b2 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow 
../ncurses/./tinfo/parse_entry.c:947 in postprocess_termcap
Shadow bytes around the buggy address:
  0x0c427fff86d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff86e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff86f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=&gt;0x0c427fff8720:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3138955==ABORTING

(4) POC
As shown in the attachment

(5) Credit
NCNIPC of China 
Hexhive
poc1.zip
Description: Zip compressed data
[Prev in Thread]
Current Thread
[Next in Thread]
A heap-buffer-overflow in postprocess_termcap, ncurse, 郑晗 <=
- Re: A heap-buffer-overflow in postprocess_termcap, ncurse, Thomas Dickey, 2022/04/28
- Re: A heap-buffer-overflow in postprocess_termcap, ncurse, 郑晗, 2022/04/28
  - Re: A heap-buffer-overflow in postprocess_termcap, ncurse, Thomas Dickey, 2022/04/30
Prev by Date: Re: SGR (1006) all events (1003) mouse tracking issue
Next by Date: Re: A heap-buffer-overflow in postprocess_termcap, ncurse
Previous by thread: SGR (1006) all events (1003) mouse tracking issue
Next by thread: Re: A heap-buffer-overflow in postprocess_termcap, ncurse
Index(es):
- Date
- Thread