
heap-buffer-overflow in shiftAnchorPosition #200

Closed
kcwu opened this issue Oct 14, 2021 · 3 comments

Comments

@kcwu
Contributor

kcwu commented Oct 14, 2021

input (xxd cases/tats-w3m-200)

00000000: 3c74 6162 6c65 3e30 3c62 7220 3c3e 303c  <table>0<br <>0<
00000010: 786d 703e c8ab 3c64 6976 3e3c 696e 7465  xmp>..<div><inte
00000020: 526e 616c 3e3c 696e 7075 745f 616c 7420  Rnal><input_alt 
00000030: 6669 643d 303e 3c64 6c3e 303c 646c 3e30  fid=0><dl>0<dl>0
00000040: 3c62 7574 746f 6e20 7661 6c75 653d 2722  <button value='"
00000050: 3e30 3030 3030 3030 3030 3030 3030 3030  >000000000000000   
00000060: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000070: 3030 3030 3030 3030 30ff 3030 3027 3e3c  000000000.000'><
00000080: 4120 6873 6571 3d2d 3930 2068 7265 663d  A hseq=-90 href=
00000090: 3e30 3c68 5220 616c 6967 6e3d 6d69 6464  >0<hR align=midd
000000a0: 6c65 3e                                  le>     

how to reproduce:

LD_LIBRARY_PATH=./notgc ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 ./w3m-tats.asan -T text/html -dump cases/tats-w3m-200                                     

stderr:

=================================================================
==91135==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130000007ec at pc 0x0000006b8747 bp 0x7ffc85f91ca0 sp 0x7ffc85f91c98                       
READ of size 4 at 0x6130000007ec thread T0         
    #0 0x6b8746 in shiftAnchorPosition /fuzzing-w3m/targets/w3m-tats/anchor.c:555:38                                                
    #1 0x611e91 in formUpdateBuffer /fuzzing-w3m/targets/w3m-tats/form.c:502:3                                                      
    #2 0x6130d5 in formResetBuffer /fuzzing-w3m/targets/w3m-tats/form.c:271:2
    #3 0x5302d9 in loadHTMLBuffer /fuzzing-w3m/targets/w3m-tats/file.c:6928:2
    #4 0x533654 in loadSomething /fuzzing-w3m/targets/w3m-tats/file.c:229:16
    #5 0x524fb6 in loadGeneralFile /fuzzing-w3m/targets/w3m-tats/file.c:2286:6
    #6 0x4cf6d6 in main /fuzzing-w3m/targets/w3m-tats/main.c:1048:12
    #7 0x7f0d02f94d09 in __libc_start_main csu/../csu/libc-start.c:308:16
    #8 0x420a89 in _start (/w3m-tats.asan+0x420a89)

0x6130000007ec is located 172 bytes inside of 382-byte region [0x613000000740,0x6130000008be)
freed by thread T0 here:
    #0 0x49ae19 in realloc (/w3m-tats.asan+0x49ae19)
    #1 0x5712e3 in HTMLlineproc2body /fuzzing-w3m/targets/w3m-tats/file.c:5675:6
    #2 0x570a7e in HTMLlineproc2 /fuzzing-w3m/targets/w3m-tats/file.c:6336:5
    #3 0x57f9f2 in loadHTMLstream /fuzzing-w3m/targets/w3m-tats/file.c:7431:5
    #4 0x5300e8 in loadHTMLBuffer /fuzzing-w3m/targets/w3m-tats/file.c:6922:5
    #5 0x533654 in loadSomething /fuzzing-w3m/targets/w3m-tats/file.c:229:16
    #6 0x524fb6 in loadGeneralFile /fuzzing-w3m/targets/w3m-tats/file.c:2286:6
    #7 0x4cf6d6 in main /fuzzing-w3m/targets/w3m-tats/main.c:1048:12
    #8 0x7f0d02f94d09 in __libc_start_main csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x49ae19 in realloc (/w3m-tats.asan+0x49ae19)
    #1 0x5712e3 in HTMLlineproc2body /fuzzing-w3m/targets/w3m-tats/file.c:5675:6
    #2 0x570a7e in HTMLlineproc2 /fuzzing-w3m/targets/w3m-tats/file.c:6336:5
    #3 0x57f9f2 in loadHTMLstream /fuzzing-w3m/targets/w3m-tats/file.c:7431:5
    #4 0x5300e8 in loadHTMLBuffer /fuzzing-w3m/targets/w3m-tats/file.c:6922:5
    #5 0x533654 in loadSomething /fuzzing-w3m/targets/w3m-tats/file.c:229:16
    #6 0x524fb6 in loadGeneralFile /fuzzing-w3m/targets/w3m-tats/file.c:2286:6
    #7 0x4cf6d6 in main /fuzzing-w3m/targets/w3m-tats/main.c:1048:12
    #8 0x7f0d02f94d09 in __libc_start_main csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /fuzzing-w3m/targets/w3m-tats/anchor.c:555:38 in shiftAnchorPosition
Shadow bytes around the buggy address:
  0x0c267fff80a0: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff80c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
  0x0c267fff80e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c267fff80f0: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x0c267fff8100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff8110: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c267fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==91135==ABORTING

This is detected with the help of a dummy libgc wrapper. See https://github.com/kcwu/fuzzing-w3m/tree/master/notgc for details.
For more details on how to reproduce, please see https://github.com/kcwu/fuzzing-w3m

For your convenience,
gdbline:
ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 LD_LIBRARY_PATH=./notgc gdb --args ./w3m-tats.asan -T text/html -dump cases/tats-w3m-200

found by afl++

@kcwu
Contributor Author

kcwu commented Oct 14, 2021

This heap-buffer-overflow (wild pointer) is also in shiftAnchorPosition, probably related?

input (xxd cases/tats-w3m-200.2)

00000000: 3c74 6162 6c65 3e30 3c62 7220 3c3e 303c  <table>0<br <>0< 
00000010: 786d 703e c8ab 3c64 6976 3e3c 696e 7465  xmp>..<div><inte
00000020: 526e 616c 3e3c 696e 7075 745f 616c 7420  Rnal><input_alt 
00000030: 6669 643d 303e 3c64 6c3e 303c 646c 3e30  fid=0><dl>0<dl>0
00000040: 3c62 7574 746f 6e3e 3c41 2068 7365 713d  <button><A hseq=
00000050: 2d39 3020 6872 6566 3d3e 30              -90 href=>0     

@rkta
Contributor

rkta commented Oct 17, 2021 via email

@kcwu kcwu changed the title heap-use-after-free in shiftAnchorPosition heap-buffer-overflow in shiftAnchorPosition Nov 1, 2021
@tats
Owner

tats commented Feb 16, 2022

Fixed by #217

@tats tats closed this as completed Feb 16, 2022