Bug 1484287
| Summary: | There is an illegal address access in function dump_uses() of libncurses. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | owl337 <v.owl337> |
| Component: | ncurses | Assignee: | Miroslav Lichvar <mlichvar> |
| Status: | CLOSED DUPLICATE | QA Contact: | qe-baseos-daemons |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.5-Alt | CC: | akhaitov, dickey |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-07-27 15:24:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1488919 | | |
| Attachments: | | | |
I made a fix for this report which will be in the next set of updates.
Created attachment 1316980 [details]
Triggered by " ./captoinfo POC11 "

Description of problem:

There is an illegal address access in function dump_uses() of libncurses.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./captoinfo POC11

Steps to Reproduce:

```
$ ./../../../captoinfo POC11
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 2, col 605, terminal 'a': Very long string found. Missing separator?
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 13, col 7, terminal 'a': Illegal character - '^J'
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 13, col 7, terminal 'a': Legacy termcap allows only a trailing tc= clause
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 13, col 7, terminal 'a': unknown capability 'k'
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 14, col 5, terminal 'a': Missing separator
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 14, col 7, terminal 'a': Illegal character (expected alphanumeric or @%&*!#) - 'M-4'
Segmentation fault
```

The GDB debugging information is as follows:

```
(gdb) set args POC5
(gdb) r
Starting program: /home/icy/secreal/ncurses-6.0-20170819/install/bin/captoinfo id:000147,sig:11,src:001048,op:havoc,rep:2
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 2, col 605, terminal 'a': Very long string found. Missing separator?
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 13, col 7, terminal 'a': Illegal character - '^J'
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 13, col 7, terminal 'a': Legacy termcap allows only a trailing tc= clause
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 13, col 7, terminal 'a': unknown capability 'k'
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 14, col 5, terminal 'a': Missing separator
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 14, col 7, terminal 'a': Illegal character (expected alphanumeric or @%&*!#) - 'M-4'

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a5d462 in _IO_vfprintf_internal (s=s@entry=0x7fffffffa160, format=<optimized out>, format@entry=0x459f57 "%s%s", ap=ap@entry=0x7fffffffa288) at vfprintf.c:1642
1642	vfprintf.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7a5d462 in _IO_vfprintf_internal (s=s@entry=0x7fffffffa160, format=<optimized out>, format@entry=0x459f57 "%s%s", ap=ap@entry=0x7fffffffa288) at vfprintf.c:1642
#1  0x00007ffff7a804eb in __IO_vsprintf (string=0x7fffffffa360 "use=\204", '\264' <repeats 195 times>..., format=0x459f57 "%s%s", args=args@entry=0x7fffffffa288) at iovsprintf.c:42
#2  0x00007ffff7a63d17 in __sprintf (s=<optimized out>, format=<optimized out>) at sprintf.c:32
#3  0x000000000041a732 in dump_uses (name=0xb4b4b4b4b4b4b4b4 <error: Cannot access memory at address 0xb4b4b4b4b4b4b4b4>, infodump=<optimized out>) at ../progs/dump_entry.c:1618
#4  0x0000000000403ee3 in main (argc=<optimized out>, argv=<optimized out>) at ../progs/tic.c:1035
(gdb)
```

Triggered in:

```
dump_uses (name=0xb4b4b4b4b4b4b4b4 <error: Cannot access memory at address 0xb4b4b4b4b4b4b4b4>, infodump=true) at ../progs/dump_entry.c:1618
1618	    _nc_SPRINTF(buffer, _nc_SLIMIT(sizeof(buffer))
(gdb) list
1613	{
1614	    char buffer[MAX_TERMINFO_LENGTH];
1615	
1616	    if (TcOutput())
1617	        trim_trailing();
1618	    _nc_SPRINTF(buffer, _nc_SLIMIT(sizeof(buffer))
1619	                "%s%s", infodump ? "use=" : "tc=", name);
1620	    wrap_concat1(buffer);
1621	}
1622	
(gdb)
```

Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.