infinite recursion with nested table and textarea #20

Closed
kcwu opened this issue Aug 19, 2016 · 7 comments

Comments

@kcwu
Contributor

kcwu commented Aug 19, 2016

$ xxd infinite-recursion
00000000: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000010: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000020: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000030: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000040: 3030 3030 3030 3030 3030 3030 3030 30e0  000000000000000.
00000050: 3030 3030 3030 3030 3c2f 3e30 3030 3030  00000000</>00000
00000060: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000070: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000080: 3030 3030 3030 3030 3030 303c 7461 626c  00000000000<tabl
00000090: 653e 3c74 6578 7461 7265 613e 3c74 6162  e><textarea><tab
000000a0: 6c65 2030 3030 303c 7465 7874 6172 6561  le 0000<textarea
000000b0: 3e3c 7461 626c 6520 3030 3030 3030 3030  ><table 00000000
000000c0: 3030 3030 3030 3030 303c 7465 7874 6172  000000000<textar
000000d0: 6561 3e3c 7461 626c 6520 303c 7465 7874  ea><table 0<text
000000e0: 6172 6561 3e3c 7461 626c 6520 3030 3030  area><table 0000
000000f0: 3030 3030 3030 303c 7465 7874 6172 6561  0000000<textarea
00000100: 3e3c 7461 626c 6520 3030 3030 3030 3030  ><table 00000000
00000110: 3030 3c74 6578 7461 7265 613e 3c74 6162  00<textarea><tab
00000120: 6c65 2030 3030 3030 3030 3030 3030 3c74  le 00000000000<t
00000130: 6578 7461 7265 613e 3c74 6162 6c65 3e3c  extarea><table><
00000140: 2f74 6162 6c65 3e                        /table>
$ gdb --args ./w3m -T text/html -dump infinite-recursion
Program received signal SIGSEGV, Segmentation fault.
0x0000000000445ad2 in renderCoTable (tbl=<error reading variable: Cannot access memory at address 0x7fffff7fedf8>, maxlimit=<error reading variable: Cannot access memory at address 0x7fffff7fedf4>) at table.c:1629
1629    {
(gdb) up
#1  0x000000000044643e in renderTable (t=0x7bf000, max_width=79, h_env=0x7fffff7ff500) at table.c:1794
1794        renderCoTable(t, h_env->limit);
(gdb)
#2  0x0000000000445d13 in renderCoTable (tbl=0x7bf000, maxlimit=79) at table.c:1654
1654            renderTable(t, maxwidth, &h_env);
(gdb)
#3  0x000000000044643e in renderTable (t=0x7bf000, max_width=79, h_env=0x7fffff7ffbe0) at table.c:1794
1794        renderCoTable(t, h_env->limit);

I found w3m called pushTable (tbl=0x7bf000, tbl1=0x7bf000) earlier.

This was found by afl-fuzz.

@tats
Owner

tats commented Aug 24, 2016

Reproducible, but not yet fixed. Patches welcome.

@kcwu
Contributor Author

kcwu commented Sep 5, 2016

Reduced test case

00000000: 3030 3030 3c6e 6f62 723e 3030 3030 3030  0000<nobr>000000
00000010: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000020: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000030: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000040: 3030 3030 303c 7461 626c 653e 3c74 6578  00000<table><tex
00000050: 7461 7265 613e 3c74 6162 6c65 2030 303c  tarea><table 00<
00000060: 7465 7874 6172 6561 3e3c 7461 626c 6520  textarea><table
00000070: 3e3c 2f74 6162 6c65 3e                   ></table>

tats added a commit that referenced this issue Nov 12, 2016
@tats
Owner

tats commented Nov 12, 2016

Workaround added. Thank you.

@tats tats closed this as completed Nov 12, 2016
@kcwu
Contributor Author

kcwu commented Nov 15, 2016

The workaround can only prevent one level of recursion loop. But it is possible to have more than one level. For example,

00000000: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000010: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000020: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000030: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000040: 3030 3030 3030 3030 3030 3030 3020 3030  0000000000000 00
00000050: 3c6e 6f62 723e 3030 3030 3030 3030 3030  <nobr>0000000000
00000060: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000070: 3030 3030 303c 7461 626c 653e 3c74 6578  00000<table><tex
00000080: 7461 7265 613e 3c74 6162 6c65 3e3c 7465  tarea><table><te
00000090: 7874 6172 6561 3e3c 7461 626c 6500 3030  xtarea><table.00
000000a0: 3030 3030 3030 3e3c 7465 7874 6172 6561  000000><textarea
000000b0: 3e3c 7461 626c 6520 3030 3030 3030 3030  ><table 00000000
000000c0: 3e3c 7465 7874 6172 6561 3e3c 7461 626c  ><textarea><tabl
000000d0: 6520 3e3c 2f74 6162 6c65 3e              e ></table>

is 4 levels.

#0  0x0000000000445efd in renderCoTable (tbl=<error reading variable: Cannot access memory at address 0x7fffff7fee98>,
    maxlimit=<error reading variable: Cannot access memory at address 0x7fffff7fee94>) at table.c:1628
#1  0x00000000004469b1 in renderTable (t=0x7e7800, max_width=79, h_env=0x7fffff7ff5a0) at table.c:1810
#2  0x0000000000446270 in renderCoTable (tbl=0x7e0000, maxlimit=79) at table.c:1666
#3  0x00000000004469b1 in renderTable (t=0x7e0000, max_width=79, h_env=0x7fffff7ffc80) at table.c:1810
#4  0x0000000000446270 in renderCoTable (tbl=0x7e0800, maxlimit=79) at table.c:1666
#5  0x00000000004469b1 in renderTable (t=0x7e0800, max_width=79, h_env=0x7fffff800360) at table.c:1810
#6  0x0000000000446270 in renderCoTable (tbl=0x7c0000, maxlimit=79) at table.c:1666
#7  0x00000000004469b1 in renderTable (t=0x7c0000, max_width=79, h_env=0x7fffff800a40) at table.c:1810
#8  0x0000000000446270 in renderCoTable (tbl=0x7e7800, maxlimit=79) at table.c:1666
#9  0x00000000004469b1 in renderTable (t=0x7e7800, max_width=79, h_env=0x7fffff801120) at table.c:1810
#10 0x0000000000446270 in renderCoTable (tbl=0x7e0000, maxlimit=79) at table.c:1666
#11 0x00000000004469b1 in renderTable (t=0x7e0000, max_width=79, h_env=0x7fffff801800) at table.c:1810
#12 0x0000000000446270 in renderCoTable (tbl=0x7e0800, maxlimit=79) at table.c:1666
#13 0x00000000004469b1 in renderTable (t=0x7e0800, max_width=79, h_env=0x7fffff801ee0) at table.c:1810
#14 0x0000000000446270 in renderCoTable (tbl=0x7c0000, maxlimit=79) at table.c:1666
#15 0x00000000004469b1 in renderTable (t=0x7c0000, max_width=79, h_env=0x7fffff8025c0) at table.c:1810
#16 0x0000000000446270 in renderCoTable (tbl=0x7e7800, maxlimit=79) at table.c:1666
#17 0x00000000004469b1 in renderTable (t=0x7e7800, max_width=79, h_env=0x7fffff802ca0) at table.c:1810
#18 0x0000000000446270 in renderCoTable (tbl=0x7e0000, maxlimit=79) at table.c:1666
#19 0x00000000004469b1 in renderTable (t=0x7e0000, max_width=79, h_env=0x7fffff803380) at table.c:1810

@tats
Owner

tats commented Nov 15, 2016

more than one level.

Fixed, thank you.

@kcwu
Contributor Author

kcwu commented Nov 15, 2016

The workaround still cannot handle all cases.

00000000: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000010: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000020: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000030: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000040: 3030 3030 3030 3030 3030 3030 3030 30e3  000000000000000.
00000050: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000060: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000070: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000080: 3c6e 3e30 3030 3030 303c 7461 626c 653e  <n>000000<table>
00000090: 3c74 6578 7461 7265 613e 3c74 6162 6c65  <textarea><table
000000a0: 0030 3030 3030 3030 3030 3030 3c74 6578  .00000000000<tex
000000b0: 7461 7265 613e 3c74 6162 6c65 3e3c 2f74  tarea><table></t
000000c0: 6162 6c65 3e3c 7461 626c 653e            able><table>

gdb

Program received signal SIGSEGV, Segmentation fault.
0x00000000004460d2 in renderCoTable (tbl=0x7c0000, maxlimit=45) at table.c:1660
1660            if (t->total_width == 0)
(gdb) p t
$1 = (struct table *) 0x0
(gdb) p cotable_level
$2 = 100

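The three crashes in this thread are instances of one defect class: the renderer walks a table tree by pointer without checking whether a table is already on the rendering stack, so a self-referencing table (the first report, where pushTable received tbl == tbl1) or a four-table loop (the second report) recurses until the stack is exhausted, and a pure depth counter (cotable_level reaching 100 in the third report) stops the recursion but then dereferences a NULL table. The following is an added, hypothetical C model written for this discussion, not w3m's own table.c: the struct, the depth cap MAX_NEST, the render_* functions and the scenario_* constructors are all assumptions. It shows the three guards together: a NULL check on each child, a depth cap, and an ancestor-chain check that detects a cycle at the first revisit regardless of how many tables the loop spans.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical minimal table model (not w3m's struct table). */
#define MAX_CHILDREN 4
#define MAX_NEST 100      /* hypothetical depth cap, same idea as a level counter */

struct table {
    const char *name;
    int nchildren;
    struct table *children[MAX_CHILDREN];
};

/* Outcome of a render pass. */
enum render_status {
    RENDER_OK = 0,
    RENDER_CYCLE = 1,      /* a table is its own (transitive) ancestor */
    RENDER_TOO_DEEP = 2,   /* nesting exceeded MAX_NEST without a cycle */
    RENDER_NULL_CHILD = 3  /* a child slot holds NULL */
};

/* Does t already appear among the tables currently being rendered? */
static int on_ancestor_chain(const struct table *t, struct table **chain, int depth)
{
    for (int i = 0; i < depth; i++)
        if (chain[i] == t)
            return 1;
    return 0;
}

static enum render_status render_rec(struct table *t, struct table **chain,
                                     int depth, int *rendered)
{
    if (t == NULL)                         /* guard the third report's crash */
        return RENDER_NULL_CHILD;
    if (depth >= MAX_NEST)                 /* bound the stack even without a cycle */
        return RENDER_TOO_DEEP;
    if (on_ancestor_chain(t, chain, depth)) /* catch loops of any length */
        return RENDER_CYCLE;
    chain[depth] = t;
    (*rendered)++;
    for (int i = 0; i < t->nchildren; i++) {
        enum render_status s = render_rec(t->children[i], chain, depth + 1, rendered);
        if (s != RENDER_OK)
            return s;
    }
    return RENDER_OK;
}

/* Entry point: returns a status and, via *rendered, how many tables were emitted. */
enum render_status render_table(struct table *root, int *rendered)
{
    struct table *chain[MAX_NEST];
    int n = 0;
    enum render_status s = render_rec(root, chain, 0, &n);
    if (rendered)
        *rendered = n;
    return s;
}

/* Constructed scenarios mirroring the reports in this issue. */
enum render_status scenario_self_loop(int *rendered)
{
    static struct table t = { "self", 0, { NULL } };   /* tbl contains tbl */
    t.nchildren = 1; t.children[0] = &t;
    return render_table(&t, rendered);
}

enum render_status scenario_four_level_loop(int *rendered)
{
    static struct table a = { "a", 0, { NULL } }, b = { "b", 0, { NULL } },
                        c = { "c", 0, { NULL } }, d = { "d", 0, { NULL } };
    a.nchildren = 1; a.children[0] = &b;
    b.nchildren = 1; b.children[0] = &c;
    c.nchildren = 1; c.children[0] = &d;
    d.nchildren = 1; d.children[0] = &a;                /* closes the loop */
    return render_table(&a, rendered);
}

enum render_status scenario_null_child(int *rendered)
{
    static struct table outer = { "outer", 0, { NULL } };
    outer.nchildren = 1; outer.children[0] = NULL;      /* missing inner table */
    return render_table(&outer, rendered);
}

enum render_status scenario_too_deep(int *rendered)
{
    static struct table deep[MAX_NEST + 1];             /* distinct tables, no cycle */
    for (int i = 0; i <= MAX_NEST; i++) {
        deep[i].name = "deep";
        deep[i].nchildren = (i < MAX_NEST) ? 1 : 0;
        deep[i].children[0] = (i < MAX_NEST) ? &deep[i + 1] : NULL;
    }
    return render_table(&deep[0], rendered);
}

enum render_status scenario_well_formed(int *rendered)
{
    static struct table outer = { "outer", 0, { NULL } }, inner = { "inner", 0, { NULL } };
    outer.nchildren = 1; outer.children[0] = &inner;
    return render_table(&outer, rendered);
}

int main(void)
{
    int n;
    printf("self loop:   status %d after %d tables\n", scenario_self_loop(&n), n);
    printf("4-level:     status %d after %d tables\n", scenario_four_level_loop(&n), n);
    printf("null child:  status %d after %d tables\n", scenario_null_child(&n), n);
    printf("too deep:    status %d after %d tables\n", scenario_too_deep(&n), n);
    printf("well formed: status %d after %d tables\n", scenario_well_formed(&n), n);
    return 0;
}
```

The ancestor-chain check costs O(depth) per table, which is negligible at a depth cap of 100; its value over a bare counter is that it stops at the first repeated pointer, so a malformed document cannot push the renderer through dozens of redundant levels before the cap trips, and the NULL check makes the cap's early exit safe for the caller.
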
@tats tats reopened this Nov 15, 2016
tats added a commit that referenced this issue Nov 15, 2016
@tats
Owner

tats commented Nov 15, 2016

(gdb) p t
$1 = (struct table *) 0x0

Fixed, thank you.
