Bug 1484287
| Field | Value |
|---|---|
| Summary | There is an illegal address access in function dump_uses() of libncurses. |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | owl337 <v.owl337> |
| Component | ncurses |
| Assignee | Miroslav Lichvar <mlichvar> |
| Status | CLOSED DUPLICATE |
| QA Contact | qe-baseos-daemons |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 7.5-Alt |
| CC | akhaitov, dickey |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2018-07-27 15:24:48 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1488919 |
| Attachments | |

I made a fix for this report which will be in the next set of updates.
Created attachment 1316980 [details]
Triggered by "./captoinfo POC11"

Description of problem:
There is an illegal address access in function dump_uses() of libncurses.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./captoinfo POC11

Steps to Reproduce:

    $ ./../../../captoinfo POC11
    "id:000147,sig:11,src:001048,op:havoc,rep:2", line 2, col 605, terminal 'a': Very long string found. Missing separator?
    "id:000147,sig:11,src:001048,op:havoc,rep:2", line 13, col 7, terminal 'a': Illegal character - '^J'
    "id:000147,sig:11,src:001048,op:havoc,rep:2", line 13, col 7, terminal 'a': Legacy termcap allows only a trailing tc= clause
    "id:000147,sig:11,src:001048,op:havoc,rep:2", line 13, col 7, terminal 'a': unknown capability 'k'
    "id:000147,sig:11,src:001048,op:havoc,rep:2", line 14, col 5, terminal 'a': Missing separator
    "id:000147,sig:11,src:001048,op:havoc,rep:2", line 14, col 7, terminal 'a': Illegal character (expected alphanumeric or @%&*!#) - 'M-4'
    Segmentation fault

The GDB debugging information is as follows:

    (gdb) set args POC5
    (gdb) r
    Starting program: /home/icy/secreal/ncurses-6.0-20170819/install/bin/captoinfo id:000147,sig:11,src:001048,op:havoc,rep:2
    "id:000147,sig:11,src:001048,op:havoc,rep:2", line 2, col 605, terminal 'a': Very long string found. Missing separator?
    "id:000147,sig:11,src:001048,op:havoc,rep:2", line 13, col 7, terminal 'a': Illegal character - '^J'
    "id:000147,sig:11,src:001048,op:havoc,rep:2", line 13, col 7, terminal 'a': Legacy termcap allows only a trailing tc= clause
    "id:000147,sig:11,src:001048,op:havoc,rep:2", line 13, col 7, terminal 'a': unknown capability 'k'
    "id:000147,sig:11,src:001048,op:havoc,rep:2", line 14, col 5, terminal 'a': Missing separator
    "id:000147,sig:11,src:001048,op:havoc,rep:2", line 14, col 7, terminal 'a': Illegal character (expected alphanumeric or @%&*!#) - 'M-4'

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7a5d462 in _IO_vfprintf_internal (s=s@entry=0x7fffffffa160, format=<optimized out>, format@entry=0x459f57 "%s%s", ap=ap@entry=0x7fffffffa288) at vfprintf.c:1642
    1642    vfprintf.c: No such file or directory.
    (gdb) bt
    #0  0x00007ffff7a5d462 in _IO_vfprintf_internal (s=s@entry=0x7fffffffa160, format=<optimized out>, format@entry=0x459f57 "%s%s", ap=ap@entry=0x7fffffffa288) at vfprintf.c:1642
    #1  0x00007ffff7a804eb in __IO_vsprintf (string=0x7fffffffa360 "use=\204", '\264' <repeats 195 times>..., format=0x459f57 "%s%s", args=args@entry=0x7fffffffa288) at iovsprintf.c:42
    #2  0x00007ffff7a63d17 in __sprintf (s=<optimized out>, format=<optimized out>) at sprintf.c:32
    #3  0x000000000041a732 in dump_uses (name=0xb4b4b4b4b4b4b4b4 <error: Cannot access memory at address 0xb4b4b4b4b4b4b4b4>, infodump=<optimized out>) at ../progs/dump_entry.c:1618
    #4  0x0000000000403ee3 in main (argc=<optimized out>, argv=<optimized out>) at ../progs/tic.c:1035
    (gdb)

Triggered in:

    dump_uses (name=0xb4b4b4b4b4b4b4b4 <error: Cannot access memory at address 0xb4b4b4b4b4b4b4b4>, infodump=true) at ../progs/dump_entry.c:1618
    1618        _nc_SPRINTF(buffer, _nc_SLIMIT(sizeof(buffer))
    (gdb) list
    1613    {
    1614        char buffer[MAX_TERMINFO_LENGTH];
    1615
    1616        if (TcOutput())
    1617            trim_trailing();
    1618        _nc_SPRINTF(buffer, _nc_SLIMIT(sizeof(buffer))
    1619                    "%s%s", infodump ? "use=" : "tc=", name);
    1620        wrap_concat1(buffer);
    1621    }
    1622
    (gdb)

Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
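The backtrace shows sprintf() being handed a `name` that is not a valid pointer, so the bounded `_nc_SPRINTF` in dump_uses() cannot save it; the name has to be validated where the tc=/use= clause is read from the entry. As an added example that is not ncurses code, here is a bounds-checked extraction of the trailing tc= target that enforces the two rules the warnings above mention (only a trailing tc= clause, printable characters only); MAX_NAME, the separator set (',' and '|') and the function name are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not ncurses code: extract the target of a trailing
 * tc= clause from one termcap entry with full bounds checking, so the name
 * later formatted as "tc=<name>" is never unset, overlong or garbage.
 * MAX_NAME, the separator set and the function name are assumptions. */
#define MAX_NAME 64

/* Returns 0 and fills `name` on success; returns -1 (with `name` emptied) when
 * there is no tc=, it is not the last clause, the target is empty or does not
 * fit, or it contains a non-printable byte or a name separator (',' or '|'). */
int termcap_use_name(const char *entry, char *name, size_t cap)
{
    if (name == NULL || cap == 0)
        return -1;
    name[0] = '\0';
    if (entry == NULL)
        return -1;
    const char *tc = strstr(entry, ":tc=");
    if (tc == NULL)
        return -1;
    tc += 4;
    const char *end = strchr(tc, ':');          /* target runs to the next ':' */
    if (end == NULL)
        end = tc + strlen(tc);
    for (const char *rest = end; *rest != '\0'; ++rest)
        if (*rest != ':')                       /* legacy termcap: tc= must be last */
            return -1;
    size_t len = (size_t)(end - tc);
    if (len == 0 || len >= cap)                 /* empty, or would not fit with NUL */
        return -1;
    for (size_t i = 0; i < len; ++i) {
        unsigned char c = (unsigned char)tc[i];
        if (!isprint(c) || c == ',' || c == '|')
            return -1;
    }
    memcpy(name, tc, len);
    name[len] = '\0';
    return 0;
}

int main(void)
{
    /* constructed entries: one well formed, one carrying the 0xb4 ('M-4') bytes from the report */
    const char *good = "a|vt100 clone:co#80:tc=vt100:";
    const char *bad = "a|garbage:co#80:tc=\xb4\xb4\xb4:";
    char name[MAX_NAME];
    printf("good -> %d (%s)\n", termcap_use_name(good, name, sizeof name), name);
    printf("bad  -> %d\n", termcap_use_name(bad, name, sizeof name));
    return 0;
}
```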