bug-ncurses

Re: A heap-buffer-overflow in postprocess_termcap, ncurse


From: 郑晗
Subject: Re: A heap-buffer-overflow in postprocess_termcap, ncurse
Date: Thu, 28 Apr 2022 16:36:38 +0800 (GMT+08:00)

Hmm, maybe you could try docker's ubuntu 20.04 image, which is the 20.04.4 LTS.

Attached is the compiled tic binary from the latest ncurses. Could you try
to reproduce it by following these steps:

(1) docker pull ubuntu:20.04

(2) start a container from this image and install the gcc and g++ packages (to make sure we
have the ASan runtime library)

(3) copy the binary and the PoC from the attachment and execute.

By following the steps above I can reproduce this problem. Please let me know if you
cannot reproduce it.

Thanks and Best

> -----Original Message-----
> From: "郑晗" <zhenghan20@mails.ucas.ac.cn>
> Sent: 2022-04-27 22:16:02 (Wednesday)
> To: bug-ncurses@gnu.org
> Cc: 
> Subject: A heap-buffer-overflow in postprocess_termcap, ncurse
> 
> Dear developers,
&gt; 
> I'm a security researcher and am now trying to test my new fuzzer. I've just found an illegal memory access in the latest commit of ncurses, tic. Here is the information:
> 
> (1) environment
> Ubuntu 20.04.3 LTS
> gcc 9.3.0
> ncurses v6_3_20220423, which is also the latest commit 7395e6deb0a2790cb2505669b2ae74751f926e7c
> 
> (2) steps to reproduce:
> export CFLAGS="-fsanitize=address -g"
> export CXXFLAGS="-fsanitize=address -g"
> ./configure ; make -j$(nproc)
> ./progs/tic $POC
> 
> (3) ASAN Report
> "crash.0", line 1, col 19: dubious character `]' in name or alias field
> "crash.0", line 1, col 38, terminal 'appd=^177]Qcl=^LAc': Illegal character (expected alphanumeric or @%&*!#) - '^K'
> "crash.0", line 1, col 54, terminal 'appd=^177]Qcl=^LAc': Illegal character - ' '
> "crash.0", line 1, col 54, terminal 'appd=^177]Qcl=^LAc': wrong type used for numeric capability 'liA0'
> "crash.0", line 1, col 61, terminal 'appd=^177]Qcl=^LAc': Illegal character - ' '
> "crash.0", line 1, col 61, terminal 'appd=^177]Qcl=^LAc': wrong type used for numeric capability 'column'
> "crash.0", line 1, col 73, terminal 'appd=^177]Qcl=^LAc': Illegal character - '^'
> "crash.0", line 1, col 73, terminal 'appd=^177]Qcl=^LAc': Legacy termcap allows only a trailing tc= clause
> "crash.0", line 1, col 73, terminal 'appd=^177]Qcl=^LAc': unknown capability 'firmwareeII'
> "crash.0", line 1, col 75, terminal 'appd=^177]Qcl=^LAc': unknown capability 'L'
> "crash.0", line 1, col 83, terminal 'appd=^177]Qcl=^LAc': Missing separator
> "crash.0", line 6, col 10, terminal 'appd=^177]Qcl=^LAc': Missing backslash before newline
> "crash.0", line 6, col 13, terminal 'appd=^177]Qcl=^LAc': Missing separator after `ae', have ^
> "crash.0", line 6, col 15, terminal 'appd=^177]Qcl=^LAc': unknown capability 'N'
> "crash.0", line 7, col 16, terminal 'appd=^177]Qcl=^LAc': Illegal character (expected alphanumeric or @%&*!#) - 'M--'
> "crash.0", line 9, col 12, terminal 'appd=^177]Qcl=^LAc': Illegal character - '^?'
> "crash.0", line 9, col 12, terminal 'appd=^177]Qcl=^LAc': wrong type used for string capability 'se'
> "crash.0", line 9, col 13, terminal 'appd=^177]Qcl=^LAc': Illegal character (expected alphanumeric or @%&*!#) - '^'
> "crash.0", line 12, col 1, terminal 'appd=^177]Qcl=^LAc': Missing separator
> "crash.0", line 36, col 10, terminal 'acte#24': Illegal character (expected alphanumeric or @%&*!#) - '|'
> "crash.0", line 36, col 20, terminal 'acte#24': Illegal character (expected alphanumeric or @%&*!#) - '^G'
> "crash.0", line 36, col 53, terminal 'acte#24': Illegal character (expected alphanumeric or @%&*!#) - '^K'
> "crash.0", line 36, col 69, terminal 'acte#24': invalid name for use-clause "Zit#8kC="
> "crash.0", line 36, col 82, terminal 'acte#24': Illegal character (expected alphanumeric or @%&*!#) - '^G'
> "crash.0", line 36, col 103, terminal 'acte#24': unknown capability 'lr'
> "crash.0", line 36, col 104, terminal 'acte#24': Illegal character (expected alphanumeric or @%&*!#) - '~?'
> "crash.0", line 36, col 112, terminal 'acte#24': Illegal character (expected alphanumeric or @%&*!#) - '^'
> "crash.0", line 36, col 124, terminal 'acte#24': Illegal character - '+'
> "crash.0", line 36, col 124, terminal 'acte#24': unknown capability 'sl'
> "crash.0", line 36, col 133, terminal 'acte#24': wrong type used for numeric capability 'dBl'
> "crash.0", line 36, col 151, terminal 'acte#24': Legacy termcap allows only a trailing tc= clause
> "crash.0", line 36, col 151, terminal 'acte#24': unknown capability 'Iap'
> "crash.0", line 36, col 161, terminal 'acte#24': Missing separator
> "crash.0", line 37, col 27, terminal 'V': older tic versions may treat the description field as an alias
> "crash.0", line 37, col 40, terminal 'V': Illegal character (expected alphanumeric or @%&*!#) - '='
> "crash.0", line 37, col 183, terminal 'V': Illegal character (expected alphanumeric or @%&*!#) - '='
> "crash.0", line 37, col 192, terminal 'V': Legacy termcap allows only a trailing tc= clause
> "crash.0", line 37, col 370, terminal 'V': Illegal character (expected alphanumeric or @%&*!#) - '^H'
> "crash.0", line 37, col 380, terminal 'V': unknown capability 'Qm'
> "crash.0", line 37, col 383, terminal 'V': unknown capability 'Pw'
> "crash.0", line 37, col 403, terminal 'V': Missing separator
> "crash.0", line 38, col 1, terminal 'V': Illegal character (expected alphanumeric or @%&*!#) - 'M-<'
> "crash.0", line 38, col 709, terminal 'V': Illegal character - '%'
> "crash.0", line 38, col 709, terminal 'V': unknown capability 
'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyzyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
&gt; "crash.0", line 38, col 711, terminal 'V': Illegal character - '*'
&gt; "crash.0", line 38, col 711, terminal 'V': unknown capability 'a'
&gt; "crash.0", line 38, col 714, terminal 'V': unknown capability 'pL'
&gt; "crash.0", line 38, col 807, terminal 'V': Illegal character - ' '
&gt; "crash.0", line 38, col 807, terminal 'V': unknown capability 
'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
&gt; "crash.0", line 38, col 814, terminal 'V': wrong type used for boolean 
capability 'ins'
&gt; "crash.0", line 38, col 817, terminal 'V': unknown capability 'A'
&gt; "crash.0", line 38, col 905, terminal 'V': Illegal character - '^P'
&gt; "crash.0", line 38, col 905, terminal 'V': unknown capability 
'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
&gt; "crash.0", line 38, col 1652, terminal 'V': unknown capability 
'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyzyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy177SOd'
&gt; "crash.0", line 39, col 72, terminal 'V': Illegal character - '~E'
&gt; "crash.0", line 39, col 72, terminal 'V': unknown capability 
'byyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyydyyyyyyyyyyyyyyyyyyyy'
&gt; "crash.0", line 39, col 311, terminal 'V': unknown capability 
'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyl'
&gt; "crash.0", line 39, col 312, terminal 'V': Illegal character (expected 
alphanumeric or @%&amp;*!#) - '='
&gt; "crash.0", line 39, col 926, terminal 'V': Very long string found.  
Missing separator?
&gt; "crash.0", line 39, col 1539, terminal 'V': Missing separator
&gt; "crash.0", line 40, col 1, terminal 'V': Illegal character (expected 
alphanumeric or @%&amp;*!#) - 'M-&lt;'
&gt; =================================================================
&gt; ==3138955==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x621000003900 at pc 0x562f0dfc843f bp 0x7ffd7b41d7d0 sp 0x7ffd7b41d7c0
&gt; READ of size 1 at 0x621000003900 thread T0
&gt;     #0 0x562f0dfc843e in postprocess_termcap 
../ncurses/./tinfo/parse_entry.c:947
&gt;     #1 0x562f0dfc519a in _nc_parse_entry 
../ncurses/./tinfo/parse_entry.c:602
&gt;     #2 0x562f0dfba294 in _nc_read_entry_source 
../ncurses/./tinfo/comp_parse.c:226
&gt;     #3 0x562f0df76580 in main ../progs/tic.c:964
&gt;     #4 0x7febf41320b2 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
&gt;     #5 0x562f0df72e0d in _start 
(/home/hzheng/real-validate/ncurses-snapshots/progs/tic+0x37e0d)
&gt; 
&gt; 0x621000003900 is located 0 bytes to the right of 4096-byte region 
[0x621000002900,0x621000003900)
&gt; allocated by thread T0 here:
&gt;     #0 0x7febf440abc8 in malloc 
(/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
&gt;     #1 0x562f0dfd8d59 in _nc_init_entry ../ncurses/./tinfo/alloc_entry.c:75
&gt;     #2 0x562f0dfc3242 in _nc_parse_entry 
../ncurses/./tinfo/parse_entry.c:272
&gt;     #3 0x562f0dfba294 in _nc_read_entry_source 
../ncurses/./tinfo/comp_parse.c:226
&gt;     #4 0x562f0df76580 in main ../progs/tic.c:964
&gt;     #5 0x7febf41320b2 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
&gt; 
&gt; SUMMARY: AddressSanitizer: heap-buffer-overflow 
../ncurses/./tinfo/parse_entry.c:947 in postprocess_termcap
> Shadow bytes around the buggy address:
>   0x0c427fff86d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c427fff86e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c427fff86f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c427fff8700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c427fff8710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c427fff8720:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fff8730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fff8740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fff8750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fff8760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fff8770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
>   Shadow gap:              cc
> ==3138955==ABORTING
> 
> (4) POC
> As shown in the attachment
> 
> (5) Credit
> NCNIPC of China 
> Hexhive

Attachment: tic.zip
Description: Zip compressed data
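A triage helper for reports of the shape quoted above, added here as an example; it is not code from the reporter or from the ncurses project. It parses the AddressSanitizer text into the fields a maintainer wants first (bug class, access kind and size, the innermost frame with source information, the allocation site, and where the faulting address sits relative to the heap region) and characterises the access in plain language. The embedded SAMPLE_REPORT is a constructed, abridged copy of the report in the thread with the long capability warnings dropped and the wrapped lines rejoined; the function and type names are this example's own.

```python
"""Parse an AddressSanitizer report and summarise it for bug triage."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: abridged from the report quoted in this thread
# (same frames, addresses and sizes; parser warnings omitted).
SAMPLE_REPORT = """\
"crash.0", line 40, col 1, terminal 'V': Illegal character (expected alphanumeric or @%&*!#) - 'M-<'
=================================================================
==3138955==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000003900 at pc 0x562f0dfc843f bp 0x7ffd7b41d7d0 sp 0x7ffd7b41d7c0
READ of size 1 at 0x621000003900 thread T0
    #0 0x562f0dfc843e in postprocess_termcap ../ncurses/./tinfo/parse_entry.c:947
    #1 0x562f0dfc519a in _nc_parse_entry ../ncurses/./tinfo/parse_entry.c:602
    #2 0x562f0dfba294 in _nc_read_entry_source ../ncurses/./tinfo/comp_parse.c:226
    #3 0x562f0df76580 in main ../progs/tic.c:964
    #4 0x7febf41320b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

0x621000003900 is located 0 bytes to the right of 4096-byte region [0x621000002900,0x621000003900)
allocated by thread T0 here:
    #0 0x7febf440abc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x562f0dfd8d59 in _nc_init_entry ../ncurses/./tinfo/alloc_entry.c:75
    #2 0x562f0dfc3242 in _nc_parse_entry ../ncurses/./tinfo/parse_entry.c:272

SUMMARY: AddressSanitizer: heap-buffer-overflow ../ncurses/./tinfo/parse_entry.c:947 in postprocess_termcap
==3138955==ABORTING
"""


@dataclass
class Frame:
    index: int
    function: str
    file: str             # source path, or module path when no debug info is present
    line: Optional[int]   # None for frames without file:line (libc, libasan, _start)


@dataclass
class AsanReport:
    bug_type: str
    address: int
    access: Optional[str]       # "READ" or "WRITE"
    size: Optional[int]         # bytes touched by the faulting access
    stack: List[Frame]          # stack at the faulting access
    alloc_stack: List[Frame]    # where the neighbouring heap region was allocated
    region_size: Optional[int]  # size of that region in bytes
    side: Optional[str]         # "left" or "right" of the region
    distance: Optional[int]     # bytes between the region edge and the address


HEADER_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)", re.M)
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+", re.M)
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+)\s*$", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")


def _frames(text: str) -> List[Frame]:
    """Turn '#N 0x... in func location' lines into Frame records."""
    out = []
    for m in FRAME_RE.finditer(text):
        loc = m.group(3)
        src = re.fullmatch(r"(.+?):(\d+)(?::\d+)?", loc)   # path:line[:col]
        if src:
            out.append(Frame(int(m.group(1)), m.group(2), src.group(1), int(src.group(2))))
        else:
            out.append(Frame(int(m.group(1)), m.group(2), loc.strip("()"), None))
    return out


def parse_asan_report(text: str) -> AsanReport:
    h = HEADER_RE.search(text)
    if h is None:
        raise ValueError("no AddressSanitizer error header found")
    body = text[h.start():]
    a = ACCESS_RE.search(body)
    r = REGION_RE.search(body)
    # Frames before the "is located" line belong to the access; frames after it
    # (up to SUMMARY) describe the allocation of the region.
    split = r.start() if r else len(body)
    end = body.find("SUMMARY:")
    tail = body[split:end if end >= 0 else len(body)]
    return AsanReport(
        bug_type=h.group(1), address=int(h.group(2), 16),
        access=a.group(1) if a else None, size=int(a.group(2)) if a else None,
        stack=_frames(body[:split]), alloc_stack=_frames(tail),
        region_size=int(r.group(3)) if r else None,
        side=r.group(2) if r else None, distance=int(r.group(1)) if r else None)


def first_project_frame(frames: List[Frame]) -> Optional[Frame]:
    """Innermost frame with source information outside the runtime: where to start reading."""
    for f in frames:
        if f.line is not None and "libasan" not in f.file and "libc.so" not in f.file:
            return f
    return None


def classify(r: AsanReport) -> str:
    """Plain-language characterisation of the access for the ticket."""
    if r.side is None:
        return r.bug_type
    if r.bug_type == "heap-buffer-overflow" and r.side == "right" and r.distance == 0:
        return (f"{r.access} of {r.size} byte(s) exactly one past the end of a "
                f"{r.region_size}-byte heap region: the pattern of a scan that runs "
                f"off the end of a buffer lacking a bound or terminator check")
    return f"{r.access} of {r.size} byte(s) {r.distance} bytes {r.side} of a {r.region_size}-byte heap region"


if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    fault, alloc = first_project_frame(rep.stack), first_project_frame(rep.alloc_stack)
    print(f"{rep.bug_type} at {fault.function} ({fault.file}:{fault.line})")
    print(f"region allocated in {alloc.function} ({alloc.file}:{alloc.line})")
    print(classify(rep))
```

Feeding a real report in (for example `./progs/tic crash.0 2>&1 | python3 asan_triage.py` with the `__main__` block changed to read stdin) gives a one-screen summary; for the report above it identifies postprocess_termcap at parse_entry.c:947 reading one byte past a 4096-byte region handed out by _nc_init_entry, which is the detail a maintainer needs to locate the unchecked scan without replaying the crash.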

