Bug 1484276

Summary: There is an illegal address access in alloc_entry.c of libncurses.
Product: Red Hat Enterprise Linux 7
Reporter: owl337 <v.owl337>
Component: ncurses
Assignee: Miroslav Lichvar <mlichvar>
Status: CLOSED DUPLICATE
QA Contact: qe-baseos-daemons
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.5-Alt
CC: akhaitov, dickey
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-07-27 15:24:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:
Bug Blocks: 1488916
Attachments:
Description: Triggered by " ./tic POC8 " (Flags: none)

Description owl337 2017-08-23 07:47:37 UTC
Created attachment 1316976 [details]
Triggered by " ./tic POC8 "

Description of problem:

There is an illegal address access in alloc_entry.c of libncurses.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

 ./tic POC8

Steps to Reproduce:


$ ./tic POC8
"id:000018,sig:11,src:000518,op:arith8,pos:6,val:+3", line 1, col 10, terminal 'l': Missing separator after `rs', have c
"id:000018,sig:11,src:000518,op:arith8,pos:6,val:+3", line 1, col 13, terminal 'l': Illegal character - '^J'
"id:000018,sig:11,src:000518,op:arith8,pos:6,val:+3", line 1, col 13, terminal 'l': wrong type used for string capability 'll'
Segmentation fault


The GDB debugging information is as follows:
(gdb) r 
...
Breakpoint 1, _nc_save_str (string=0x67c690 "l") at ../ncurses/./tinfo/alloc_entry.c:103
103	    len = strlen(string) + 1;
(gdb) n
105	    if (len == 1 && next_free != 0) {
(gdb) c
Continuing.
"id:000018,sig:11,src:000518,op:arith8,pos:6,val:+3", line 1, col 10, terminal 'l': Missing separator after `rs', have c
"id:000018,sig:11,src:000518,op:arith8,pos:6,val:+3", line 1, col 13, terminal 'l': Illegal character - '^J'
"id:000018,sig:11,src:000518,op:arith8,pos:6,val:+3", line 1, col 13, terminal 'l': wrong type used for string capability 'll'

Breakpoint 1, _nc_save_str (string=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>)
    at ../ncurses/./tinfo/alloc_entry.c:103
103	    len = strlen(string) + 1;
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:137
137	../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:137
#1  0x0000000000453602 in _nc_save_str (
    string=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>)
    at ../ncurses/./tinfo/alloc_entry.c:103
#2  0x0000000000445566 in postprocess_termcap (tp=<optimized out>, has_base=<optimized out>)
    at ../ncurses/./tinfo/parse_entry.c:679
#3  _nc_parse_entry (entryp=0x7fffffffaf28, literal=<optimized out>, silent=<optimized out>)
    at ../ncurses/./tinfo/parse_entry.c:520
#4  0x000000000043db23 in _nc_read_entry_source (fp=<optimized out>, buf=<optimized out>, literal=0, silent=false, 
    hook=0x40e230 <immedhook>) at ../ncurses/./tinfo/comp_parse.c:225
#5  0x0000000000403039 in main (argc=<optimized out>, argv=<optimized out>) at ../progs/tic.c:958
(gdb) 

Triggered in:
_nc_save_str (string=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>)
    at ../ncurses/./tinfo/alloc_entry.c:103
103	    len = strlen(string) + 1;

Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.

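The pointer in the backtrace above, 0xffffffffffffffff, is what (char *)(-1) looks like on a 64-bit build, and (char *)(-1) is the value ncurses' term.h gives CANCELLED_STRING, the sentinel stored for a string capability that an entry cancels with "name@" (ABSENT_STRING is (char *)0, and VALID_STRING() rejects both). That fits the "wrong type used for string capability 'll'" diagnostics printed just before the fault: a later pass (postprocess_termcap in the backtrace) handed a cancelled capability back to _nc_save_str, whose first statement, `len = strlen(string) + 1;`, dereferences it. The C below is an added example written for this page, not ncurses source: it re-declares the three sentinel macros by hand with the values term.h uses, models the string pool with a small fixed buffer (the pool size, the function names and the three-field sample entry are assumptions), and places a checked saver beside the unchecked shape of the call that crashed.

```c
/* Added example, not ncurses code. Models the string-capability sentinels
 * from ncurses' term.h and shows why a sentinel must be rejected before
 * strlen() runs on it. Pool size and function names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same values ncurses defines in term.h (re-declared here, not included). */
#define ABSENT_STRING    ((char *)0)
#define CANCELLED_STRING ((char *)(-1))
#define VALID_STRING(s)  ((s) != CANCELLED_STRING && (s) != ABSENT_STRING)

/* Stand-in for the entry's string pool; the real one is larger. */
#define POOL_SIZE 256
static char   pool[POOL_SIZE];
static size_t next_free;

/* Reset the pool so repeated runs are deterministic. */
void pool_reset(void)
{
    next_free = 0;
    memset(pool, 0, sizeof pool);
}

/* Unchecked shape of the call in the report: strlen() runs before anything
 * inspects the pointer, so a cancelled capability, i.e. (char *)-1, faults.
 * Only ever reached through the checked wrapper below. */
char *save_str_unchecked(const char *string)
{
    size_t len = strlen(string) + 1;        /* faults if string == (char *)-1 */
    if (next_free + len > POOL_SIZE)
        return ABSENT_STRING;               /* pool exhausted: nothing saved */
    char *result = pool + next_free;
    memcpy(result, string, len);
    next_free += len;
    return result;
}

/* Hardened saver: a sentinel is passed through unchanged, never copied, so
 * a cancelled capability stays cancelled and no sentinel reaches strlen(). */
char *save_str_checked(const char *string)
{
    if (!VALID_STRING(string))
        return (char *)string;
    return save_str_unchecked(string);
}

/* Turn one "name=value" / "name@" field into the table value the parser
 * would store: '=' saves the value, '@' cancels, anything else is absent. */
char *parse_cap_value(const char *field)
{
    const char *eq = strchr(field, '=');
    if (eq != NULL)
        return save_str_checked(eq + 1);
    size_t n = strlen(field);
    if (n > 0 && field[n - 1] == '@')
        return CANCELLED_STRING;
    return ABSENT_STRING;
}

/* Mirrors a post-processing pass that re-saves capabilities derived from
 * others: every pointer goes through the checked saver, so the crash path
 * is closed. Returns how many sentinels were skipped instead of copied. */
int postprocess_all(char **caps, size_t n)
{
    int skipped = 0;
    for (size_t i = 0; i < n; i++) {
        if (!VALID_STRING(caps[i])) {
            skipped++;
            continue;
        }
        caps[i] = save_str_checked(caps[i]);
    }
    return skipped;
}

int main(void)
{
    /* Constructed sample entry: one value, one cancel, one value. */
    const char *fields[] = { "ll=\\E[H", "rs@", "cr=\\r" };
    char *caps[3];
    pool_reset();
    for (size_t i = 0; i < 3; i++)
        caps[i] = parse_cap_value(fields[i]);
    int skipped = postprocess_all(caps, 3);
    printf("saved %d string caps, skipped %d sentinel(s)\n", 3 - skipped, skipped);
    return 0;
}
```

The check to look for in a fix is the one save_str_checked makes: test VALID_STRING() on the caller's side, or inside the saver, before the length is taken. Running the unchecked variant on the "rs@" field would reproduce the fault shown in the gdb session, which is why the example never routes a sentinel to it.
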
Comment 2 Thomas E. Dickey 2017-08-26 00:37:16 UTC
I made a fix for this report which will be in the next set of updates.