heap-buffer-overflow read in wtf_is_hangul() #77

Closed
kcwu opened this issue Dec 9, 2016 · 3 comments

Comments

@kcwu
Contributor

kcwu commented Dec 9, 2016

input (xxd cases/tats-w3m-77)

00000000: 3c6d 6574 6120 6368 6172 7365 743d 6762  <meta charset=gb
00000010: 3138 3033 303e 0af8 f8f8 30f8 40f8 f8f8  18030>....0.@...
00000020: f8f8 f8f8 f8f8 f8f8 3080 3030 3030 3030  ........0.000000
00000030: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000040: 80f8 f8f8 f8f8 f83c                      .......<

how to reproduce:

ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 LD_LIBRARY_PATH=./notgc ./w3m-tats.asan -T text/html -dump cases/tats-w3m-77

stderr:

=================================================================
==3436904==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000d6cc at pc 0x00000075c836 bp 0x7ffe84655bd0 sp 0x7ffe84655bc8
READ of size 1 at 0x60700000d6cc thread T0
    #0 0x75c835 in wtf_is_hangul /targets/w3m-tats/libwc/wtf.c:554:30
    #1 0x594082 in HTMLlineproc0 /targets/w3m-tats/file.c:6579:16
    #2 0x5a5d4c in loadHTMLstream /targets/w3m-tats/file.c:7265:2
    #3 0x55bbf8 in loadHTMLBuffer /targets/w3m-tats/file.c:6794:5
    #4 0x55ee64 in loadSomething /targets/w3m-tats/file.c:224:16
    #5 0x5535ac in loadGeneralFile /targets/w3m-tats/file.c:2241:6
    #6 0x4f9202 in main /targets/w3m-tats/main.c:1017:12
    #7 0x7ff558976f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #8 0x41bf25 in _start (/w3m-tats.asan+0x41bf25)

0x60700000d6cc is located 0 bytes to the right of 76-byte region [0x60700000d680,0x60700000d6cc)
allocated by thread T0 here:
    #0 0x4c6288 in __interceptor_malloc (/w3m-tats.asan+0x4c6288)
    #1 0x7ff55a0c4c21 in GC_malloc_atomic /notgc/notgc.c:275
    #2 0x5d6b5b in read_token /targets/w3m-tats/etc.c:825:6
    #3 0x591315 in HTMLlineproc0 /targets/w3m-tats/file.c:6374:6
    #4 0x5a5d4c in loadHTMLstream /targets/w3m-tats/file.c:7265:2
    #5 0x55bbf8 in loadHTMLBuffer /targets/w3m-tats/file.c:6794:5
    #6 0x55ee64 in loadSomething /targets/w3m-tats/file.c:224:16
    #7 0x5535ac in loadGeneralFile /targets/w3m-tats/file.c:2241:6
    #8 0x4f9202 in main /targets/w3m-tats/main.c:1017:12
    #9 0x7ff558976f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow /targets/w3m-tats/libwc/wtf.c:554:30 in wtf_is_hangul
Shadow bytes around the buggy address:
  0x0c0e7fff9a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9ac0: fa fa 00 00 00 00 00 00 00 00 00 03 fa fa fa fa
=>0x0c0e7fff9ad0: 00 00 00 00 00 00 00 00 00[04]fa fa fa fa fd fd
  0x0c0e7fff9ae0: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
  0x0c0e7fff9af0: 00 00 00 00 01 fa fa fa fa fa 00 00 00 00 00 00
  0x0c0e7fff9b00: 00 00 00 03 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e7fff9b10: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
  0x0c0e7fff9b20: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3436904==ABORTING

This is detected with the help of a dummy libgc wrapper. See http://github.com/kcwu/fuzzing-w3m/notgc for details.
For more details on how to reproduce, please see http://github.com/kcwu/fuzzing-w3m

For your convenience,
gdbline:
LD_LIBRARY_PATH=./notgc ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 gdb --args ./w3m-tats.asan -T text/html -dump cases/tats-w3m-77

This was found by afl-fuzz.

@kcwu
Contributor Author

kcwu commented Dec 9, 2016

wtf.c

552             wc_uchar f = (*(++p) & 0x7f) >> 2;
553             if (f == WC_F_UCS2)
554                 return wc_is_ucs_hangul(wtf_to_wcs16(p));

At line 552, p[0]=0x89, p[1]=0.
At line 554, p[0]=0 (end of string). But wtf_to_wcs16() wants to read p[0], p[1], and p[2].
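
As an added example (not code from w3m or from this thread), a simplified model of the check-then-read pattern described above, with a hardened form beside it that refuses truncated sequences instead of reading past the terminator. The 4-byte sequence layout, FMT_UCS2, the decode_* names and the 0xAA poison bytes are assumptions for illustration, not w3m's actual WTF encoding.

```c
#include <stdint.h>

/* Simplified model of the check-then-read pattern kcwu describes (assumption:
 * this is NOT w3m's real WTF layout).  A byte with the high bit set begins a
 * 4-byte sequence: lead byte, format byte, then a 16-bit code packed as two
 * 7-bit bytes.  FMT_UCS2 stands in for WC_F_UCS2; its value is a placeholder. */
#define FMT_UCS2 0

/* Stands in for wtf_to_wcs16(q): consumes the format byte and two code bytes. */
static uint16_t wcs16_at(const uint8_t *q)
{
    return (uint16_t)(((q[1] & 0x7f) << 7) | (q[2] & 0x7f));
}

/* Vulnerable shape: the format byte is read and matched, then three bytes are
 * consumed from it without asking whether the string already ended at p[1].
 * Returns 1 and stores the code, or 0 if the sequence is not FMT_UCS2. */
int decode_unchecked(const uint8_t *p, uint16_t *out)
{
    if (!(p[0] & 0x80))
        return 0;
    const uint8_t *q = p + 1;                /* the ++p from the report */
    if (((*q & 0x7f) >> 2) != FMT_UCS2)
        return 0;
    *out = wcs16_at(q);                      /* reads q[0], q[1], q[2] */
    return 1;
}

/* Hardened shape: confirm every byte to be consumed is present first; the scan stops at the first NUL. */
int decode_checked(const uint8_t *p, uint16_t *out)
{
    if (!(p[0] & 0x80))
        return 0;
    for (int i = 1; i <= 3; i++)
        if (p[i] == 0)
            return -1;                       /* truncated: refuse, don't read on */
    return decode_unchecked(p, out);         /* p[1..3] are now known to exist */
}

/* Constructed inputs: `truncated` ends right after the lead byte, like the
 * report's p[0]=0x89, p[1]=0; the 0xAA bytes model memory past the allocation. */
const uint8_t truncated[6] = { 0x89, 0x00, 0xAA, 0xAA, 0xAA, 0xAA };
const uint8_t complete[5]  = { 0x89, 0x81, 0x41, 0x42, 0x00 };
int main(void)
{
    uint16_t c = 0;                          /* unchecked "succeeds" on garbage */
    int leak = decode_unchecked(truncated, &c) == 1 && c == 0x152a;
    return leak && decode_checked(truncated, &c) == -1 ? 0 : 1;
}
```

The unchecked decoder returns a "valid" code assembled from the poison bytes beyond the terminator, which is exactly the read ASan flagged; the checked one reports truncation without touching them.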

@tats
Owner

tats commented Dec 10, 2016

Fixed, thank you.

@tats tats closed this as completed Dec 10, 2016
@tats
Owner

tats commented Dec 15, 2016

Patch updated.

tats added a commit that referenced this issue May 5, 2017
- New patch 934_menu.patch to fix buffer overflow (#49)
- New patch 935_shiftanchor.patch to fix buffer overflow (#62)
- New patch 936_metarefresh.patch to fix buffer overflow (#63)
- New patch 937_lineproc0.patch to fix buffer overflow (#67)
- New patch 938_lineproc2body.patch to fix buffer overflow (#61)
- New patch 939_textarea.patch to fix buffer overflow (#58)
- New patch 940_tabattr.patch to fix buffer overflow (#60)
- New patch 941_integeredwidth.patch to fix buffer overflow (#70)
- New patch 942_tridvalue.patch to fix buffer overflow (#71)
- New patch 943_pushlink.patch to fix buffer overflow (#64, #66)
- New patch 944_lineproc0.patch to fix use after free (#65)
- New patch 945_wtfstrwidth.patch to fix buffer overflow (#57)
- New patch 946_strnewsize.patch to fix buffer overflow (#72)
- New patch 947_realcolumn.patch to fix buffer overflow (#69)
- New patch 948_getmclen.patch to fix buffer overflow
  (#59, #73, #74, #75, #76, #78, #79, #80, #83, #84)
- New patch 949_wtftowcs.patch to fix buffer overflow (#77)
- New patch 950_textarea.patch to fix infinite loop (#85)
- New patch 951_lineproc0.patch to fix use after free (#81)
- New patch 952_formupdatebuffer.patch to fix buffer overflow (#82)
- New patch 953_formupdateline.patch to fix buffer overflow
  (#68#issuecomment-266214643)
- New patch 954_wtfparse1.patch to fix buffer overflow (#68)