heap-buffer-overflow write in feed_table_tag() #71

kcwu · 2016-12-03T08:46:12Z

input (xxd cases/tats-w3m-71)

00000000: 3c74 6162 6c65 3e30 3c74 723e 3c74 723e  <table>0<tr><tr>
00000010: 3c74 723e 3c74 723e 3c74 723e 3c74 723e  <tr><tr><tr><tr>
00000020: 3c74 723e 3c74 723e 3c74 723e 3c74 723e  <tr><tr><tr><tr>
00000030: 3c74 723e 3c74 723e 3c74 723e 3c74 723e  <tr><tr><tr><tr>
00000040: 3c74 723e 3c74 723e 3c74 723e 3c74 723e  <tr><tr><tr><tr>
00000050: 3c74 723e 3c74 723e 3c74 723e 3c74 723e  <tr><tr><tr><tr>
00000060: 3c74 723e 3c74 723e 3c74 723e 3c74 723e  <tr><tr><tr><tr>
00000070: 3c74 723e 3c74 723e 3c74 723e 3c74 723e  <tr><tr><tr><tr>
00000080: 3c74 723e 3c74 723e 3c74 723e 3c74 723e  <tr><tr><tr><tr>
00000090: 3c74 723e 3c74 723e 3c74 723e 3c74 723e  <tr><tr><tr><tr>
000000a0: 3c74 723e 3c74 723e 3c74 723e 3c74 723e  <tr><tr><tr><tr>
000000b0: 3c74 723e 3c74 723e 3c74 723e 3c74 723e  <tr><tr><tr><tr>
000000c0: 3c74 723e 3c74 723e 3c74 723e 3c74 7220  <tr><tr><tr><tr
000000d0: 6964 3d3e                                id=>

how to reproduce:

ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 LD_LIBRARY_PATH=./notgc ./w3m-tats.asan -T text/html -dump cases/tats-w3m-71

stderr:

=================================================================
==2450670==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000edd0 at pc 0x0000006185ff bp 0x7ffe77f290d0 sp 0x7ffe77f290c8
WRITE of size 8 at 0x61400000edd0 thread T0
    #0 0x6185fe in feed_table_tag /targets/w3m-tats/table.c:2570:31
    #1 0x6145d5 in feed_table /targets/w3m-tats/table.c:3145:14
    #2 0x591bcc in HTMLlineproc0 /targets/w3m-tats/file.c:6424:14
    #3 0x5a5a0c in loadHTMLstream /targets/w3m-tats/file.c:7252:2
    #4 0x55bbf8 in loadHTMLBuffer /targets/w3m-tats/file.c:6781:5
    #5 0x55ee64 in loadSomething /targets/w3m-tats/file.c:224:16
    #6 0x5535ac in loadGeneralFile /targets/w3m-tats/file.c:2241:6
    #7 0x4f9202 in main /targets/w3m-tats/main.c:1017:12
    #8 0x7fbeda0faf44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #9 0x41bf25 in _start (/w3m-tats.asan+0x41bf25)

0x61400000edd0 is located 0 bytes to the right of 400-byte region [0x61400000ec40,0x61400000edd0)
allocated by thread T0 here:
    #0 0x4c63fc in calloc (/w3m-tats.asan+0x4c63fc)
    #1 0x7fbedb848b05 in GC_malloc /notgc/notgc.c:259
    #2 0x60f8f5 in begin_table /targets/w3m-tats/table.c:1998:9
    #3 0x588e40 in HTMLtagproc1 /targets/w3m-tats/file.c:5039:30
    #4 0x5927e3 in HTMLlineproc0 /targets/w3m-tats/file.c:6477:10
    #5 0x5a5a0c in loadHTMLstream /targets/w3m-tats/file.c:7252:2
    #6 0x55bbf8 in loadHTMLBuffer /targets/w3m-tats/file.c:6781:5
    #7 0x55ee64 in loadSomething /targets/w3m-tats/file.c:224:16
    #8 0x5535ac in loadGeneralFile /targets/w3m-tats/file.c:2241:6
    #9 0x4f9202 in main /targets/w3m-tats/main.c:1017:12
    #10 0x7fbeda0faf44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow /targets/w3m-tats/table.c:2570:31 in feed_table_tag
Shadow bytes around the buggy address:
  0x0c287fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff9d80: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c287fff9d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff9da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff9db0: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa
  0x0c287fff9dc0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c287fff9dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff9de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff9df0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
  0x0c287fff9e00: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2450670==ABORTING

This is detected with help of dummy libgc wrapper. See http://github.com/kcwu/fuzzing-w3m/notgc for detail.
More detail to reproduce please see http://github.com/kcwu/fuzzing-w3m

For your convenience,
gdbline:
LD_LIBRARY_PATH=./notgc ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 gdb --args ./w3m-tats.asan -T text/html -dump cases/tats-w3m-71

This is found by afl-fuzz.

The text was updated successfully, but these errors were encountered:

kcwu · 2016-12-03T16:22:17Z

#6  0x00000000006185ff in feed_table_tag (tbl=0x61d00001cc80, line=0x60300000d1e0 "<tr id=>", mode=0x178dfa0 <table_mode>, width=79, tag=0x60400000c510) at table.c:2570
2570                tbl->tridvalue[tbl->row] = Strnew_charp(p);
(gdb) p tbl->row
$1 = 50

but tbl->tridvalue[] is allocated in newTable() with fixed value MAXROW=50.

284         t->tridvalue = New_N(Str, MAXROW);

BTW, there are 50 tr tag in the input. <tr id=> is the 50th.

Bug-Debian: #71

tats · 2016-12-05T13:50:46Z

Fixed, thank you.

- New patch 934_menu.patch to fix buffer overflow (#49) - New patch 935_shiftanchor.patch to fix buffer overflow (#62) - New patch 936_metarefresh.patch to fix buffer overflow (#63) - New patch 937_lineproc0.patch to fix buffer overflow (#67) - New patch 938_lineproc2body.patch to fix buffer overflow (#61) - New patch 939_textarea.patch to fix buffer overflow (#58) - New patch 940_tabattr.patch to fix buffer overflow (#60) - New patch 941_integeredwidth.patch to fix buffer overflow (#70) - New patch 942_tridvalue.patch to fix buffer overflow (#71) - New patch 943_pushlink.patch to fix buffer overflow (#64, #66) - New patch 944_lineproc0.patch to fix use after free (#65) - New patch 945_wtfstrwidth.patch to fix buffer overflow (#57) - New patch 946_strnewsize.patch to fix buffer overflow (#72) - New patch 947_realcolumn.patch to fix buffer overflow (#69) - New patch 948_getmclen.patch to fix buffer overflow (#59, #73, #74, #75, #76, #78, #79, #80, #83, #84) - New patch 949_wtftowcs.patch to fix buffer overflow (#77) - New patch 950_textarea.patch to fix infinite loop (#85) - New patch 951_lineproc0.patch to fix use after free (#81) - New patch 952_formupdatebuffer.patch to fix buffer overflow (#82) - New patch 953_formupdateline.patch to fix buffer overflow (#68#issuecomment-266214643) - New patch 954_wtfparse1.patch to fix buffer overflow (#68)

Bug-Debian: #71 Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=30b0c971676e229dabd2715c200f76bcfe27a714

tats added a commit that referenced this issue Dec 5, 2016

Prevent array index out of bounds for tridvalue in feed_table_tag()

30b0c97

Bug-Debian: #71

tats closed this as completed Dec 5, 2016

tats added a commit that referenced this issue May 5, 2017

Prevent array index out of bounds for tridvalue in feed_table_tag()

738f32c

Bug-Debian: #71 Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=30b0c971676e229dabd2715c200f76bcfe27a714

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

heap-buffer-overflow write in feed_table_tag() #71

heap-buffer-overflow write in feed_table_tag() #71

kcwu commented Dec 3, 2016

kcwu commented Dec 3, 2016

tats commented Dec 5, 2016

heap-buffer-overflow write in feed_table_tag() #71

heap-buffer-overflow write in feed_table_tag() #71

Comments

kcwu commented Dec 3, 2016

kcwu commented Dec 3, 2016

tats commented Dec 5, 2016