Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-use-after-free read in HTMLlineproc0() #81

Closed
kcwu opened this issue Dec 11, 2016 · 2 comments

Comments

@kcwu
Copy link
Contributor

commented Dec 11, 2016

input (xxd cases/tats-w3m-81)

00000000: 3030 3c6e 6f62 723e 3c69 6d67 2073 7263  00<nobr><img src
00000010: 3d3c 2f30 3030 2069 643d 3030 3030 3030  =</000 id=000000
00000020: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000030: 3030 3030 30a7 a7a7 3c30 3030 3e30 3030  00000...<000>000
00000040: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000050: 3030 3030 3030 3030 3c74 6162 6c65 3e3c  00000000<table><
00000060: 7465 7874 6172 6561 3e3c 7461 626c 6520  textarea><table
00000070: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000080: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000090: 3030 3030 3030 3e                        000000>

how to reproduce:

ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 LD_LIBRARY_PATH=./notgc ./w3m-tats.asan -T text/html -dump cases/tats-w3m-81

stderr:

=================================================================
==3130026==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000001fce at pc 0x0000005b3883 bp 0x7ffe0a00b1f0 sp 0x7ffe0a00b1e8
READ of size 1 at 0x606000001fce thread T0
    #0 0x5b3882 in HTMLlineproc0 /targets/w3m-tats/file.c:6510:9
    #1 0x5c6699 in loadHTMLstream /targets/w3m-tats/file.c:7265:2
    #2 0x57be58 in loadHTMLBuffer /targets/w3m-tats/file.c:6794:5
    #3 0x57f0a4 in loadSomething /targets/w3m-tats/file.c:224:16
    #4 0x573833 in loadGeneralFile /targets/w3m-tats/file.c:2241:6
    #5 0x51967c in main /targets/w3m-tats/main.c:1017:12
    #6 0x7f0ec0064f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #7 0x41cf6b in _start (/w3m-tats.asan+0x41cf6b)

0x606000001fce is located 46 bytes inside of 54-byte region [0x606000001fa0,0x606000001fd6)
freed by thread T0 here:
    #0 0x4dfe60 in free /home/kcwu/clang/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47
    #1 0x705707 in Strgrow /targets/w3m-tats/Str.c:243:5
    #2 0x5f7220 in read_token /targets/w3m-tats/etc.c:825:6
    #3 0x5b17a5 in HTMLlineproc0 /targets/w3m-tats/file.c:6355:3
    #4 0x5b6431 in HTMLlineproc0 /targets/w3m-tats/file.c:6634:7
    #5 0x5c6699 in loadHTMLstream /targets/w3m-tats/file.c:7265:2
    #6 0x57be58 in loadHTMLBuffer /targets/w3m-tats/file.c:6794:5
    #7 0x57f0a4 in loadSomething /targets/w3m-tats/file.c:224:16
    #8 0x573833 in loadGeneralFile /targets/w3m-tats/file.c:2241:6
    #9 0x51967c in main /targets/w3m-tats/main.c:1017:12
    #10 0x7f0ec0064f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

previously allocated by thread T0 here:
    #0 0x4e01a6 in __interceptor_malloc /home/kcwu/clang/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f0ec17b2c21 in GC_malloc_atomic /notgc/notgc.c:275
    #2 0x5f8119 in read_token /targets/w3m-tats/etc.c:851:3
    #3 0x5b17a5 in HTMLlineproc0 /targets/w3m-tats/file.c:6355:3
    #4 0x5c6699 in loadHTMLstream /targets/w3m-tats/file.c:7265:2
    #5 0x57be58 in loadHTMLBuffer /targets/w3m-tats/file.c:6794:5
    #6 0x57f0a4 in loadSomething /targets/w3m-tats/file.c:224:16
    #7 0x573833 in loadGeneralFile /targets/w3m-tats/file.c:2241:6
    #8 0x51967c in main /targets/w3m-tats/main.c:1017:12
    #9 0x7f0ec0064f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-use-after-free /targets/w3m-tats/file.c:6510:9 in HTMLlineproc0
Shadow bytes around the buggy address:
  0x0c0c7fff83a0: 00 00 00 00 00 00 00 05 fa fa fa fa 00 00 00 00
  0x0c0c7fff83b0: 00 00 07 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fff83c0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fff83d0: 00 00 00 00 00 00 00 07 fa fa fa fa 00 00 00 00
  0x0c0c7fff83e0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
=>0x0c0c7fff83f0: fa fa fa fa fd fd fd fd fd[fd]fd fa fa fa fa fa
  0x0c0c7fff8400: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8410: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff8420: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff8430: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c7fff8440: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3130026==ABORTING

This is detected with help of dummy libgc wrapper. See http://github.com/kcwu/fuzzing-w3m/notgc for detail.
More detail to reproduce please see http://github.com/kcwu/fuzzing-w3m

For your convenience,
gdbline:
LD_LIBRARY_PATH=./notgc ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 gdb --args ./w3m-tats.asan -T text/html -dump cases/tats-w3m-81

this is found by afl-fuzz

@kcwu

This comment has been minimized.

Copy link
Contributor Author

commented Dec 11, 2016

This is a little tricky to analyze because HTMLlineproc0 is calling HTMLlineproc0 recursively.

file.c

HTMLlineproc0()
6340        while (*line != '\0') {
...
6355                    read_token(h_env->tagbuf, &line, &obuf->status,
6356                               pre_mode & RB_PREMODE, obuf->status != R_ST_NORMAL);
...
6362                str = h_env->tagbuf->ptr;
...
6510            while (*str) {
...
6634                        HTMLlineproc1(line->ptr, h_env);
...
6637            }
6638        }

Note, HTMLlineproc1 is actually HTMLlineproc0 (it is a macro).

What happened:

  1. line 6362, str save the pointer value of h_env->tagbuf->ptr.
  2. line 6634, recursive call
    1. line 6355, read_token() will reallocate h_env->tagbuf (and free the old buffer)
    2. function return
  3. line 6510, access str, which is invalid.
tats added a commit that referenced this issue Dec 17, 2016
@tats

This comment has been minimized.

Copy link
Owner

commented Dec 17, 2016

Fixed, thank you.

@tats tats closed this Dec 17, 2016
tats added a commit that referenced this issue May 5, 2017
- New patch 934_menu.patch to fix buffer overflow (#49)
- New patch 935_shiftanchor.patch to fix buffer overflow (#62)
- New patch 936_metarefresh.patch to fix buffer overflow (#63)
- New patch 937_lineproc0.patch to fix buffer overflow (#67)
- New patch 938_lineproc2body.patch to fix buffer overflow (#61)
- New patch 939_textarea.patch to fix buffer overflow (#58)
- New patch 940_tabattr.patch to fix buffer overflow (#60)
- New patch 941_integeredwidth.patch to fix buffer overflow (#70)
- New patch 942_tridvalue.patch to fix buffer overflow (#71)
- New patch 943_pushlink.patch to fix buffer overflow (#64, #66)
- New patch 944_lineproc0.patch to fix use after free (#65)
- New patch 945_wtfstrwidth.patch to fix buffer overflow (#57)
- New patch 946_strnewsize.patch to fix buffer overflow (#72)
- New patch 947_realcolumn.patch to fix buffer overflow (#69)
- New patch 948_getmclen.patch to fix buffer overflow
  (#59, #73, #74, #75, #76, #78, #79, #80, #83, #84)
- New patch 949_wtftowcs.patch to fix buffer overflow (#77)
- New patch 950_textarea.patch to fix infinite loop (#85)
- New patch 951_lineproc0.patch to fix use after free (#81)
- New patch 952_formupdatebuffer.patch to fix buffer overflow (#82)
- New patch 953_formupdateline.patch to fix buffer overflow
  (#68#issuecomment-266214643)
- New patch 954_wtfparse1.patch to fix buffer overflow (#68)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.