Bug 1484276 - There is an illegal address access in alloc_entry.c of libncurses.
Summary: There is an illegal address access in alloc_entry.c of libncurses.
Status: CLOSED DUPLICATE of bug 1488916
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ncurses
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Miroslav Lichvar
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: CVE-2017-13729
Reported: 2017-08-23 07:47 UTC by owl337
Modified: 2018-07-27 15:24 UTC (History)
Clone Of:
Last Closed: 2018-07-27 15:24:06 UTC


Attachments
Triggered by " ./tic POC8 " (80 bytes, application/x-rar), 2017-08-23 07:47 UTC, owl337

Description owl337 2017-08-23 07:47:37 UTC
Created attachment 1316976
Triggered by " ./tic POC8 "

Description of problem:

There is an illegal address access in alloc_entry.c of libncurses.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

 ./tic POC8

Steps to Reproduce:


$ ./tic POC8
"id:000018,sig:11,src:000518,op:arith8,pos:6,val:+3", line 1, col 10, terminal 'l': Missing separator after `rs', have c
"id:000018,sig:11,src:000518,op:arith8,pos:6,val:+3", line 1, col 13, terminal 'l': Illegal character - '^J'
"id:000018,sig:11,src:000518,op:arith8,pos:6,val:+3", line 1, col 13, terminal 'l': wrong type used for string capability 'll'
Segmentation fault


The GDB debugging information is as follows:
(gdb) r 
...
Breakpoint 1, _nc_save_str (string=0x67c690 "l") at ../ncurses/./tinfo/alloc_entry.c:103
103	    len = strlen(string) + 1;
(gdb) n
105	    if (len == 1 && next_free != 0) {
(gdb) c
Continuing.
"id:000018,sig:11,src:000518,op:arith8,pos:6,val:+3", line 1, col 10, terminal 'l': Missing separator after `rs', have c
"id:000018,sig:11,src:000518,op:arith8,pos:6,val:+3", line 1, col 13, terminal 'l': Illegal character - '^J'
"id:000018,sig:11,src:000518,op:arith8,pos:6,val:+3", line 1, col 13, terminal 'l': wrong type used for string capability 'll'

Breakpoint 1, _nc_save_str (string=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>)
    at ../ncurses/./tinfo/alloc_entry.c:103
103	    len = strlen(string) + 1;
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:137
137	../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:137
#1  0x0000000000453602 in _nc_save_str (
    string=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>)
    at ../ncurses/./tinfo/alloc_entry.c:103
#2  0x0000000000445566 in postprocess_termcap (tp=<optimized out>, has_base=<optimized out>)
    at ../ncurses/./tinfo/parse_entry.c:679
#3  _nc_parse_entry (entryp=0x7fffffffaf28, literal=<optimized out>, silent=<optimized out>)
    at ../ncurses/./tinfo/parse_entry.c:520
#4  0x000000000043db23 in _nc_read_entry_source (fp=<optimized out>, buf=<optimized out>, literal=0, silent=false, 
    hook=0x40e230 <immedhook>) at ../ncurses/./tinfo/comp_parse.c:225
#5  0x0000000000403039 in main (argc=<optimized out>, argv=<optimized out>) at ../progs/tic.c:958
(gdb) 

Triggered in:
_nc_save_str (string=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>)
    at ../ncurses/./tinfo/alloc_entry.c:103
103	    len = strlen(string) + 1;

Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
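The backtrace above shows strlen() being handed 0xffffffffffffffff, which is (char *)-1 rather than a readable address. The C sketch below is an added illustration, not ncurses code and not the fix Dickey refers to in his comment: it assumes, following ncurses' convention, that a null pointer marks an absent string capability and (char *)-1 a cancelled one, and shows a capability-saving routine that rejects both sentinels and checks its buffer bound before copying. The names save_str_checked, save_all, reset_strbuf and demo are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sentinel values modelled on ncurses' convention (an assumption of this
 * example): absent string capability = null, cancelled = (char *)-1.
 * The crash in the report is strlen() applied to that second value. */
#define ABSENT_STRING    ((char *)0)
#define CANCELLED_STRING ((char *)-1)
#define VALID_STRING(s)  ((s) != ABSENT_STRING && (s) != CANCELLED_STRING)

/* Fixed-size arena standing in for the entry's string buffer. */
enum { STRBUF_SIZE = 64 };
static char   strbuf[STRBUF_SIZE];
static size_t next_free = 0;

/* Empty the arena so the sequence can be replayed. */
void reset_strbuf(void) { next_free = 0; }

/* Copy one string capability into the arena and return its new address.
 * Sentinel pointers are refused before strlen() ever sees them, and an
 * exhausted arena yields NULL instead of a write past the buffer end. */
char *save_str_checked(const char *string) {
    if (!VALID_STRING(string))            /* absent or cancelled: skip */
        return NULL;
    size_t len = strlen(string) + 1;
    if (len > STRBUF_SIZE - next_free)    /* no room: refuse, don't overflow */
        return NULL;
    char *result = strbuf + next_free;
    memcpy(result, string, len);
    next_free += len;
    return result;
}

/* Walk a table of capability pointers, the way a post-processing pass walks
 * a terminal's string capabilities, and count how many were safely saved. */
int save_all(const char *const *caps, int ncaps) {
    int saved = 0;
    for (int i = 0; i < ncaps; i++)
        if (save_str_checked(caps[i]) != NULL)
            saved++;
    return saved;
}

/* Constructed sample: one real capability, one absent, one cancelled. */
int demo(void) {
    const char *caps[] = { "\\E[H\\E[2J", ABSENT_STRING, CANCELLED_STRING };
    reset_strbuf();
    return save_all(caps, 3);             /* returns 1 */
}

int main(void) { printf("saved %d of 3 capabilities\n", demo()); return 0; }
```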

Comment 2 Thomas E. Dickey 2017-08-26 00:37:16 UTC
I made a fix for this report which will be in the next set of updates.
