Created attachment 1316976
Triggered by " ./tic POC8 "

Description of problem:
There is an illegal address access in alloc_entry.c of libncurses.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./tic POC8

Steps to Reproduce:
$ ./tic POC8
"id:000018,sig:11,src:000518,op:arith8,pos:6,val:+3", line 1, col 10, terminal 'l': Missing separator after `rs', have c
"id:000018,sig:11,src:000518,op:arith8,pos:6,val:+3", line 1, col 13, terminal 'l': Illegal character - '^J'
"id:000018,sig:11,src:000518,op:arith8,pos:6,val:+3", line 1, col 13, terminal 'l': wrong type used for string capability 'll'
Segmentation fault

The GDB debugging information is as follows:

(gdb) r
...
Breakpoint 1, _nc_save_str (string=0x67c690 "l") at ../ncurses/./tinfo/alloc_entry.c:103
103         len = strlen(string) + 1;
(gdb) n
105         if (len == 1 && next_free != 0) {
(gdb) c
Continuing.
"id:000018,sig:11,src:000518,op:arith8,pos:6,val:+3", line 1, col 10, terminal 'l': Missing separator after `rs', have c
"id:000018,sig:11,src:000518,op:arith8,pos:6,val:+3", line 1, col 13, terminal 'l': Illegal character - '^J'
"id:000018,sig:11,src:000518,op:arith8,pos:6,val:+3", line 1, col 13, terminal 'l': wrong type used for string capability 'll'

Breakpoint 1, _nc_save_str (string=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>) at ../ncurses/./tinfo/alloc_entry.c:103
103         len = strlen(string) + 1;
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:137
137     ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:137
#1  0x0000000000453602 in _nc_save_str (string=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>) at ../ncurses/./tinfo/alloc_entry.c:103
#2  0x0000000000445566 in postprocess_termcap (tp=<optimized out>, has_base=<optimized out>) at ../ncurses/./tinfo/parse_entry.c:679
#3  _nc_parse_entry (entryp=0x7fffffffaf28, literal=<optimized out>, silent=<optimized out>) at ../ncurses/./tinfo/parse_entry.c:520
#4  0x000000000043db23 in _nc_read_entry_source (fp=<optimized out>, buf=<optimized out>, literal=0, silent=false, hook=0x40e230 <immedhook>) at ../ncurses/./tinfo/comp_parse.c:225
#5  0x0000000000403039 in main (argc=<optimized out>, argv=<optimized out>) at ../progs/tic.c:958
(gdb)

Triggered in:
_nc_save_str (string=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>) at ../ncurses/./tinfo/alloc_entry.c:103
103         len = strlen(string) + 1;

Actual results:
crash

Expected results:
crash

Additional info:
Credits:
This vulnerability is detected by team OWL337, with our custom fuzzer collAFL.
Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
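The backtrace above shows strlen() being handed the pointer value 0xffffffffffffffff from the termcap post-processing path. The following is an added C example, written for this page and not code from ncurses or from the reporter, showing the defensive pattern a string-pool saver can apply: validate sentinel pointers before measuring or copying. The sentinel definitions follow the convention ncurses uses in term.h (a null pointer for an absent capability, (char *)(-1) for a cancelled one), but the pool, the function names and the sample entry are this example's own assumptions and do not reproduce the project's fix.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sentinel values for string capabilities, following the ncurses term.h
 * convention: an absent capability is a null pointer, a cancelled one is
 * (char *)(-1). These definitions are local to this example. */
#define ABSENT_STRING    ((char *)0)
#define CANCELLED_STRING ((char *)(-1))
#define VALID_STRING(s)  ((s) != ABSENT_STRING && (s) != CANCELLED_STRING)

/* Fixed-size string pool standing in for an entry's string buffer (assumed). */
#define POOL_SIZE 256
static char pool[POOL_SIZE];
static size_t next_free = 0;

/* Hypothetical hardened save routine: rejects sentinel pointers before
 * strlen() runs, so a cancelled capability (pointer value -1) is never
 * dereferenced, and refuses to write past the end of the pool.
 * Returns the saved copy, or NULL when the input is rejected. */
char *save_str_checked(const char *string)
{
    if (!VALID_STRING(string))
        return NULL;                 /* sentinel, not a real string */
    size_t len = strlen(string) + 1; /* safe: pointer is a real string */
    if (next_free + len > POOL_SIZE)
        return NULL;                 /* pool exhausted, do not overflow */
    char *result = pool + next_free;
    memcpy(result, string, len);
    next_free += len;
    return result;
}

/* Reset the pool so the routine can be exercised repeatedly. */
void reset_pool(void)
{
    next_free = 0;
    memset(pool, 0, sizeof pool);
}

/* Bytes currently consumed in the pool, for callers checking pool state. */
size_t pool_used(void)
{
    return next_free;
}

/* Mimics a capability post-processing loop: each string capability of a
 * constructed entry goes through the checked saver; returns how many were
 * rejected rather than copied. */
int count_rejected(const char *const *caps, size_t n)
{
    int rejected = 0;
    for (size_t i = 0; i < n; i++)
        if (save_str_checked(caps[i]) == NULL)
            rejected++;
    return rejected;
}

int main(void)
{
    /* Constructed sample entry: two ordinary values, one cancelled, one absent. */
    const char *caps[] = { "\\E[H\\E[2J", CANCELLED_STRING, ABSENT_STRING, "l" };
    reset_pool();
    int rejected = count_rejected(caps, 4);
    printf("rejected %d of 4 capabilities, pool used %zu bytes\n",
           rejected, pool_used());
    return 0;
}
```

With the sample entry, the two sentinel entries are rejected without touching memory and only the two real strings (10 and 2 bytes including terminators) land in the pool; the same check placed ahead of any strlen() or copy on capability strings is what prevents the crash pattern recorded in this report.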
I made a fix for this report which will be in the next set of updates.