Skip to content

Latest commit

 

History

History
80 lines (73 loc) · 3.06 KB

infotocap_poc1.md

File metadata and controls

80 lines (73 loc) · 3.06 KB
Raw

heap-buffer-overflow, one_one_mapping, progs/dump_entry.c:1373, ncurses 6.1

POC: https://github.com/zjuchenyuan/fuzzpoc/raw/master/infotocap_poc1

# ./infotocap -o /dev/null infotocap_poc1
==34599==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61c00000ff4e at pc 0x000000440933 bp 0x7ffffffeb1f0 sp 0x7ffffffeb1e0
READ of size 1 at 0x61c00000ff4e thread T0
    #0 0x440932 in one_one_mapping ../progs/dump_entry.c:1373
    #1 0x440932 in purged_acs ../progs/dump_entry.c:1399
    #2 0x440932 in dump_entry ../progs/dump_entry.c:1561
    #3 0x405006 in main ../progs/tic.c:1035
    #4 0x7ffff6ac082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x408b98 in _start (/d/p/cveasan/infotocap+0x408b98)

0x61c00000ff4e is located 0 bytes to the right of 1742-byte region [0x61c00000f880,0x61c00000ff4e)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4f492c in _nc_wrap_entry ../ncurses/./tinfo/alloc_entry.c:177
    #2 0x62100001a4ff  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../progs/dump_entry.c:1373 one_one_mapping
Shadow bytes around the buggy address:
  0x0c387fff9f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c387fff9fe0: 00 00 00 00 00 00 00 00 00[06]fa fa fa fa fa fa
  0x0c387fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c387fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c387fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c387fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c387fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==34599==ABORTING

corresponding source code:

1366 static bool
1367 one_one_mapping(const char *mapping)
1368 {
1369     bool result = TRUE;
1370
1371     if (VALID_STRING(mapping)) {
1372         int n = 0;
1373         while (mapping[n] != '\0') {
1374             if (isLine(mapping[n]) &&
1375                 mapping[n] != mapping[n + 1]) {
1376                 result = FALSE;
1377                 break;
1378             }
1379             n += 2;
1380         }
1381     }
1382     return result;
1383 }

This bug was found by NESA Lab.