Bug 1484285
| Summary: | There is an illegal address access in function postprocess_termcap() of libncurses. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | owl337 <v.owl337> | ||||
| Component: | ncurses | Assignee: | Miroslav Lichvar <mlichvar> | ||||
| Status: | CLOSED DUPLICATE | QA Contact: | qe-baseos-daemons | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 7.5-Alt | CC: | akhaitov, dickey | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2018-07-27 15:24:32 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1488918 | ||||||
| Attachments: |
|
||||||
I made a fix for this report which will be in the next set of updates. |
Created attachment 1316978 [details] Triggered by " ./tic POC10 " Description of problem: There is an illegal address access in function postprocess_termcap() of libncurses. Version-Release number of selected component (if applicable): <= latest version How reproducible: ./tic POC10 Steps to Reproduce: $ ./tic POC10 Starting program: /home/icy/secreal/ncurses-6.0-20170819/install/bin/tic id:000142,sig:11,src:002264,op:havoc,rep:2 "id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 5, terminal 't': Illegal character - '^]' "id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 5, terminal 't': unknown capability 'b' "id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 24, terminal 't': Illegal character - '^M' "id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 24, terminal 't': wrong type used for string capability 'kdod' "id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 28, terminal 't': Missing separator after `do', have , "id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 31, terminal 't': Illegal character - '^J' "id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 31, terminal 't': unknown capability '@V' "id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 31, terminal 't': unknown capability `' in ko string Program received signal SIGSEGV, Segmentation fault. The GDB debugging information is as follows: (gdb) set args POC4 (gdb) r ... Starting program: /home/icy/secreal/ncurses-6.0-20170819/install/bin/tic id:000142,sig:11,src:002264,op:havoc,rep:2 "id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 5, terminal 't': Illegal character - '^]' "id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 5, terminal 't': unknown capability 'b' "id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 24, terminal 't': Illegal character - '^M' "id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 24, terminal 't': wrong type used for string capability 'kdod' "id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 28, terminal 't': Missing separator after `do', have , "id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 31, terminal 't': Illegal character - '^J' "id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 31, terminal 't': unknown capability '@V' "id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 31, terminal 't': unknown capability `' in ko string Breakpoint 1, postprocess_termcap (tp=<optimized out>, has_base=<optimized out>) at ../ncurses/./tinfo/parse_entry.c:870 870 for (dp = buf2, bp = tp->Strings[from_ptr->nte_index]; *bp; bp++) { (gdb) n Program received signal SIGSEGV, Segmentation fault. 0x00000000004463ab in postprocess_termcap (tp=<optimized out>, has_base=<optimized out>) at ../ncurses/./tinfo/parse_entry.c:870 870 for (dp = buf2, bp = tp->Strings[from_ptr->nte_index]; *bp; bp++) { (gdb) bt #0 0x00000000004463ab in postprocess_termcap (tp=<optimized out>, has_base=<optimized out>) at ../ncurses/./tinfo/parse_entry.c:870 #1 _nc_parse_entry (entryp=0x7fffffffaf48, literal=<optimized out>, silent=<optimized out>) at ../ncurses/./tinfo/parse_entry.c:520 #2 0x000000000043db23 in _nc_read_entry_source (fp=<optimized out>, buf=<optimized out>, literal=0, silent=false, hook=0x40e230 <immedhook>) at ../ncurses/./tinfo/comp_parse.c:225 #3 0x0000000000403039 in main (argc=<optimized out>, argv=<optimized out>) at ../progs/tic.c:958 (gdb) list 865 866 /* 867 * The magic moment -- copy the mapped key string over, 868 * stripping out padding. 869 */ 870 for (dp = buf2, bp = tp->Strings[from_ptr->nte_index]; *bp; bp++) { 871 if (bp[0] == '$' && bp[1] == '<') { 872 while (*bp && *bp != '>') { 873 ++bp; 874 } (gdb) Trigged in: postprocess_termcap (tp=<optimized out>, has_base=<optimized out>) at ../ncurses/./tinfo/parse_entry.c:870 870 for (dp = buf2, bp = tp->Strings[from_ptr->nte_index]; *bp; bp++) { Actual results: crash Expected results: crash Additional info: Credits: This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.