Created attachment 1316983 [details]
Triggered by "./infotocap POC13"

Description of problem:
There is an illegal address access in strings.c of libncurses.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./infotocap POC13

Steps to Reproduce:
$ ./../../../infotocap POC13
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 9: dubious character `*' in name or alias field
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 11, terminal 'a*9拢觻[': Illegal character (expected alphanumeric or @%&*!#) - ':'
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 14, terminal 'a*9拢觻[': Illegal character (expected alphanumeric or @%&*!#) - ':'
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 22, terminal 'a*9拢觻[': Illegal character (expected alphanumeric or @%&*!#) - ';'
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 24, terminal 'a*9拢觻[': Illegal character (expected alphanumeric or @%&*!#) - ','
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 68, terminal 'a*9拢觻[': Illegal character - '^\'
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 68, terminal 'a*9拢觻[': unknown capability '5'
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 69, terminal 'a*9拢觻[': Illegal character (expected alphanumeric or @%&*!#) - '^\'
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 180, terminal 'a*9拢觻[': Illegal character (expected alphanumeric or @%&*!#) - ':'
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 183, terminal 'a*9拢觻[': Illegal character (expected alphanumeric or @%&*!#) - ':'
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 190, terminal 'a*9拢觻[': Illegal character (expected alphanumeric or @%&*!#) - ';'
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 192, terminal 'a*9拢觻[': Illegal character (expected alphanumeric or @%&*!#) - ','
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 208, terminal 'a*9拢觻[': Missing separator after `ac', have ^\
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 209, terminal 'a*9拢觻[': Illegal character (expected alphanumeric or @%&*!#) - '^\'
Segmentation fault

The GDB debugging information is as follows:
(gdb) set args POC13
(gdb) set args POC13
(gdb) r
Starting program: /home/icy/secreal/ncurses-6.0-20170819/install/bin/infotocap POC13
"POC31", line 1, col 9: dubious character `*' in name or alias field
"POC13", line 1, col 11, terminal 'a*9??[': Illegal character (expected alphanumeric or @%&*!#) - ':'
"POC13", line 1, col 14, terminal 'a*9??[': Illegal character (expected alphanumeric or @%&*!#) - ':'
"POC13", line 1, col 22, terminal 'a*9??[': Illegal character (expected alphanumeric or @%&*!#) - ';'
"POC13", line 1, col 24, terminal 'a*9??[': Illegal character (expected alphanumeric or @%&*!#) - ','
"POC13", line 1, col 68, terminal 'a*9??[': Illegal character - '^\'
"POC13", line 1, col 68, terminal 'a*9??[': unknown capability '5'
"POC13", line 1, col 69, terminal 'a*9??[': Illegal character (expected alphanumeric or @%&*!#) - '^\'
"POC13", line 1, col 180, terminal 'a*9??[': Illegal character (expected alphanumeric or @%&*!#) - ':'
"POC13", line 1, col 183, terminal 'a*9??[': Illegal character (expected alphanumeric or @%&*!#) - ':'
"POC13", line 1, col 190, terminal 'a*9??[': Illegal character (expected alphanumeric or @%&*!#) - ';'
"POC13", line 1, col 192, terminal 'a*9??[': Illegal character (expected alphanumeric or @%&*!#) - ','
"POC13", line 1, col 208, terminal 'a*9??[': Missing separator after `ac', have ^\
"POC13", line 1, col 209, terminal 'a*9??[': Illegal character (expected alphanumeric or @%&*!#) - '^\'

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:137
137 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0 strlen () at ../sysdeps/x86_64/strlen.S:137
#1 0x00000000004528e2 in _nc_safe_strcat (dst=0x7fffffffadc0, src=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>) at ../ncurses/./tinfo/strings.c:109
#2 0x0000000000446bfa in postprocess_termcap (tp=<optimized out>, has_base=<optimized out>) at ../ncurses/./tinfo/parse_entry.c:923
#3 _nc_parse_entry (entryp=0x7fffffffaf38, literal=<optimized out>, silent=<optimized out>) at ../ncurses/./tinfo/parse_entry.c:520
#4 0x000000000043db23 in _nc_read_entry_source (fp=<optimized out>, buf=<optimized out>, literal=0, silent=false, hook=0x0) at ../ncurses/./tinfo/comp_parse.c:225
#5 0x0000000000403039 in main (argc=<optimized out>, argv=<optimized out>) at ../progs/tic.c:958

Triggered in:
_nc_safe_strcat (dst=0x7fffffffadc0, src=0x67d6ad "\r") at ../ncurses/./tinfo/strings.c:109
109 size_t len = strlen(src);

104 */
105 NCURSES_EXPORT(bool)
106 _nc_safe_strcat(string_desc * dst, const char *src)
107 {
108 if (src != 0) {
109 size_t len = strlen(src);
110
111 if (len < dst->s_size) {
112 if (dst->s_tail != 0) {
113 _nc_STRCPY(dst->s_tail, src, dst->s_size);

Actual results:
crash

Expected results:
crash

Additional info:
Credits: This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
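As an added illustration, not code from the report or from ncurses itself: a stand-alone C model of the bounded-append pattern behind `_nc_safe_strcat`, where the `s_head` field, the helper `sd_init` and the exact `s_tail`/`s_size` bookkeeping are assumptions (the report shows only `s_tail` and `s_size`). It shows what the callee's own checks can and cannot catch: a NULL or oversize `src` is refused, but a non-NULL invalid pointer such as the `0xffffffffffffffff` in frame #1 is dereferenced by `strlen()` before any check runs, so the validity of `src` must be guaranteed by the caller (`postprocess_termcap` in the backtrace).

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Model of ncurses' string_desc. s_tail and s_size appear in the report;
 * s_head is assumed for illustration. */
typedef struct {
    char *s_head;   /* start of the output buffer */
    char *s_tail;   /* where the next append is written */
    size_t s_size;  /* bytes free after s_tail, including room for the NUL */
} string_desc;

/* Assumed helper: bind a descriptor to a caller-owned buffer. */
void sd_init(string_desc *dst, char *buf, size_t size)
{
    dst->s_head = buf;
    dst->s_tail = buf;
    dst->s_size = size;
    if (size > 0)
        buf[0] = '\0';
}

/* Bounded append, structured like _nc_safe_strcat: skip a NULL src, refuse
 * a src that would not fit together with its terminating NUL. A non-NULL
 * garbage pointer cannot be detected here: strlen() dereferences it before
 * the length comparison, which is exactly the crash in the report. */
bool safe_strcat(string_desc *dst, const char *src)
{
    if (src == NULL)
        return false;
    size_t len = strlen(src);             /* crash site for invalid src */
    if (len >= dst->s_size)               /* need len + 1 bytes */
        return false;
    if (dst->s_tail != NULL) {
        memcpy(dst->s_tail, src, len + 1);   /* copies the NUL as well */
        dst->s_tail += len;
        dst->s_size -= len;
    }
    return true;
}
```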
The given test-case does not produce the reported problem.
Created attachment 1318358 [details]
The modified POC

Sorry for this mistake.
I made a fix for this report which will be in the next set of updates.