global-buffer-overflow in parseURL() #41

Closed
kcwu opened this Issue Nov 17, 2016 · 6 comments

Comments

@kcwu
Contributor

kcwu commented Nov 17, 2016

input

00000000: 3c41 2068 7265 663d 2f2f 3e30 3030 3030  <A href=//>00000
00000010: 3030 3c62 6173 6520 6872 6566 3d3a 3e30  00<base href=:>0
00000020: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000030: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000040: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000050: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000060: 3030 3030 3030 3030                      00000000

Build with AddressSanitizer. The run result:

==1331653==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000007903fc at pc 0x0000006a2b14 bp 0x7ffda749a3b0 sp 0x7ffda749a3a8
READ of size 4 at 0x0000007903fc thread T0
    #0 0x6a2b13 in parseURL /home/kcwu/w3m/url.c:844:16
    #1 0x6a43db in parseURL2 /home/kcwu/w3m/url.c:999:5
    #2 0x6b0ec0 in url_to_charset /home/kcwu/w3m/url.c:2278:2
    #3 0x6b0ec0 in url_encode /home/kcwu/w3m/url.c:2293
    #4 0x5a83e3 in HTMLlineproc2body /home/kcwu/w3m/file.c:5684:8
    #5 0x5afe54 in HTMLlineproc2 /home/kcwu/w3m/file.c:6198:5
    #6 0x5afe54 in loadHTMLstream /home/kcwu/w3m/file.c:7289
    #7 0x56b9ec in loadHTMLBuffer /home/kcwu/w3m/file.c:6781:5
    #8 0x560a80 in loadSomething /home/kcwu/w3m/file.c:224:16
    #9 0x560a80 in loadGeneralFile /home/kcwu/w3m/file.c:2241
    #10 0x4f901a in main /home/kcwu/w3m/main.c:1020:12
    #11 0x7f3210f82f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #12 0x41c095 in _start (/home/kcwu/w3m/w3m+0x41c095)

0x0000007903fc is located 36 bytes to the left of global variable '<string literal>' defined in 'url.c:1747:10' (0x790420) of size 6
  '<string literal>' is ascii string 'url.c'
0x0000007903fc is located 5 bytes to the right of global variable '<string literal>' defined in 'url.c:1747:10' (0x7903e0) of size 23
  '<string literal>' is ascii string 'isprint(w3m_reqlog[0])'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/kcwu/w3m/url.c:844:16 in parseURL
Shadow bytes around the buggy address:
  0x0000800ea020: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
  0x0000800ea030: f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000800ea040: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9
  0x0000800ea050: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800ea060: f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
=>0x0000800ea070: f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9 00 00 07[f9]
  0x0000800ea080: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0000800ea090: 00 00 00 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9
  0x0000800ea0a0: 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
  0x0000800ea0b0: 00 00 00 04 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000800ea0c0: 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 02
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1331653==ABORTING
#11 0x0000000000463cfc in parseURL (url=0xd8d750 "//", p_url=0x7ffc377805d0, current=0xda2de0) at url.c:844
844             p_url->port = DefaultPort[p_url->scheme];
(rr) p p_url->scheme
$1 = 255

p_url->scheme = 255 = SCM_UNKNOWN, but the length of DefaultPort is 13 or 14.

This was found by afl-fuzz.
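The defect the report points at is an enum sentinel used as an array index. The following is an added example modelling that pattern beside a bounds-checked lookup; it is not w3m's code, and the scheme enum and DefaultPort table are constructed and much smaller than w3m's (w3m's real enum, table and sentinel value are assumed only in shape).

```c
#include <stdio.h>

/* Added example modelling the bug in this issue; not w3m's own code.
 * Scheme numbering and the DefaultPort table are constructed and smaller. */
enum scheme {
    SCM_FTP = 0,
    SCM_HTTP,
    SCM_HTTPS,
    SCM_NUM,            /* number of valid table entries */
    SCM_UNKNOWN = 255   /* out-of-band sentinel, never a valid index */
};

static const int DefaultPort[SCM_NUM] = { 21, 80, 443 };

struct parsed_url {
    int scheme;
    int port;
};

/* The pattern at url.c:844 in the report: when parseURL() cannot classify
 * the scheme it leaves SCM_UNKNOWN (255) in p_url->scheme, so this reads at
 * offset 255 * sizeof(int), far past the end of the global table. ASan flags
 * it as a global-buffer-overflow; without ASan it silently returns neighbouring data. */
void set_port_unchecked(struct parsed_url *p_url)
{
    p_url->port = DefaultPort[p_url->scheme];
}

/* Hardened lookup: validate the index before touching the table. The unsigned
 * compare rejects the 255 sentinel and any negative value in one test. */
int default_port_for(int scheme)
{
    if ((unsigned)scheme >= (unsigned)SCM_NUM)
        return 0;  /* no default port for an unrecognised scheme */
    return DefaultPort[scheme];
}

void set_port_checked(struct parsed_url *p_url)
{
    p_url->port = default_port_for(p_url->scheme);
}

int main(void)
{
    struct parsed_url u = { SCM_UNKNOWN, 0 };  /* constructed: unclassified scheme */
    set_port_checked(&u);
    printf("scheme=%d port=%d\n", u.scheme, u.port);
    return 0;
}
```

Under ASan the unchecked variant reproduces the class of report shown above; the checked variant is what the assert suggested later in the thread would enforce at runtime.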

@kcwu

kcwu Nov 17, 2016

Contributor

reduced case

00000000: 3c62 6173 6520 6872 6566 3d3a 3e3c 4120  <base href=:><A
00000010: 6872 6566 3d2f 2f3e                      href=//>
tats added a commit that referenced this issue Nov 17, 2016

@tats

tats Nov 17, 2016

Owner

Fixed, though unreproducible for me.

Feel free to reopen the bug if the problem still occurs.

@tats tats closed this Nov 17, 2016

@kcwu

kcwu Nov 17, 2016

Contributor

Can you reproduce if you replace

p_url->port = DefaultPort[p_url->scheme];

with

assert(p_url->scheme != SCM_UNKNOWN);
p_url->port = DefaultPort[p_url->scheme];

?

@kcwu

kcwu Nov 17, 2016

Contributor

Ah, I found w3m will load the cookie file. So it probably depends on the content of the cookie. Let me investigate more.

@tats

tats Nov 17, 2016

Owner

Ah, sorry, I misunderstood.

Reproducible and fixed. Thank you.

@kcwu

kcwu Nov 17, 2016

Contributor

Thanks.
