Bug 1464686 - Illegal address access in append_acs function in ncurses tool with latest verison(6.0)
Summary: Illegal address access in append_acs function in ncurses tool with latest ve...
Keywords:
Status: CLOSED DUPLICATE of bug 1473306
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ncurses
Version: 7.5-Alt
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: rc
: ---
Assignee: Miroslav Lichvar
QA Contact: BaseOS QE - Apps
URL:
Whiteboard:
Depends On:
Blocks: CVE-2017-11112
TreeView+ depends on / blocked
 
Reported: 2017-06-24 14:28 UTC by owl337
Modified: 2017-07-26 13:17 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-07-26 13:17:37 UTC


Attachments (Terms of Use)
Triggered by "captoinfo POC3" (173 bytes, application/x-rar)
2017-06-24 14:28 UTC, owl337
no flags Details

Description owl337 2017-06-24 14:28:55 UTC
Created attachment 1291506 [details]
Triggered by "captoinfo POC3"

Description of problem:

In append_acs function(parse_entry.c:57), the value of tp->Strings[409] was written as  0xffffffffff  in the preceding function that led to  illegal address access crash. 

Version-Release number of selected component (if applicable):

<=6.0

How reproducible:

captoinfo $POC

Steps to Reproduce:

The debug information is as follows:


$gdb captoinfo
…
(gdb) set args $POC
(gdb) r
…
(gdb) bt
...
 #0 strlen () at ../sysdeps/x86_64/strlen.S:137 
#1 0x000000000043a99a in append_acs (code=120, src=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>, dst=<optimized out>) at ../ncurses/./tinfo/parse_entry.c:574 
#2 postprocess_termcap (tp=<optimized out>, has_base=<optimized out>) at ../ncurses/./tinfo/parse_entry.c:916
 #3 _nc_parse_entry (entryp=0x7fffffffaf88, literal=<optimized out>, silent=<optimized out>) at ../ncurses/./tinfo/parse_entry.c:507 
#4 0x00000000004317d3 in _nc_read_entry_source (fp=<optimized out>, buf=<optimized out>, literal=0, silent=<optimized out>, hook=<optimized out>) at ../ncurses/./tinfo/comp_parse.c:227
 #5 0x0000000000402c57 in main (argc=<optimized out>, argv=<optimized out>) at ../progs/tic.c:929

Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer coll AFL. Please contact ganshuitao@gmail.com  and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.

Comment 2 Thomas E. Dickey 2017-06-28 00:29:21 UTC
Severity medium (fix will appear in the weekly updates).

Comment 4 Miroslav Lichvar 2017-07-26 13:10:05 UTC
*** Bug 1473306 has been marked as a duplicate of this bug. ***

Comment 5 Miroslav Lichvar 2017-07-26 13:17:37 UTC

*** This bug has been marked as a duplicate of bug 1473306 ***


Note You need to log in before you can comment on or make changes to this bug.