Bug 1484287 - There is an illegal address access in function dump_uses() of libncurses.
Status: CLOSED DUPLICATE of bug 1488919
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ncurses
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Lichvar
QA Contact: qe-baseos-daemons
Docs Contact:
Depends On:
Blocks: CVE-2017-13732
Reported: 2017-08-23 04:03 EDT by owl337
Modified: 2018-07-27 11:24 EDT (History)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-07-27 11:24:48 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Triggered by " ./captoinfo POC11 " (158 bytes, application/x-rar)
2017-08-23 04:03 EDT, owl337
Description owl337 2017-08-23 04:03:03 EDT
Created attachment 1316980 [details]
Triggered by "  ./captoinfo POC11  "

Description of problem:

There is an illegal address access in function dump_uses() of libncurses.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./captoinfo POC11  

Steps to Reproduce:

$ ./../../../captoinfo POC11  
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 2, col 605, terminal 'a': Very long string found.  Missing separator?
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 13, col 7, terminal 'a': Illegal character - '^J'
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 13, col 7, terminal 'a': Legacy termcap allows only a trailing tc= clause
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 13, col 7, terminal 'a': unknown capability 'k'
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 14, col 5, terminal 'a': Missing separator
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 14, col 7, terminal 'a': Illegal character (expected alphanumeric or @%&*!#) - 'M-4'
Segmentation fault

The GDB debugging information is as follows:
(gdb) set args POC5
(gdb) r
Starting program: /home/icy/secreal/ncurses-6.0-20170819/install/bin/captoinfo id:000147,sig:11,src:001048,op:havoc,rep:2
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 2, col 605, terminal 'a': Very long string found.  Missing separator?
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 13, col 7, terminal 'a': Illegal character - '^J'
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 13, col 7, terminal 'a': Legacy termcap allows only a trailing tc= clause
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 13, col 7, terminal 'a': unknown capability 'k'
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 14, col 5, terminal 'a': Missing separator
"id:000147,sig:11,src:001048,op:havoc,rep:2", line 14, col 7, terminal 'a': Illegal character (expected alphanumeric or @%&*!#) - 'M-4'

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a5d462 in _IO_vfprintf_internal (s=s@entry=0x7fffffffa160, format=<optimized out>, 
    format@entry=0x459f57 "%s%s", ap=ap@entry=0x7fffffffa288) at vfprintf.c:1642
1642	vfprintf.c: No such file or directory.
(gdb) bt 
#0  0x00007ffff7a5d462 in _IO_vfprintf_internal (s=s@entry=0x7fffffffa160, format=<optimized out>, 
    format@entry=0x459f57 "%s%s", ap=ap@entry=0x7fffffffa288) at vfprintf.c:1642
#1  0x00007ffff7a804eb in __IO_vsprintf (string=0x7fffffffa360 "use=\204", '\264' <repeats 195 times>..., 
    format=0x459f57 "%s%s", args=args@entry=0x7fffffffa288) at iovsprintf.c:42
#2  0x00007ffff7a63d17 in __sprintf (s=<optimized out>, format=<optimized out>) at sprintf.c:32
#3  0x000000000041a732 in dump_uses (
    name=0xb4b4b4b4b4b4b4b4 <error: Cannot access memory at address 0xb4b4b4b4b4b4b4b4>, infodump=<optimized out>)
    at ../progs/dump_entry.c:1618
#4  0x0000000000403ee3 in main (argc=<optimized out>, argv=<optimized out>) at ../progs/tic.c:1035
(gdb) 

Triggered in:
dump_uses (name=0xb4b4b4b4b4b4b4b4 <error: Cannot access memory at address 0xb4b4b4b4b4b4b4b4>, 
    infodump=true) at ../progs/dump_entry.c:1618
1618	    _nc_SPRINTF(buffer, _nc_SLIMIT(sizeof(buffer))
(gdb) list 
1613	{
1614	    char buffer[MAX_TERMINFO_LENGTH];
1615	
1616	    if (TcOutput())
1617		trim_trailing();
1618	    _nc_SPRINTF(buffer, _nc_SLIMIT(sizeof(buffer))
1619			"%s%s", infodump ? "use=" : "tc=", name);
1620	    wrap_concat1(buffer);
1621	}
1622	
(gdb) 


Actual results:

crash

Expected results:

crash

Additional info:


This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
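The listing at dump_entry.c:1618 formats a use=/tc= reference name into a fixed buffer with no check on the name itself. The block below is an added illustration, not ncurses code: a defensive version of that formatting step which rejects NULL, empty, overlong or non-printable names and reports truncation instead of passing a mangled clause on. The MAX_TERMINFO_LENGTH and MAX_USE_NAME values are assumptions for this example. Note the caveat in the comments: no check here can tell that a non-NULL pointer such as the 0xb4b4b4b4b4b4b4b4 value in the backtrace is garbage, so the real mitigation has to be at the point where the use= reference is resolved.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in; the real MAX_TERMINFO_LENGTH is not on the page. */
#define MAX_TERMINFO_LENGTH 4096
/* Assumed cap for a use=/tc= entry name in this example. */
#define MAX_USE_NAME 128

/* Validate a use=/tc= reference name before formatting it.
 * strnlen stops at the cap, so an unterminated buffer is never scanned
 * past MAX_USE_NAME + 1 bytes. This cannot detect a dangling or
 * uninitialized pointer (e.g. 0xb4b4b4b4b4b4b4b4 in the trace); such
 * names must never reach the dumper in the first place. */
static bool valid_use_name(const char *name)
{
    if (name == NULL)
        return false;
    size_t len = strnlen(name, MAX_USE_NAME + 1);
    if (len == 0 || len > MAX_USE_NAME)
        return false;
    for (size_t i = 0; i < len; i++) {
        /* entry names are printable and contain no whitespace */
        if (!isgraph((unsigned char)name[i]))
            return false;
    }
    return true;
}

/* Hardened equivalent of the sprintf at dump_entry.c:1618.
 * Returns the number of bytes written, or -1 on an invalid name,
 * a bad output buffer, or truncation. */
static int format_use_clause(char *out, size_t outsz, bool infodump,
                             const char *name)
{
    if (out == NULL || outsz == 0 || !valid_use_name(name))
        return -1;
    int n = snprintf(out, outsz, "%s%s", infodump ? "use=" : "tc=", name);
    if (n < 0 || (size_t)n >= outsz)
        return -1; /* truncated: report it rather than emit a cut clause */
    return n;
}

int main(void)
{
    char buffer[MAX_TERMINFO_LENGTH];
    int n = format_use_clause(buffer, sizeof buffer, true, "xterm");
    printf("%d %s\n", n, buffer); /* 9 use=xterm */
    return 0;
}
```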
Comment 2 Thomas E. Dickey 2017-08-25 20:35:18 EDT
I made a fix for this report which will be in the next set of updates.
