heap-buffer-overflow in Strnew_size() #72

Closed
kcwu opened this issue Dec 7, 2016 · 2 comments
kcwu commented Dec 7, 2016

input (xxd cases/tats-w3m-72)

00000000: 3c69 6e70 7574 2076 616c 7565 3d30 2073  <input value=0 s
00000010: 697a 653d 2d33 3e                        ize=-3>

how to reproduce:

ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 LD_LIBRARY_PATH=./notgc ./w3m-tats.asan -T text/html -dump cases/tats-w3m-72

stderr:

ASAN:DEADLYSIGNAL
=================================================================
==3858606==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000006e37be bp 0x7fffc98f4e60 sp 0x7fffc98f4e00 T0)
    #0 0x6e37bd in Strnew_size /targets/w3m-tats/Str.c:52:15
    #1 0x63367e in textfieldrep /targets/w3m-tats/form.c:520:13
    #2 0x56f366 in process_input /targets/w3m-tats/file.c:3699:15
    #3 0x58c9ba in HTMLtagproc1 /targets/w3m-tats/file.c:5111:8
    #4 0x5928ff in HTMLlineproc0 /targets/w3m-tats/file.c:6480:10
    #5 0x5a5bbc in loadHTMLstream /targets/w3m-tats/file.c:7255:2
    #6 0x55bbf8 in loadHTMLBuffer /targets/w3m-tats/file.c:6784:5
    #7 0x55ee64 in loadSomething /targets/w3m-tats/file.c:224:16
    #8 0x5535ac in loadGeneralFile /targets/w3m-tats/file.c:2241:6
    #9 0x4f9202 in main /targets/w3m-tats/main.c:1017:12
    #10 0x7f7619dcef44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #11 0x41bf25 in _start (/w3m-tats.asan+0x41bf25)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /targets/w3m-tats/Str.c:52:15 in Strnew_size
==3858606==ABORTING

This is detected with the help of a dummy libgc wrapper. See http://github.com/kcwu/fuzzing-w3m/notgc for details.
For more details on how to reproduce, please see http://github.com/kcwu/fuzzing-w3m

For your convenience,
gdbline:
LD_LIBRARY_PATH=./notgc ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 gdb --args ./w3m-tats.asan -T text/html -dump cases/tats-w3m-72

This is found by afl-fuzz


kcwu commented Dec 7, 2016

0x00000000006e37be in Strnew_size (n=-1) at Str.c:52
51          x->ptr = GC_MALLOC_ATOMIC(n + 1);
52          x->ptr[0] = '\0';

w3m allocates a buffer of size 0 and writes one byte to said pointer.

Here my dummy libgc wrapper returns NULL, so it SEGVs. Real libgc will return a dummy pointer and won't crash. Anyway, w3m still shouldn't write to it.
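
The following is an added example, not w3m's own code and not part of the report: a reduced C model of the call chain in the stack trace (process_input -> textfieldrep -> Strnew_size) showing how `<input value=0 size=-3>` reaches `Strnew_size(n=-1)`, with the zero-byte allocation and out-of-bounds terminator write next to a clamped version. Everything below is assumed for illustration: the `Str_t` struct, the `gc_malloc_atomic_stub` stand-in for `GC_MALLOC_ATOMIC` (which, like the reporter's notgc wrapper, returns NULL for a 0-byte request), the `size_attr` parser, the `textfieldrep_request` model of the buffer size as `width + 2` (consistent with size=-3 producing n=-1, but not taken from the w3m source), and the `kReproTag` input, which is constructed from the bytes in the report.

```c
/* Added example, not w3m code: model of the Strnew_size(n=-1) bug and a fix.
 * Assumptions: textfieldrep requests width + 2 bytes; GC_MALLOC_ATOMIC is a
 * malloc stand-in returning NULL for a 0-byte request (like the notgc wrapper). */
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *ptr;
    int length;
    int area_size;
} Str_t;

/* Stand-in for GC_MALLOC_ATOMIC (assumption): NULL on a zero-byte request. */
static void *gc_malloc_atomic_stub(size_t n)
{
    return n == 0 ? NULL : malloc(n);
}

/* Vulnerable shape from the report: n comes from attacker-controlled input.
 * n == -1 requests 0 bytes, after which x->ptr[0] = '\0' would write out of
 * bounds (or to NULL with the dummy allocator). The terminator write is left
 * out here so the function returns instead of faulting; callers inspect
 * ptr/area_size to see the bad state. */
static Str_t *strnew_size_vuln(int n)
{
    Str_t *x = malloc(sizeof *x);
    if (x == NULL)
        return NULL;
    x->ptr = gc_malloc_atomic_stub((size_t)(n + 1));
    x->length = 0;
    x->area_size = n + 1;
    return x;
}

/* Hardened shape: clamp negative sizes to 0 so at least one byte exists for
 * the terminator, and never write through a failed allocation. */
static Str_t *strnew_size_fixed(int n)
{
    if (n < 0)
        n = 0;
    Str_t *x = malloc(sizeof *x);
    if (x == NULL)
        return NULL;
    x->ptr = gc_malloc_atomic_stub((size_t)n + 1);
    if (x->ptr == NULL) {
        free(x);
        return NULL;
    }
    x->ptr[0] = '\0';
    x->length = 0;
    x->area_size = n + 1;
    return x;
}

/* 1 if the terminator write in the vulnerable version would be out of bounds. */
static int terminator_write_oob(const Str_t *x)
{
    return x == NULL || x->ptr == NULL || x->area_size < 1;
}

/* Minimal stand-in for the attribute parsing in process_input (assumption):
 * pull the integer after "size=" out of a tag with atoi and no range check.
 * Returns 0 when the attribute is absent. */
static int size_attr(const char *tag)
{
    const char *p = strstr(tag, "size=");
    return p ? atoi(p + 5) : 0;
}

/* textfieldrep's buffer request, modelled as width + 2 (assumption). */
static int textfieldrep_request(int width)
{
    return width + 2;
}

/* Constructed input: the same 23 bytes as the report's cases/tats-w3m-72. */
static const char kReproTag[] = "<input value=0 size=-3>";

int main(void)
{
    int n = textfieldrep_request(size_attr(kReproTag));   /* -1 */
    Str_t *bad = strnew_size_vuln(n);
    Str_t *good = strnew_size_fixed(n);
    return (terminator_write_oob(bad) && !terminator_write_oob(good)) ? 0 : 1;
}
```

With a real libgc the 0-byte request returns a usable pointer and the one-byte write lands just past the object, which is why the fuzzer only saw the fault through the NULL-returning wrapper; the clamp in `strnew_size_fixed` removes the bad write in both configurations.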

tats added a commit that referenced this issue Dec 10, 2016

tats commented Dec 10, 2016

Fixed, thank you.

@tats tats closed this as completed Dec 10, 2016
tats added a commit that referenced this issue May 5, 2017
- New patch 934_menu.patch to fix buffer overflow (#49)
- New patch 935_shiftanchor.patch to fix buffer overflow (#62)
- New patch 936_metarefresh.patch to fix buffer overflow (#63)
- New patch 937_lineproc0.patch to fix buffer overflow (#67)
- New patch 938_lineproc2body.patch to fix buffer overflow (#61)
- New patch 939_textarea.patch to fix buffer overflow (#58)
- New patch 940_tabattr.patch to fix buffer overflow (#60)
- New patch 941_integeredwidth.patch to fix buffer overflow (#70)
- New patch 942_tridvalue.patch to fix buffer overflow (#71)
- New patch 943_pushlink.patch to fix buffer overflow (#64, #66)
- New patch 944_lineproc0.patch to fix use after free (#65)
- New patch 945_wtfstrwidth.patch to fix buffer overflow (#57)
- New patch 946_strnewsize.patch to fix buffer overflow (#72)
- New patch 947_realcolumn.patch to fix buffer overflow (#69)
- New patch 948_getmclen.patch to fix buffer overflow
  (#59, #73, #74, #75, #76, #78, #79, #80, #83, #84)
- New patch 949_wtftowcs.patch to fix buffer overflow (#77)
- New patch 950_textarea.patch to fix infinite loop (#85)
- New patch 951_lineproc0.patch to fix use after free (#81)
- New patch 952_formupdatebuffer.patch to fix buffer overflow (#82)
- New patch 953_formupdateline.patch to fix buffer overflow
  (#68#issuecomment-266214643)
- New patch 954_wtfparse1.patch to fix buffer overflow (#68)