Bug 1484285 - There is an illegal address access in function postprocess_termcap() of libncurses.
Status: CLOSED DUPLICATE of bug 1488918
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ncurses
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Miroslav Lichvar
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: CVE-2017-13731
Reported: 2017-08-23 07:59 UTC by owl337
Modified: 2018-07-27 15:24 UTC (History)

Clone Of:
Last Closed: 2018-07-27 15:24:32 UTC


Attachments
Triggered by " ./tic POC10 " (99 bytes, application/x-rar)
2017-08-23 07:59 UTC, owl337

Description owl337 2017-08-23 07:59:56 UTC
Created attachment 1316978 [details]
Triggered by " ./tic POC10 "

Description of problem:

There is an illegal address access in function postprocess_termcap()  of libncurses.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./tic POC10

Steps to Reproduce:

$ ./tic POC10
Starting program: /home/icy/secreal/ncurses-6.0-20170819/install/bin/tic id:000142,sig:11,src:002264,op:havoc,rep:2 
"id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 5, terminal 't': Illegal character - '^]'
"id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 5, terminal 't': unknown capability 'b'
"id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 24, terminal 't': Illegal character - '^M'
"id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 24, terminal 't': wrong type used for string capability 'kdod'
"id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 28, terminal 't': Missing separator after `do', have ,
"id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 31, terminal 't': Illegal character - '^J'
"id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 31, terminal 't': unknown capability '@V'
"id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 31, terminal 't': unknown capability `' in ko string

Program received signal SIGSEGV, Segmentation fault.

The GDB debugging information is as follows:
(gdb) set args POC4
(gdb) r 
...
Starting program: /home/icy/secreal/ncurses-6.0-20170819/install/bin/tic id:000142,sig:11,src:002264,op:havoc,rep:2 
"id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 5, terminal 't': Illegal character - '^]'
"id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 5, terminal 't': unknown capability 'b'
"id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 24, terminal 't': Illegal character - '^M'
"id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 24, terminal 't': wrong type used for string capability 'kdod'
"id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 28, terminal 't': Missing separator after `do', have ,
"id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 31, terminal 't': Illegal character - '^J'
"id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 31, terminal 't': unknown capability '@V'
"id:000142,sig:11,src:002264,op:havoc,rep:2", line 1, col 31, terminal 't': unknown capability `' in ko string

Breakpoint 1, postprocess_termcap (tp=<optimized out>, has_base=<optimized out>) at ../ncurses/./tinfo/parse_entry.c:870
870		    for (dp = buf2, bp = tp->Strings[from_ptr->nte_index]; *bp; bp++) {
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x00000000004463ab in postprocess_termcap (tp=<optimized out>, has_base=<optimized out>)
    at ../ncurses/./tinfo/parse_entry.c:870
870		    for (dp = buf2, bp = tp->Strings[from_ptr->nte_index]; *bp; bp++) {
(gdb) bt
#0  0x00000000004463ab in postprocess_termcap (tp=<optimized out>, has_base=<optimized out>)
    at ../ncurses/./tinfo/parse_entry.c:870
#1  _nc_parse_entry (entryp=0x7fffffffaf48, literal=<optimized out>, silent=<optimized out>)
    at ../ncurses/./tinfo/parse_entry.c:520
#2  0x000000000043db23 in _nc_read_entry_source (fp=<optimized out>, buf=<optimized out>, literal=0, silent=false, 
    hook=0x40e230 <immedhook>) at ../ncurses/./tinfo/comp_parse.c:225
#3  0x0000000000403039 in main (argc=<optimized out>, argv=<optimized out>) at ../progs/tic.c:958
(gdb) list 
865	
866		    /*
867		     * The magic moment -- copy the mapped key string over,
868		     * stripping out padding.
869		     */
870		    for (dp = buf2, bp = tp->Strings[from_ptr->nte_index]; *bp; bp++) {
871			if (bp[0] == '$' && bp[1] == '<') {
872			    while (*bp && *bp != '>') {
873				++bp;
874			    }
(gdb) 

Triggered in:
postprocess_termcap (tp=<optimized out>, has_base=<optimized out>)
    at ../ncurses/./tinfo/parse_entry.c:870
870		    for (dp = buf2, bp = tp->Strings[from_ptr->nte_index]; *bp; bp++) {


Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
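The loop at parse_entry.c:870 in the backtrace above dereferences `tp->Strings[from_ptr->nte_index]` before checking that the entry holds a real string, which is how an absent or cancelled capability turns into an illegal address read. The following is an added example, written for this page and not taken from the ncurses source or from the upstream fix (the page does not say what form that fix took): the same padding-stripping copy, guarded so that a missing string entry is rejected instead of dereferenced. `ABSENT_STRING` and `CANCELLED_STRING` follow the sentinel conventions ncurses uses in term.h but are redefined here so the file builds stand-alone; the destination bounds check and the stop on an unterminated `$<` are additional guards of my own.

```c
#include <stdio.h>
#include <string.h>

/* Sentinels for Strings[] entries, mirroring ncurses' term.h conventions
 * (redefined locally so this example compiles on its own). */
#define ABSENT_STRING    ((char *) 0)
#define CANCELLED_STRING ((char *) (-1))
#define VALID_STRING(s)  ((s) != ABSENT_STRING && (s) != CANCELLED_STRING)

#define BUF_SIZE 256

/* Scratch output buffer, kept at file scope so callers without their own
 * buffer (for instance a test harness) can still exercise the function. */
static char scratch[BUF_SIZE];

/*
 * Copy the key string src into dst, stripping "$<...>" padding sequences,
 * the way the loop at parse_entry.c:870 does.  Returns the number of bytes
 * written (excluding the terminator), or -1 when src is absent/cancelled:
 * the unchecked case behind the SIGSEGV reported above.
 */
int copy_key_string_stripped(char *dst, size_t dstlen, const char *src)
{
    if (dst == NULL || dstlen == 0)
        return -1;
    if (!VALID_STRING(src)) {          /* guard: no NULL / (char *)-1 deref */
        dst[0] = '\0';
        return -1;
    }

    char *dp = dst;
    const char *bp = src;
    for (; *bp; bp++) {
        if (bp[0] == '$' && bp[1] == '<') {
            /* skip the padding up to and including the closing '>' */
            while (*bp && *bp != '>')
                ++bp;
            if (*bp == '\0')           /* unterminated "$<": do not step past NUL */
                break;
        } else if ((size_t) (dp - dst) + 1 < dstlen) {
            *dp++ = *bp;               /* keep one byte for the terminator */
        } else {
            break;                     /* destination full */
        }
    }
    *dp = '\0';
    return (int) (dp - dst);
}

/* Convenience check: does stripping src yield exactly expected?  Returns 1/0. */
int check_strip(const char *src, const char *expected)
{
    char out[BUF_SIZE];
    int n = copy_key_string_stripped(out, sizeof out, src);
    return n >= 0 && strcmp(out, expected) == 0 && n == (int) strlen(expected);
}

int main(void)
{
    /* Constructed sample strings: cursor-up with padding, and an absent entry. */
    const char *padded = "\033[A$<5>x";
    int n = copy_key_string_stripped(scratch, sizeof scratch, padded);
    printf("stripped %d bytes\n", n);
    n = copy_key_string_stripped(scratch, sizeof scratch, ABSENT_STRING);
    printf("absent entry -> %d (rejected, no crash)\n", n);
    return 0;
}
```

The guard is the point: the copy itself is unchanged from what the gdb listing shows, and the only behavioural difference on well-formed input is that the function refuses an absent or cancelled entry instead of reading through it.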

Comment 2 Thomas E. Dickey 2017-08-26 00:35:53 UTC
I made a fix for this report which will be in the next set of updates.

