heap-use-after-free in HTMLlineproc0() #65

Closed
kcwu opened this issue Dec 2, 2016 · 2 comments
kcwu commented Dec 2, 2016

input (xxd cases/tats-w3m-65)

00000000: 303c 7461 626c 653e 303c 6361 7074 696f  0<table>0<captio
00000010: 6e3e 3c69 6e70 7574 3e0a 3c69 6e70 7574  n><input>.<input
00000020: 2074 7970 653d 2268 6964 6465 6e22 6964   type="hidden"id
00000030: 3d30 3022 3e                             =00">

how to reproduce:

ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 LD_LIBRARY_PATH=./notgc ./w3m-tats.asan -T text/html -dump cases/tats-w3m-65

stderr:

=================================================================
==3694783==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200000b345 at pc 0x00000044ba68 bp 0x7ffeac967a30 sp 0x7ffeac9671e0
READ of size 106 at 0x61200000b345 thread T0
    #0 0x44ba67 in strlen (/w3m-tats.asan+0x44ba67)
    #1 0x6e355d in Strnew_charp /targets/w3m-tats/Str.c:67:9
    #2 0x5952f4 in HTMLlineproc0 /targets/w3m-tats/file.c:6610:14
    #3 0x60c93c in make_caption /targets/w3m-tats/table.c:1698:5
    #4 0x609109 in renderTable /targets/w3m-tats/table.c:1870:5
    #5 0x59240b in HTMLlineproc0 /targets/w3m-tats/file.c:6452:3
    #6 0x5a7d14 in completeHTMLstream /targets/w3m-tats/file.c:7022:2
    #7 0x5a5b21 in loadHTMLstream /targets/w3m-tats/file.c:7258:5
    #8 0x55bbf8 in loadHTMLBuffer /targets/w3m-tats/file.c:6781:5
    #9 0x55ee64 in loadSomething /targets/w3m-tats/file.c:224:16
    #10 0x5535ac in loadGeneralFile /targets/w3m-tats/file.c:2241:6
    #11 0x4f9202 in main /targets/w3m-tats/main.c:1017:12
    #12 0x7f62f952af44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #13 0x41bf25 in _start (/w3m-tats.asan+0x41bf25)

0x61200000b345 is located 133 bytes inside of 257-byte region [0x61200000b2c0,0x61200000b3c1)
freed by thread T0 here:
    #0 0x4c5f40 in free (/w3m-tats.asan+0x4c5f40)
    #1 0x6e4ab1 in Strcat_charp_n /targets/w3m-tats/Str.c:197:2
    #2 0x6e3b0c in Strcat_charp /targets/w3m-tats/Str.c:216:5
    #3 0x565c42 in append_tags /targets/w3m-tats/file.c:2508:2
    #4 0x5952e8 in HTMLlineproc0 /targets/w3m-tats/file.c:6609:7
    #5 0x60c93c in make_caption /targets/w3m-tats/table.c:1698:5
    #6 0x609109 in renderTable /targets/w3m-tats/table.c:1870:5
    #7 0x59240b in HTMLlineproc0 /targets/w3m-tats/file.c:6452:3
    #8 0x5a7d14 in completeHTMLstream /targets/w3m-tats/file.c:7022:2
    #9 0x5a5b21 in loadHTMLstream /targets/w3m-tats/file.c:7258:5
    #10 0x55bbf8 in loadHTMLBuffer /targets/w3m-tats/file.c:6781:5
    #11 0x55ee64 in loadSomething /targets/w3m-tats/file.c:224:16
    #12 0x5535ac in loadGeneralFile /targets/w3m-tats/file.c:2241:6
    #13 0x4f9202 in main /targets/w3m-tats/main.c:1017:12
    #14 0x7f62f952af44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

previously allocated by thread T0 here:
    #0 0x4c6288 in __interceptor_malloc (/w3m-tats.asan+0x4c6288)
    #1 0x7f62fac78c21 in GC_malloc_atomic /notgc/notgc.c:275
    #2 0x563ebf in flushline /targets/w3m-tats/file.c:2973:18
    #3 0x589b15 in HTMLtagproc1 /targets/w3m-tats/file.c:5062:6
    #4 0x5927e3 in HTMLlineproc0 /targets/w3m-tats/file.c:6477:10
    #5 0x60c8d3 in make_caption /targets/w3m-tats/table.c:1697:5
    #6 0x609109 in renderTable /targets/w3m-tats/table.c:1870:5
    #7 0x59240b in HTMLlineproc0 /targets/w3m-tats/file.c:6452:3
    #8 0x5a7d14 in completeHTMLstream /targets/w3m-tats/file.c:7022:2
    #9 0x5a5b21 in loadHTMLstream /targets/w3m-tats/file.c:7258:5
    #10 0x55bbf8 in loadHTMLBuffer /targets/w3m-tats/file.c:6781:5
    #11 0x55ee64 in loadSomething /targets/w3m-tats/file.c:224:16
    #12 0x5535ac in loadGeneralFile /targets/w3m-tats/file.c:2241:6
    #13 0x4f9202 in main /targets/w3m-tats/main.c:1017:12
    #14 0x7f62f952af44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-use-after-free (/w3m-tats.asan+0x44ba67) in strlen
Shadow bytes around the buggy address:
  0x0c247fff9610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff9620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff9630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff9640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff9650: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c247fff9660: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x0c247fff9670: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c247fff9680: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff9690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff96a0: 00 00 00 00 00 00 00 00 01 fa fa fa fa fa fa fa
  0x0c247fff96b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3694783==ABORTING

This is detected with the help of a dummy libgc wrapper. See http://github.com/kcwu/fuzzing-w3m/notgc for details.
For more detail on how to reproduce, please see http://github.com/kcwu/fuzzing-w3m

For your convenience, the gdb line:
LD_LIBRARY_PATH=./notgc ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 gdb --args ./w3m-tats.asan -T text/html -dump cases/tats-w3m-65

This is found by afl-fuzz.


kcwu commented Dec 2, 2016

Detail: file.c

6599                    char *bp = obuf->line->ptr + obuf->bp.len;
6600                    char *tp = bp - obuf->bp.tlen;
6601                    int i = 0;
6602
6603                    if (tp > obuf->line->ptr && tp[-1] == ' ')
6604                        i = 1;
6605
6606                    indent = h_env->envs[h_env->envc].indent;
6607                    if (obuf->bp.pos - i > indent) {
6608                        Str line;
6609                        append_tags(obuf);
6610                        line = Strnew_charp(bp);

Line 6599 saves a pointer into obuf->line->ptr.
Line 6609 may reallocate the buffer (and free the old buffer).
Line 6610 still uses the old pointer.
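
The pattern described in the comment above, as an added example that is not code from this issue or from w3m: a minimal growable string buffer whose append grows by allocating a fresh block, copying and freeing the old one (the same shape the ASan trace shows for Strcat_charp_n, but constructed here, not w3m's Str.c). buffer_moves_on_growth() shows that a growing append always changes the buffer address under such an allocator, so a char pointer taken into the buffer beforehand dangles. tail_after_append() shows the safe ordering: keep the byte offset (the role of obuf->bp.len), append the tags, and only then derive the pointer from the current ptr. The function and type names are hypothetical; the page does not show how 944_lineproc0.patch fixed the real code.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed growable string: (ptr, length, area), not w3m's Str. */
typedef struct {
    char *ptr;
    size_t length;
    size_t area;
} *Str;

static Str str_new(const char *s) {
    Str r = malloc(sizeof(*r));
    r->length = strlen(s);
    r->area = r->length + 1;
    r->ptr = malloc(r->area);
    memcpy(r->ptr, s, r->area);
    return r;
}

/* Append t. When the buffer must grow, allocate a new block, copy the
 * contents and free the old block, so any pointer previously taken into
 * s->ptr now refers to freed memory. */
static void str_cat(Str s, const char *t) {
    size_t n = strlen(t);
    if (s->length + n + 1 > s->area) {
        size_t area = (s->length + n + 1) * 2;
        char *np = malloc(area);
        memcpy(np, s->ptr, s->length + 1);
        free(s->ptr);
        s->ptr = np;
        s->area = area;
    }
    memcpy(s->ptr + s->length, t, n + 1);
    s->length += n;
}

static void str_free(Str s) {
    free(s->ptr);
    free(s);
}

/* Returns 1 when an append that grows the buffer moves it. The old address
 * is kept as an integer, so nothing derived from the stale pointer is read. */
int buffer_moves_on_growth(void) {
    Str s = str_new("0<caption>");
    uintptr_t before = (uintptr_t)s->ptr;
    str_cat(s, "<input><input type=\"hidden\" id=\"00\">");
    int moved = (uintptr_t)s->ptr != before;
    str_free(s);
    return moved;
}

/* Safe ordering for the report's sequence: remember the offset (bp.len),
 * append the tags, then compute bp from the *current* ptr. The buggy
 * ordering would compute bp before the append and read it afterwards.
 * Returns a malloc'd copy of the tail that the caller frees. */
char *tail_after_append(const char *initial, size_t off, const char *tags) {
    Str line = str_new(initial);
    if (off > line->length)
        off = line->length;
    str_cat(line, tags);                  /* may free and replace line->ptr */
    char *bp = line->ptr + off;           /* derived after the append */
    size_t n = line->length - off;
    char *copy = malloc(n + 1);
    memcpy(copy, bp, n + 1);
    str_free(line);
    return copy;
}
```

The offset is the only value that survives a reallocation; holding it instead of a raw pointer is the general fix for this class of bug, and ASan with a non-GC allocator (as the notgc wrapper does here) is what makes the stale read visible at all, since a conservative GC would keep the old block alive and hide it.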

tats added a commit that referenced this issue Dec 7, 2016

tats commented Dec 7, 2016

Fixed, thank you.

@tats tats closed this as completed Dec 7, 2016
tats added a commit that referenced this issue May 5, 2017
- New patch 934_menu.patch to fix buffer overflow (#49)
- New patch 935_shiftanchor.patch to fix buffer overflow (#62)
- New patch 936_metarefresh.patch to fix buffer overflow (#63)
- New patch 937_lineproc0.patch to fix buffer overflow (#67)
- New patch 938_lineproc2body.patch to fix buffer overflow (#61)
- New patch 939_textarea.patch to fix buffer overflow (#58)
- New patch 940_tabattr.patch to fix buffer overflow (#60)
- New patch 941_integeredwidth.patch to fix buffer overflow (#70)
- New patch 942_tridvalue.patch to fix buffer overflow (#71)
- New patch 943_pushlink.patch to fix buffer overflow (#64, #66)
- New patch 944_lineproc0.patch to fix use after free (#65)
- New patch 945_wtfstrwidth.patch to fix buffer overflow (#57)
- New patch 946_strnewsize.patch to fix buffer overflow (#72)
- New patch 947_realcolumn.patch to fix buffer overflow (#69)
- New patch 948_getmclen.patch to fix buffer overflow
  (#59, #73, #74, #75, #76, #78, #79, #80, #83, #84)
- New patch 949_wtftowcs.patch to fix buffer overflow (#77)
- New patch 950_textarea.patch to fix infinite loop (#85)
- New patch 951_lineproc0.patch to fix use after free (#81)
- New patch 952_formupdatebuffer.patch to fix buffer overflow (#82)
- New patch 953_formupdateline.patch to fix buffer overflow
  (#68#issuecomment-266214643)
- New patch 954_wtfparse1.patch to fix buffer overflow (#68)