Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

heap-buffer-overflow read in flushline() #64

Closed
kcwu opened this issue Dec 2, 2016 · 2 comments
Closed

heap-buffer-overflow read in flushline() #64

kcwu opened this issue Dec 2, 2016 · 2 comments

Comments

@kcwu
Copy link
Contributor

kcwu commented Dec 2, 2016
edited
Loading

input (xxd cases/tats-w3m-64)

00000000: 3c74 6162 6c65 3e3c 4361 7074 696f 6e3e  <table><Caption>
00000010: 3c69 6d67 2073 7263 3d22 2277 6964 7468  <img src=""width
00000020: 3d33 3030 3030 3020 6865 6967 6874 3d30  =300000 height=0
00000030: 3e3c 693e                                ><i>

how to reproduce:

ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 LD_LIBRARY_PATH=./notgc ./w3m-tats.asan -T text/html -dump cases/tats-w3m-64

stderr:

=================================================================
==3694705==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62e0000116c4 at pc 0x00000044ba68 bp 0x7ffee2207790 sp 0x7ffee2206f40
READ of size 1 at 0x62e0000116c4 thread T0
    #0 0x44ba67 in strlen (/w3m-tats.asan+0x44ba67)
    #1 0x6e355d in Strnew_charp /targets/w3m-tats/Str.c:67:9
    #2 0x56129c in flushline /targets/w3m-tats/file.c:2789:9
    #3 0x58a28a in HTMLtagproc1 /targets/w3m-tats/file.c:5069:6
    #4 0x5927e3 in HTMLlineproc0 /targets/w3m-tats/file.c:6477:10
    #5 0x60c63a in make_caption /targets/w3m-tats/table.c:1691:5
    #6 0x606cab in renderTable /targets/w3m-tats/table.c:1724:2
    #7 0x59240b in HTMLlineproc0 /targets/w3m-tats/file.c:6452:3
    #8 0x5a7d14 in completeHTMLstream /targets/w3m-tats/file.c:7022:2
    #9 0x5a5b21 in loadHTMLstream /targets/w3m-tats/file.c:7258:5
    #10 0x55bbf8 in loadHTMLBuffer /targets/w3m-tats/file.c:6781:5
    #11 0x55ee64 in loadSomething /targets/w3m-tats/file.c:224:16
    #12 0x5535ac in loadGeneralFile /targets/w3m-tats/file.c:2241:6
    #13 0x4f9202 in main /targets/w3m-tats/main.c:1017:12
    #14 0x7f220e53ff44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #15 0x41bf25 in _start (/w3m-tats.asan+0x41bf25)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow (/w3m-tats.asan+0x44ba67) in strlen
Shadow bytes around the buggy address:
  0x0c5c7fffa280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fffa290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fffa2a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fffa2b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fffa2c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c5c7fffa2d0: fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa
  0x0c5c7fffa2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fffa2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fffa300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fffa310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fffa320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3694705==ABORTING

This is detected with help of dummy libgc wrapper. See http://github.com/kcwu/fuzzing-w3m/notgc for detail.
More detail to reproduce please see http://github.com/kcwu/fuzzing-w3m

For your convenience,
gdbline:
LD_LIBRARY_PATH=./notgc ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 gdb --args ./w3m-tats.asan -T text/html -dump cases/tats-w3m-64

This is found by afl-fuzz.
@kcwu kcwu changed the title heap-buffer-overflow read in Strnew_charp() heap-buffer-overflow read in flushline() Dec 2, 2016
@kcwu
Copy link
Contributor Author

kcwu commented Dec 6, 2016

The string pointer is got from has_hidden_link()

2303          return line->ptr + p->offset;

where p->offset=-27964.

So, I think issue #66 is the same issue. Just because p->offset is out of boundary too much, ASan is unable to know they are actually identical. BTW, following test case is yet another and ASan say it is heap-use-after-free

00000000: 3c74 6162 6c65 3e3c 696e 7075 7420 7479  <table><input ty                                                                                                                                                                                                                                                 │·····················································
00000010: 7065 3d22 696d 6167 6522 6865 6967 6874  pe="image"height                                                                                                                                                                                                                                                 │·····················································
00000020: 3d30 2073 7263 3d30 2077 6964 7468 3d33  =0 src=0 width=3                                                                                                                                                                                                                                                 │·····················································
00000030: 3330 3030 303e 3c69 3e3c 703e 3c74 6162  30000><i><p><tab                                                                                                                                                                                                                                                 │·····················································
00000040: 6c65 3e3c 696e 7075 7420 7479 7065 3d22  le><input type="                                                                                                                                                                                                                                                 │·····················································
00000050: 696d 6167 6522 6865 6967 6874 3d30 2073  image"height=0 s                                                                                                                                                                                                                                                 │·····················································
00000060: 7263 3d30 2077 6964 7468 3d33 3030 3030  rc=0 width=30000                                                                                                                                                                                                                                                 │·····················································
00000070: 303e                                     0>

This case, p->offset=-24113.

@kcwu kcwu mentioned this issue Dec 6, 2016
Closed
tats added a commit that referenced this issue Dec 7, 2016
@tats
Prevent negative values for offset and pos in push_link()
ecf5771 
Bug-Debian: #64
@tats
Copy link
Owner

tats commented Dec 7, 2016

Fixed, thank you.

@tats tats closed this as completed Dec 7, 2016
tats added a commit that referenced this issue May 5, 2017
@tats
Fix multiple vulnerabilities (closes: #850432)
d73f74e 
- New patch 934_menu.patch to fix buffer overflow (#49)
- New patch 935_shiftanchor.patch to fix buffer overflow (#62)
- New patch 936_metarefresh.patch to fix buffer overflow (#63)
- New patch 937_lineproc0.patch to fix buffer overflow (#67)
- New patch 938_lineproc2body.patch to fix buffer overflow (#61)
- New patch 939_textarea.patch to fix buffer overflow (#58)
- New patch 940_tabattr.patch to fix buffer overflow (#60)
- New patch 941_integeredwidth.patch to fix buffer overflow (#70)
- New patch 942_tridvalue.patch to fix buffer overflow (#71)
- New patch 943_pushlink.patch to fix buffer overflow (#64, #66)
- New patch 944_lineproc0.patch to fix use after free (#65)
- New patch 945_wtfstrwidth.patch to fix buffer overflow (#57)
- New patch 946_strnewsize.patch to fix buffer overflow (#72)
- New patch 947_realcolumn.patch to fix buffer overflow (#69)
- New patch 948_getmclen.patch to fix buffer overflow
  (#59, #73, #74, #75, #76, #78, #79, #80, #83, #84)
- New patch 949_wtftowcs.patch to fix buffer overflow (#77)
- New patch 950_textarea.patch to fix infinite loop (#85)
- New patch 951_lineproc0.patch to fix use after free (#81)
- New patch 952_formupdatebuffer.patch to fix buffer overflow (#82)
- New patch 953_formupdateline.patch to fix buffer overflow
  (#68#issuecomment-266214643)
- New patch 954_wtfparse1.patch to fix buffer overflow (#68)
tats added a commit that referenced this issue May 5, 2017
@tats
Prevent negative values for offset and pos in push_link()
0e0c678 
Bug-Debian: #64
Bug-Debian: #66
Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=ecf57714191b77142da74035b748262cdc80dfb7
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kcwu @tats