Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] out of bound write in checkType, etc.c:441 #242

Closed
kdsjZh opened this issue Aug 7, 2022 · 13 comments
Closed

[BUG] out of bound write in checkType, etc.c:441 #242

kdsjZh opened this issue Aug 7, 2022 · 13 comments

Comments

@kdsjZh
Copy link

kdsjZh commented Aug 7, 2022

Hello, I found a out of bound write in w3m, function checkType, etc.c:441 while testing my new fuzzer.

step to reproduce

export CC="gcc -fsanitize=address -g" ./configure --disable-shared && make -j8
./w3m $POC

Environment

  • Ubuntu 22.04 (docker image)
  • w3m latest commit c515ea8
  • gcc 11.2.0

ASan log

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1795279==ERROR: AddressSanitizer: BUS on unknown address (pc 0x5639811267b7 bp 0x7f4212857ffe sp 0x7ffdc528ad90 T0)
==1795279==The signal is caused by a WRITE memory access.
==1795279==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
    #0 0x5639811267b7 in checkType /validate/w3m/etc.c:441
    #1 0x5639810ea5e2 in loadBuffer /validate/w3m/file.c:7717
    #2 0x563981110094 in loadSomething /validate/w3m/file.c:230
    #3 0x563981110094 in loadGeneralFile /validate/w3m/file.c:2286
    #4 0x5639810ab87d in main /validate/w3m/main.c:1053
    #5 0x7f42159b4d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 0x7f42159b4e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #7 0x5639810af284 in _start (/validate/w3m/w3m+0xb3284)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: BUS /validate/w3m/etc.c:441 in checkType
==1795279==ABORTING

Credit

Han Zheng
NCNIPC of China
Hexhive

POC

poc0.zip

@rkta
Copy link
Contributor

rkta commented Aug 9, 2022 via email

@kdsjZh
Copy link
Author

kdsjZh commented Aug 9, 2022

Sorry, I write the wrong command, the command is ./w3m -dump $POC.

@kdsjZh
Copy link
Author

kdsjZh commented Aug 9, 2022

if it didn't work, could you try docker ubuntu 22.04 image with following command? Or you could give me the debian version you use

apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y
git clone https://github.com/tats/w3m && pushd w3m
export CC="gcc -fsanitize=address -g" && ./configure --disable-shared && make -j8
./w3m -dump $PATH_TO_POC

I try again and it works for me.

@rkta
Copy link
Contributor

rkta commented Aug 9, 2022 via email

@kdsjZh
Copy link
Author

kdsjZh commented Aug 9, 2022

I try debian stable in docker image and it still works.

I currently don't have time to setup a VM, maybe at the weekend, sorry.

I mean you can install docker in your debian and copy following command :

docker pull ubuntu:22.04 && docker run -it ubuntu:22.04 bash
## now step into the container
apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y
git clone https://github.com/tats/w3m && pushd w3m
export CC="gcc -fsanitize=address -g" && ./configure --disable-shared && make -j8
wget https://github.com/tats/w3m/files/9276657/poc0.zip && unzip poc0.zip
./w3m -dump ./poc0

Pls told me if it's still not available. I could try to reduce the input file later. But I guess it's environment's fault.

@rkta
Copy link
Contributor

rkta commented Aug 10, 2022 via email

@kdsjZh
Copy link
Author

kdsjZh commented Aug 10, 2022

I guess it's not docker. I try to reproduce it in my psychical Desktop (ubuntu 21.10) and success with following command

./w3m -dump crashes/id\:000001\,sig\:11\,src\:000876\,time\:8063946\,execs\:818201\,op\:MOpt_core_havoc\,rep\:8
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3904622==ERROR: AddressSanitizer: SEGV on unknown address 0x7f186ce09ffe (pc 0x55c246d22787 bp 0x7f186ce09ffe sp 0x7ffe334beb20 T0)
==3904622==The signal is caused by a WRITE memory access.
    #0 0x55c246d22787 in checkType /home/kdsj/workspace/benchmarks/reproduce/w3m/etc.c:441
    #1 0x55c246ce65c2 in loadBuffer /home/kdsj/workspace/benchmarks/reproduce/w3m/file.c:7717
    #2 0x55c246d0c074 in loadSomething /home/kdsj/workspace/benchmarks/reproduce/w3m/file.c:230
    #3 0x55c246d0c074 in loadGeneralFile /home/kdsj/workspace/benchmarks/reproduce/w3m/file.c:2286
    #4 0x55c246ca785d in main /home/kdsj/workspace/benchmarks/reproduce/w3m/main.c:1053
    #5 0x7f186fc77fcf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 0x7f186fc7807c in __libc_start_main_impl ../csu/libc-start.c:409
    #7 0x55c246cab264 in _start (/home/kdsj/workspace/benchmarks/reproduce/w3m/w3m+0xb3264)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/kdsj/workspace/benchmarks/reproduce/w3m/etc.c:441 in checkType
==3904622==ABORTING

but when try to rename it to poc0, it failed

./w3m -dump crashes/poc0
        ???????????p???�???*��?&?*?p???�???     �???????????????????���???????

Although I check again and make sure they're the same crash with same hash....
I guess the name is to be blamed? or there might be some random factor?

@N-R-K
Copy link
Contributor

N-R-K commented Aug 16, 2022

@kdsjZh Hi, could you please provide the output of ./w3m -version, I'm not able to reproduce on my system. And the suspect code snippet is filled with various #ifdefs so it might be related to a specific configuration.

P.S: --disable-shared doesn't seem to be a valid option and gives me the following warning on master:

configure: WARNING: unrecognized options: --disable-shared

@N-R-K
Copy link
Contributor

N-R-K commented Aug 16, 2022

Also since I'm not able to reproduce on my end, please also check if the following patch fixes the issue or not:

diff --git a/etc.c b/etc.c
index 805bfa0..bbad19c 100644
--- a/etc.c
+++ b/etc.c
@@ -438,12 +438,13 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
 	    mode |= ceffect;
 	}
 #endif
-	*(prop++) = mode;
+	if (prop < prop_buffer + prop_size)
+		*(prop++) = mode;
 #ifdef USE_M17N
 	plen = get_mclen(str);
 	if (plen > 1) {
 	    mode = (mode & ~PC_WCHAR1) | PC_WCHAR2;
-	    for (i = 1; i < plen; i++) {
+	    for (i = 1; i < plen && prop < prop_buffer + prop_size; i++) {
 		*(prop++) = mode;
 #ifdef USE_ANSI_COLOR
 		if (color)

@kdsjZh
Copy link
Author

kdsjZh commented Aug 16, 2022

could you please provide the output of ./w3m -version

./w3m --version
w3m version w3m/0.5.3+git20220429, options lang=en,m17n,image,color,ansi-color,mouse,menu,cookie,external-uri-loader,w3mmailer,nntp,gopher,ipv6,alarm,mark

P.S: --disable-shared doesn't seem to be a valid option and gives me the following warning on master:

Sorry, this is a typo, you can remove this arg.

check if the following patch fixes the issue or not:

It seems not. I try to use gdb and it shows that pointer prop itself is valid.

gdb-peda$ set args -dump poc0
gdb-peda$ r
Starting program: /home/kdsj/workspace/fuzz/verify/w3m/w3m -dump poc0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff3dff640 (LWP 331510)]
[New Thread 0x7ffff35fe640 (LWP 331511)]
[New Thread 0x7ffff2dfd640 (LWP 331512)]
[New Thread 0x7ffff25fc640 (LWP 331513)]
[New Thread 0x7ffff1dfb640 (LWP 331514)]
[New Thread 0x7ffff15fa640 (LWP 331515)]
[New Thread 0x7ffff0df9640 (LWP 331516)]
[New Thread 0x7ffff05f8640 (LWP 331517)]
[New Thread 0x7fffefdf7640 (LWP 331518)]
[New Thread 0x7fffef5f6640 (LWP 331519)]
[New Thread 0x7fffeedf5640 (LWP 331520)]

Thread 1 "w3m" received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x7
RBX: 0x7ffff441cc5a --> 0x808080808080808
RCX: 0x0
RDX: 0x1200
RSI: 0x7ffff4404000 --> 0x100000001000100
RDI: 0x5555558d9a85 --> 0x200a020a020a0212
RBP: 0x7ffff4403ffe
RSP: 0x7fffffffd720 --> 0x0
RIP: 0x55555567e7bb (<checkType+1403>:  mov    WORD PTR [rbp+0x0],dx)
R8 : 0x7ffff4404000 --> 0x100000001000100
R9 : 0x0
R10: 0x555555754e40 --> 0x5f5f08
R11: 0x2
R12: 0x7ffff441cc57 --> 0x808080808e88085
R13: 0x0
R14: 0x5fca
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x55555567e7b1 <checkType+1393>:     jl     0x55555567e7bb <checkType+1403>
   0x55555567e7b3 <checkType+1395>:     test   cl,cl
   0x55555567e7b5 <checkType+1397>:     jne    0x55555567f4b2 <checkType+4722>
=> 0x55555567e7bb <checkType+1403>:     mov    WORD PTR [rbp+0x0],dx
   0x55555567e7bf <checkType+1407>:     mov    rbp,rsi
   0x55555567e7c2 <checkType+1410>:     mov    rdi,r12
   0x55555567e7c5 <checkType+1413>:     mov    DWORD PTR [rsp+0x18],edx
   0x55555567e7c9 <checkType+1417>:     call   0x55555573a340 <wtf_len1>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd720 --> 0x0
0008| 0x7fffffffd728 --> 0x7ffff4420fca --> 0x808080808080000
0016| 0x7fffffffd730 --> 0x7ffff463a900 --> 0x7ffff4410000 --> 0x1b1d001b1b001b00
0024| 0x7fffffffd738 --> 0x7ffff4400000
0032| 0x7fffffffd740 --> 0x0
0040| 0x7fffffffd748 --> 0x39e6470e00000003
0048| 0x7fffffffd750 --> 0x100010000 --> 0x0
0056| 0x7fffffffd758 --> 0x7ffff4404000 --> 0x100000001000100
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000055555567e7bb in checkType (s=<optimized out>, s@entry=0x7ffff463a920, oprop=oprop@entry=0x7fffffffd8c0, ocolor=ocolor@entry=0x0) at etc.c:442
warning: Source file is more recent than executable.
442                     *(prop++) = mode;
gdb-peda$ display prop
1: prop = (Lineprop *) 0x7ffff4404000
gdb-peda$ display prop_buffer
2: prop_buffer = (Lineprop *) 0x7ffff4404000
gdb-peda$ display prop_size
3: prop_size = 0x5fca

I'm not able to reproduce on my system.

Could you try docker when you're available? Considering that there are many environment factors it's better to start from empty docker image. Sometimes even the crash seed's name matters...

docker pull ubuntu:22.04 && docker run -it ubuntu:22.04 bash
## now step into the container
apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y
git clone https://github.com/tats/w3m && pushd w3m
export CC="gcc -fsanitize=address -g" && ./configure --disable-shared && make -j8
wget https://github.com/tats/w3m/files/9276657/poc0.zip && unzip poc0.zip
./w3m -dump ./poc0

@ismaell
Copy link

ismaell commented Oct 22, 2022

At first sight, the checkType function is a little bit obscure, what is it supposed to do exactly? can someone comment on the variables and their use?

@tats
Copy link
Owner

tats commented Dec 20, 2022

Fixed by 419ca82

@tats tats closed this as completed Dec 20, 2022
@tats
Copy link
Owner

tats commented Dec 21, 2022

Assigned to CVE-2022-38232, though the Debian security team manages
this bug as a minor issue, no advisory.
cf. https://security-tracker.debian.org/tracker/CVE-2022-38223

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Apr 27, 2023
2023-01-21  Tatsuya Kinoshita  <tats@debian.org>

	* NEWS: Update NEWS to 0.5.3+git20230121.

2023-01-15  Tatsuya Kinoshita  <tats@debian.org>

	* scripts/w3mman/w3mman2html.cgi.in:
	Add GROFF_NO_SGR=1 to w3mman2html.cgi for non-Debian groff.
	Bug-Debian: tats/w3m#238
	Bug-Debian: tats/w3m#201

	* scripts/w3mman/w3mman2html.cgi.in:
	Revert "Turn ansi escape sequences into html tags".
	This reverts commit 44af9271e0e984544762e2212549f134c86b4418.
	cf. tats/w3m#238

2023-01-12  Tatsuya Kinoshita  <tats@debian.org>

	* fm.h, rc.c: Do not expand config value of tmp_dir.

	* config.h.dist, config.h.in, configure, configure.ac, rc.c:
	Use faccessat for rc_dir and tmp_dir.

	* local.c: Allow writeLocalCookie even when no_rc_dir.

	* main.c, rc.c: Call wtf_init in sync_with_option.

	* rc.c: Avoid modifying read-only rc_dir.

	* fm.h, main.c, proto.h, rc.c: Make tmp_dir if not found.

2023-01-09  Tatsuya Kinoshita  <tats@debian.org>

	* NEWS: Prepare NEWS for w3m 0.5.3+git202301XX.

	* doc-de/FAQ.html, doc-jp/FAQ.html, doc/FAQ.html:
	Remove obsolete documents.

	* doc-de/FAQ.html, doc-de/MANUAL.html:
	Wrap long lines to avoid Lintian warnings.

2023-01-07  Tatsuya Kinoshita  <tats@debian.org>

	* file.c: Only read a first title.
	* file.c, fm.h: Revert "Only read title when in head".
	This reverts commit 0189e8aa5c4c4919a9bbc4dcbe0e521aada51e3c.
	Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020215

2023-01-06  Tatsuya Kinoshita  <tats@debian.org>

	* file.c: Indentation fix for HTMLtagproc1.

2023-01-06  Robert Alm Nilsson  <robert@robalni.org>

	* file.c, fm.h: Only read title when in head.
	Origin: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020215

2023-01-06  Tatsuya Kinoshita  <tats@debian.org>

	* libwc/charset.c: Avoid locale sensitive tolower in wc_charset_to_ces.

2023-01-06  Sertaç Ö. Yıldız  <sertacyildiz@gmail.com>

	* libwc/charset.c:
	Fix charset declaration parser fails with turkish locale.
	Origin: https://bugzilla-attachments.redhat.com/attachment.cgi?id=160014
	Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=249675

	* history.c: Use st_mtime instead of st_mtim.tv_sec to compile on macos.
	cf. tats/w3m#247

2023-01-06  Rene Kita  <mail@rkta.de>

	* html.c, html.h, tagtable.tab: Recognize link targets in dfn elements.
	Refactor html.c.  Align in html.c.
	Origin: tats/w3m#259
	Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018696

	* Makefile.in, form.c, main.c, util.c, util.h:
	Handle failed system calls.
	* display.c, display.h, file.c, form.c, main.c, proto.h, terms.h:
	Move declarations to appropiate header files.
	Origin: tats/w3m#257
	Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=398989

	* entity.js, etc.c, table.c, tests/allentity.expected:
	* tests/allentity.html: Skip soft hyphen when reading token.
	Fix generated HTML for entity test.
	Origin: tats/w3m#256
	Bug-Debian: tats/w3m#224
	Bug-Debian: tats/w3m#258
	Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830173

	* file.c: Check LESSOPEN to avoid undefined behaviour.
	Refactor lessopen_stream.
	Origin: tats/w3m#254
	Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991608

2023-01-05  Markus Hiereth  <translation@hiereth.de>

	* po/de.po: Update German message catalogue.
	Origin: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011945#10

2023-01-05  Rene Kita  <mail@rkta.de>

	* buffer.c: Exit with error if a new buffer can't be allocated.
	Origin: https://git.sr.ht/~rkta/w3m/commit/1f88544c1a009ed2088ff20973bcfffe6cbcb5de
	Bug-Debian: tats/w3m#232
	Bug-Debian: tats/w3m#233

	* history.c, history.h:
	Merge history file if it was modified after start.
	* history.h, proto.h: Move declarations to the appropriate header file.
	* history.c: Add comment to explain placement of the ifdef.
	* history.c, proto.h: Let loadHistory return an error code.
	* history.c: Use 'goto fail' to remove code duplication.
	Origin: tats/w3m#247
	Bug-Debian: tats/w3m#176

2023-01-05  Alberto Fanjul  <albertofanjul@gmail.com>

	* scripts/w3mman/w3mman2html.cgi.in:
	Turn ansi escape sequences into html tags.
	Origin: tats/w3m#238
	Bug-Debian: tats/w3m#201

2023-01-04  Tatsuya Kinoshita  <tats@debian.org>

	* po/de.po, po/it.po, po/ja.po, po/sv_SE.po, po/w3m.pot, po/zh_CN.po:
	* po/zh_TW.po: Update PO strings.

	* doc/MANUAL.html, doc/README.img, libwc/wc_types.h, main.c, rc.c:
	English fixes.
	cf. tats/w3m#241

2023-01-04  Rene Kita  <mail@rkta.de>

	* rc.c: Remove unused variable.
	* table.c: Remove a warning for bzero with GCC 12.
	* file.c: Fix potential null pointer dereference.
	* .github/workflows/build.yml:
	Don't error out on deprecated declaration warnings.
	Origin: tats/w3m#255
	cf. tats/w3m#252

2023-01-04  nico  <smnicolas@gmail.com>

	* doc/MANUAL.html, doc/w3m.1, fm.h, main.c, rc.c, terms.c:
	Add high-intensity colors option and cli flag.
	Origin: tats/w3m#251
	cf. tats/w3m#250
	Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626291

2023-01-04  Trafficone  <trafficone@gmail.com>

	* doc/README.SSL, doc/README.keymap, doc/README.menu: Translate from
	doc-jp.
	* doc/README.cookie, doc/README.func, doc/README.img, doc/README.m17n:
	* doc/README.passwd: Clarified wording.  Minor grammar changes.
	Origin: tats/w3m#241

2022-12-25  Tatsuya Kinoshita  <tats@debian.org>

	* configure: Update configure with acinclude.m4.

2022-12-25  Sam James  <sam@gentoo.org>

	* acinclude.m4: Fix configure tests broken with Clang 16.
	Origin: tats/w3m#248

2022-12-25  Rin Okuyama  <rokuyama.rk@gmail.com>

	* image.c, terms.c:
	For sixel, no need to round image size to multiple of character size.
	Origin: tats/w3m#246

	* image.c: Display resized image for OSC 5379 (mlterm).
	Origin: tats/w3m#245

2022-12-25  Rene Kita  <mail@rkta.de>

	* doc/README.siteconf: Say what the comment character is.
	Use the comment character in Examples.
	Origin: tats/w3m#237

	* main.c: Retry if loading of a file fails when argv_is_url.
	Origin: tats/w3m#235
	Bug-Debian: tats/w3m#210
	Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=537761
	Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946440

2022-12-25  NRK  <nrk@disroot.org>

	* image.c: remove duplicate declaration.
	* cookie.c, entity.c, file.c, frame.c, func.c, image.c, linein.c:
	* mailcap.c, main.c, rc.c, rc.h, table.c, terms.c, terms.h:
	* w3mbookmark.c, w3mhelperpanel.c:
	fix all -Wmissing-prototypes warnings.
	* file.c, history.c, history.h, indep.c, indep.h, mailcap.c, proto.h:
	* rc.c, terms.c, url.c: fix some -Wstrict-prototypes warnings.
	Origin: tats/w3m#234

2022-12-25  Rene Kita  <mail@rkta.de>

	* .github/workflows/build.yml:
	Add GitHub Action to build source when pushing.
	Origin: tats/w3m#228

2022-12-21  Tatsuya Kinoshita  <tats@debian.org>

	* po/de.po, po/it.po, po/ja.po, po/sv_SE.po, po/w3m.pot, po/zh_CN.po:
	* po/zh_TW.po: Update PO strings.

2022-12-21  Rene Kita  <mail@rkta.de>

	* etc.c, fm.h, history.c, rc.c:
	Add option to set directory for temporary files.
	Origin: tats/w3m#219
	cf. tats/w3m#130

2022-12-21  Yash Lala  <yashlala@gmail.com>

	* rc.c: Use `Strnew_charp()` to create `char *` instead of `strdup()`.

	* rc.c:
	refactor: Substitute some clunky code with a `strdup()`.

	* doc/FAQ.html, doc/MANUAL.html, doc/w3m.1, rc.c:
	Set `rc_dir` based on `W3M_DIR` environment variable.
	Origin: tats/w3m#207
	cf. tats/w3m#130

2022-12-20  Tatsuya Kinoshita  <tats@debian.org>

	* etc.c: Fix potential overflow in checkType.

	* etc.c:
	Fix m17n backspace handling causes out-of-bounds write in checkType.
	[CVE-2022-38223]
	Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019599
	Bug-Debian: tats/w3m#242
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants